Hello Andreas,

You are correct. You do need a route on the firewall pointing the dynamic, untrust IP address towards the DMZ interface. If you are only expecting 443 traffic on this dynamic address, then you could accomplish this with just a static route. If you are expecting to receive 443 and other services on this IP address, however, then you do need a PBF policy. You can still filter by application, and you could use a bi-directional NAT as well. I've not encountered any problems with PBF and app filter, so I cannot comment on that, but they are designed to work in harmony if configured correctly.

For your last question, yes, you can translate the destination port from your untrust traffic (444) to a different port (443) using NAT. The NAT statement would look something like the following:

Note that the NAT policy permits Untrust to Untrust, but the security policy needs to permit Untrust to DMZ. See the following document for more information regarding NAT on the Palo Alto: https://live.paloaltonetworks.com/docs/DOC-1517

Regards,
tasonibare
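The zone mismatch in the reply above (NAT rule Untrust to Untrust, security rule Untrust to DMZ) is the part people most often get wrong, so here is a small model of how the firewall evaluates the two lookups for a destination NAT with port translation. This is an added example, not code from the post or from Palo Alto Networks: the NAT lookup uses the pre-NAT destination zone (route lookup on the original destination address), while the security lookup uses the pre-NAT addresses but the post-NAT destination zone (route lookup on the translated address). All addresses (203.0.113.10 as the untrust IP, 10.10.10.5 as the DMZ web server, 198.51.100.7 as the client), zone names, rule names and the `evaluate` helper are constructed for illustration and are not from the original thread.

```python
"""Model of PAN-OS NAT vs. security policy evaluation for destination NAT
with port translation (untrust:444 -> DMZ host:443).

Added example; not code from the original post or from Palo Alto Networks.
All addresses, zone names and rule names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed routing table: prefix -> egress zone. The firewall's own
# untrust address sits in 203.0.113.0/24, the DMZ web server in 10.10.10.0/24.
ROUTES = {
    "0.0.0.0/0": "untrust",
    "203.0.113.0/24": "untrust",
    "10.10.10.0/24": "dmz",
}


def zone_for(ip: str) -> str:
    """Longest-prefix-match route lookup returning the egress zone for ip."""
    addr = ipaddress.ip_address(ip)
    best = max(
        (ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)),
        key=lambda n: n.prefixlen,
    )
    return ROUTES[str(best)]


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str          # pre-NAT destination zone (route lookup on original dst)
    dst: str              # pre-NAT destination address
    dst_port: int         # pre-NAT destination port
    translated_dst: str
    translated_port: int


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str          # post-NAT destination zone
    dst: str              # still the pre-NAT destination address
    app: str              # matched by App-ID, so no port in the security rule
    action: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    app: str


def evaluate(pkt: Packet, nat_rules: list, sec_rules: list) -> dict:
    """Walk a packet through the NAT lookup, then the security policy lookup.

    NAT matches on pre-NAT zones/addresses/ports; security policy matches on
    pre-NAT addresses but post-NAT zones, which is why an untrust->untrust NAT
    rule must be paired with an untrust->dmz security rule. First match wins.
    """
    src_zone = zone_for(pkt.src)
    pre_nat_dst_zone = zone_for(pkt.dst)

    nat = next(
        (r for r in nat_rules
         if r.from_zone == src_zone and r.to_zone == pre_nat_dst_zone
         and r.dst == pkt.dst and r.dst_port == pkt.dport),
        None,
    )
    if nat is None:
        translated_dst, translated_port = pkt.dst, pkt.dport
    else:
        translated_dst, translated_port = nat.translated_dst, nat.translated_port

    post_nat_dst_zone = zone_for(translated_dst)

    sec = next(
        (r for r in sec_rules
         if r.from_zone == src_zone and r.to_zone == post_nat_dst_zone
         and r.dst == pkt.dst and r.app == pkt.app),
        None,
    )
    return {
        "nat_rule": nat.name if nat else None,
        "translated_dst": translated_dst,
        "translated_port": translated_port,
        "pre_nat_dst_zone": pre_nat_dst_zone,
        "post_nat_dst_zone": post_nat_dst_zone,
        "security_rule": sec.name if sec else None,
        "action": sec.action if sec else "deny (no match)",
    }


NAT_RULES = [
    NatRule("dnat-444-to-dmz-443", "untrust", "untrust",
            "203.0.113.10", 444, "10.10.10.5", 443),
]

# The first rule is the common mistake (zones copied from the NAT rule);
# the second is the one that actually matches after translation.
SECURITY_RULES = [
    SecurityRule("wrong-untrust-to-untrust", "untrust", "untrust",
                 "203.0.113.10", "ssl", "allow"),
    SecurityRule("allow-untrust-to-dmz-https", "untrust", "dmz",
                 "203.0.113.10", "ssl", "allow"),
]

# Constructed inbound packet from an Internet client to the untrust IP on 444.
INBOUND = Packet("198.51.100.7", "203.0.113.10", 444, "ssl")


if __name__ == "__main__":
    for key, value in evaluate(INBOUND, NAT_RULES, SECURITY_RULES).items():
        print(f"{key:>18}: {value}")
```

Running it shows the NAT rule matching with destination zone untrust, the translated destination landing in dmz, and only the Untrust-to-DMZ security rule matching; drop that second rule and the packet falls to the default deny even though the NAT rule still matched, which is exactly the failure mode the reply warns about.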