08-10-2020 06:49 AM - edited 04-27-2021 11:39 AM
@shafi021 it looks like @BPry got you taken care of with his reply. I would just add that even if your firewall isn't using a public IP, and your ISP was doing a source NAT on your outbound traffic, I wouldn't expect it to be doing any source NAT on the return traffic. You would most likely see that the return traffic has the proper public IPs. Also, the return traffic for established connections (those initiated from your LAN to the Internet) should be allowed anyway.
You would most likely only have an issue w/ RFC1918 traffic going from your Public zone to your LAN zone if you were both 1) using private IPs on your firewall's Public interface because your ISP is doing source NAT, and 2) needing some other device on the network between your firewall and ISP's device (the Public zone according to the firewall, but the private side according to the ISP's NAT device) to the firewall's LAN zone.
If you're interested in a more comprehensive BOGON list than just RFC1918, I'm a fan of CYMRU's Full Bogon list, which also includes public IP ranges not yet allocated by IANA. It can be used as an external dynamic list (EDL) on the Palo Alto firewall.
https://team-cymru.com/community-services/bogon-reference/bogon-reference-http/
