This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Who rated this post

Raido_Rattameister
Cyber Elite
Cyber Elite

‎07-25-2017 07:24 AM

Palo first checks if traffic flows on permitted ip/port.

Then identifies application.

Then does threat.

And if traffic passes all checks then IP is changed in the packet.

 

Every interface belongs to zone.

If traffic enters firewall it comes from zone and SOURCE ZONE NEVER CHANGES.

 

Now if it is SNAT (traffic that comes from DMZ to Untrust) then in NAT policy source zone is DMZ and destination zone is Untrust. Same in security policy.

 

Different story is with DNAT if traffic comes from Untrust and goes to DMZ.

Traffic comes from Untrust zone because it enters firewall from interface that is in Untrust zone.

Now as traffic is destined to your public IP that according to routing table is in Untrust zone your NAT zones are:

Untrust > Untrust and from any source IP to your wan IP.

 

NAT is evaluated and destination zone is changed in packet metadata BUT NOT DESTINATION IP.

 

Security policy is checked when IP is still destined to original public IP so zone config matches correct destination zone:

Untrust > DMZ but IP is still wan IP.

 

🙂

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks