List of network address translations


L1 Bithead

How do I get a detailed list of all NAT/PATs in the firewall? From what I can find, nothing shows all the translations. I need to see an internal private IP translated to an external public IP, one for one.

5 REPLIES

L6 Presenter

You can go to the Policies->NAT, at the bottom click the "PDF/CSV" page and it will spit out a CSV of all the displayed NAT rules (filtered using the terms in the search box at the top if you entered values there). The CSV will contain columns for the source IP/Zone and translated source/destination type/IP/options.

Note 1: The address (both source and destination) will be the value entered in the config... so that may be an IP address, or it may be the address object name, if an object name was used in the config. You may have to convert the value.

Note 2: Pay attention to the translation option "bi-directional: yes" which means that that rule automatically creates a reciprocal rule with the source/translation values reversed.

Cyber Elite

Hi @mccoyb,

If you run the "show session all" command you will see the NATed IP addresses for all of your sessions.

67137512     ldap           ACTIVE  FLOW  NS   192.168.55.218[62453]/trust-L3/17  (10.66.22.55[17114])
vsys1                                          10.66.22.243[389]/dmz-L3  (10.66.22.243[389])

This example was taken from this document -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsVCAS

  1. The top line is the source IP address.
  2. The bottom line is the destination IP address.
  3. The left IP address is the pre-NAT IP address.
  4. The right IP is the post-NAT IP address.

In this example, 192.168.55.218 is NATed to 10.66.22.55. (It is a lab NGFW.) So, you can see all of the current NAT translations on the NGFW equivalent to the Cisco "show ip nat translations" or "show xlate".

You can use filters as explained in the document to show only the traffic you want.

Thanks,

Tom

PS  You can also enable additional columns in the Monitor tab.  Please see this post and scroll down to the pictures.  https://live.paloaltonetworks.com/t5/general-topics/nat-sessions/td-p/50186

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Thanks for the response. I saw this in my research but since all flows are included I guess I didn't see the tree for the forest. The site I am looking at has a lot of traffic and only about 20 NATs.

Cyber Elite

Hi @mccoyb,

Good point.  The filters are very useful.  Check this one out:

user@ngfw(active)> show session all filter nat 
  both          Both source and destination NAT
  destination   Destination NAT
  none          No NAT
  source        Source NAT

You can limit the sessions to only source NAT, destination NAT, or both.  You could also add columns and filter in the GUI.

Thanks,

Tom

 

Help the community: Like helpful comments and mark solutions.

L1 Bithead

That helps greatly Tom. Thanks for the help
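
On a busy firewall the session list repeats the same translation once per flow. The following is an added example, not part of the thread and not Palo Alto tooling: it reduces saved "show session all" output in the two-line format quoted above to one row per unique pre-NAT to post-NAT address pair, ignoring ports. It assumes IPv4 addresses; the function name and every sample session except the first are constructed for illustration, and the result covers only sessions active when the output was captured.

```python
import re
from collections import Counter

# address[port]/zone[/proto]  (translated-address[port]), as in the sample above; IPv4 only
ENDPOINT = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\[\d+\]/\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\[\d+\]\)"
)

def nat_translations(output):
    """Count sessions per (kind, pre-NAT IP, post-NAT IP), ignoring ports."""
    seen = Counter()
    expect_dst = False
    for line in output.splitlines():
        fields = line.split()
        match = ENDPOINT.search(line)
        if not fields or not match:
            continue                      # headers, separators, blank lines
        pre, post = match.groups()
        if fields[0].isdigit():           # first line of a record starts with the session ID
            kind, expect_dst = "source", True
        elif expect_dst:                  # second line starts with the vsys name
            kind, expect_dst = "destination", False
        else:
            continue
        if pre != post:                   # untranslated addresses are repeated unchanged
            seen[(kind, pre, post)] += 1
    return seen

# First record is the one quoted in the thread; the rest are constructed sample data.
SAMPLE = """\
67137512     ldap           ACTIVE  FLOW  NS   192.168.55.218[62453]/trust-L3/17  (10.66.22.55[17114])
vsys1                                          10.66.22.243[389]/dmz-L3  (10.66.22.243[389])
67137513     ldap           ACTIVE  FLOW  NS   192.168.55.218[62454]/trust-L3/17  (10.66.22.55[17115])
vsys1                                          10.66.22.243[389]/dmz-L3  (10.66.22.243[389])
67137520     web-browsing   ACTIVE  FLOW  ND   198.51.100.7[40112]/untrust-L3/6  (198.51.100.7[40112])
vsys1                                          203.0.113.10[443]/untrust-L3  (192.168.55.20[443])
67137521     dns            ACTIVE  FLOW       192.168.55.30[5353]/trust-L3/17  (192.168.55.30[5353])
vsys1                                          192.168.55.1[53]/trust-L3  (192.168.55.1[53])
"""

if __name__ == "__main__":
    for (kind, pre, post), n in sorted(nat_translations(SAMPLE).items()):
        print(f"{kind:<12}{pre:<18}-> {post:<18}{n} session(s)")
```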
