Issue NAT Outbound Palo Alto


L1 Bithead

I have an issue: sometimes my FortiMail is unable to connect to the internet, and for my FortiMail to be able to connect to the internet again I disable and enable my NAT policy. Is there any bug related to that? I get this every day.

 

[screenshot: NAT policy rules, image not available]

Here is my NAT policy.


Cyber Elite

Hi @niam77, why do you have NAT configured in both directions? Do you want it to be reachable from the Internet as well?

 

During the issue, did you check the traffic logs to understand what's happening? Is the traffic matching the NAT statement when the issue is present?

M

Cyber Elite

Hello,

Disable NAT policy 85 in your picture, as it is not required. Also, I hope this external IP is used only for the FortiMail; if so, set Bi-Directional to yes.

 

Regards,

Yes, I need the FortiMail to get internet access, because during the issue my FortiMail can't send outbound email. When I trace from the FortiMail, the packet stops at the Palo Alto, and when I disable and re-enable NAT policy no. 86 my FortiMail is back to normal and can send outbound email. In my Palo Alto traffic log it shows the application as incomplete.

Unfortunately, my external public IP is used by two IP addresses. Here is my issue in detail: my FortiMail can't send outbound email, and when I trace from the FortiMail the packet stops at the Palo Alto. When I disable and re-enable NAT policy no. 86, my FortiMail is back to normal and can send outbound email.

L1 Bithead

Your policy names are confusingly reversed (regarding what is in/out), but that's not relevant here. I don't see anything specifically wrong here, and as you're saying it is an intermittent/runtime issue: it works and then it does not work, meaning the configuration appears fine and something happens in the data plane.

 

This tells me that some in-depth debugging of the sessions and packets is required. You can take packet captures, trace down and investigate sessions, etc., but it may also be the basis for a support case. If you get lucky, they may find something in the tech support file, or it may be a known issue.

 

I understand you can't initiate this situation to reproduce it, but once it happens, you can keep it for some time so that it can be investigated. E-mail servers usually try to re-send an e-mail for 4 to 8 hours, so if you keep it broken for a few hours, there should only be a delay but no actual data loss for the users.

Good advice is expensive but free advice is never appreciated