07-25-2017 07:24 AM
Palo first checks if traffic flows on a permitted IP/port.
Then identifies the application.
Then does threat.
And if traffic passes all checks then the IP is changed in the packet.
Every interface belongs to a zone.
If traffic enters the firewall it comes from a zone and SOURCE ZONE NEVER CHANGES.
Now if it is SNAT (traffic that comes from DMZ to Untrust) then in the NAT policy the source zone is DMZ and the destination zone is Untrust. Same in the security policy.
It is a different story with DNAT, if traffic comes from Untrust and goes to DMZ.
Traffic comes from the Untrust zone because it enters the firewall from an interface that is in the Untrust zone.
Now, as traffic is destined to your public IP, which according to the routing table is in the Untrust zone, your NAT zones are:
Untrust > Untrust and from any source IP to your WAN IP.
NAT is evaluated and the destination zone is changed in the packet metadata BUT NOT THE DESTINATION IP.
Security policy is checked when the packet is still destined to the original public IP, so the zone config matches the correct destination zone:
Untrust > DMZ but the IP is still the WAN IP.
🙂
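
The DNAT lookup order described in the post above, as an added example that is not part of the original post and not Palo Alto Networks code: a toy model where the NAT rule matches on pre-NAT zones, the security rule matches on the original destination IP with the post-NAT zone, and the address is rewritten last. The addresses, route table, rule dictionaries and the deny-on-no-match fallback are constructed assumptions.

```python
import ipaddress

# Constructed lab values (documentation ranges); nothing here comes from the post.
ROUTES = [("0.0.0.0/0", "Untrust"), ("203.0.113.0/24", "Untrust"), ("10.1.1.0/24", "DMZ")]
# NAT rule: zones are Untrust > Untrust because the WAN IP routes to Untrust.
NAT_RULES = [{"from": "Untrust", "to": "Untrust",
              "dst": "203.0.113.10", "translate_to": "10.1.1.10"}]

def zone_for(ip):
    """Longest-prefix route lookup that returns the zone for an address."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(net), zone) for net, zone in ROUTES
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def first_match(rules, src_zone, dst_zone, dst_ip):
    """Return the first rule whose zones and destination address all match."""
    for rule in rules:
        if (rule["from"], rule["to"], rule["dst"]) == (src_zone, dst_zone, dst_ip):
            return rule
    return None

def evaluate(ingress_zone, dst_ip, sec_rules):
    """Walk one inbound packet through NAT lookup, security lookup, then rewrite."""
    src_zone = ingress_zone              # set by the ingress interface, never changes
    nat_dst_zone = zone_for(dst_ip)      # zone of the original (public) destination
    nat = first_match(NAT_RULES, src_zone, nat_dst_zone, dst_ip)
    translated = nat["translate_to"] if nat else dst_ip
    sec_dst_zone = zone_for(translated)  # only the zone is updated at this point
    # Security lookup: post-NAT destination zone, but still the original IP.
    rule = first_match(sec_rules, src_zone, sec_dst_zone, dst_ip)
    action = rule["action"] if rule else "deny"   # assumption: no match means deny
    return {"nat_zones": (src_zone, nat_dst_zone),
            "security_zones": (src_zone, sec_dst_zone),
            "action": action,
            # The destination IP is rewritten only after every check has passed.
            "forwarded_to": translated if action == "allow" else None}

# Three candidate security rulebases for the same inbound flow (all constructed).
GOOD = [{"from": "Untrust", "to": "DMZ", "dst": "203.0.113.10", "action": "allow"}]
PRIVATE_IP = [{"from": "Untrust", "to": "DMZ", "dst": "10.1.1.10", "action": "allow"}]
PRE_NAT_ZONE = [{"from": "Untrust", "to": "Untrust", "dst": "203.0.113.10", "action": "allow"}]

if __name__ == "__main__":
    for name, rules in [("GOOD", GOOD), ("PRIVATE_IP", PRIVATE_IP), ("PRE_NAT_ZONE", PRE_NAT_ZONE)]:
        print(name, evaluate("Untrust", "203.0.113.10", rules))
```

Only the `GOOD` rulebase allows the flow; the two common misconfigurations (private IP in the security rule, or the pre-NAT destination zone) fall through to deny in this model.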