Palo Alto Networks
Network Address Translation
For Dummies
Alberto Rivai, CCIE, CISSP
Senior Systems Engineer
ANZ
NAT Example 1: static destination NAT
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
[Slides 2-3: screenshots of the Example 1 NAT policy and security policy; their contents are spelled out in the step-by-step walkthrough below.]

Example 1 topology: an Internet host in the Untrust zone reaches an internal server in the Trust zone through the public IP 102.100.88.90, which the firewall translates to the server's real address 172.17.1.40.

NAT Example 2: destination NAT with the public subnet routed to a DMZ zone
[Slides 4-5: screenshots of the Example 2 security policy and NAT policy.]

Example 2 topology: three zones, Untrust (Internet), DMZ and Trust (Internal). The public subnet 104.150.226.0/24 is routed towards the DMZ zone, and a public IP from it is translated to the internal server 172.17.1.39 in the Trust zone.
Flow logic of the next-generation firewall (slide 6)

The slide is a flow diagram of where NAT sits relative to the other processing stages:

1. Initial packet processing: source zone / address / User-ID -> PBF / forwarding lookup -> destination zone -> NAT policy evaluated -> security pre-policy check (allowed ports) -> session created.
2. Application: check for encrypted traffic -> decryption policy -> application override policy -> App-ID -> security policy check.
3. Security policy check -> security profiles.
4. Post-policy processing: re-encrypt traffic -> NAT policy applied -> packet forwarded.

The point that matters for NAT: the NAT policy is evaluated early, right after the destination zone is derived from the forwarding lookup, but it is applied only at the end, after the security policy has been checked against the original addresses.
NAT Example 1: static destination NAT, step by step
[Slides 7-8: screenshots of the Example 1 NAT policy and security policy.]

PAN-OS zone and IP address processing flow (Example 1). The deck builds this up one step per slide; the complete sequence is:

1. A packet arrives from the Internet: source address any, destination address 102.100.88.90.
2. PAN-OS assigns the source zone from the interface the packet ingressed on, and the destination zone from the interface the packet would egress from, looked up with the original destination address. 102.100.88.90 is routed out the Untrust interface, so the packet is now Untrust -> Untrust, source any, destination 102.100.88.90.
3. The NAT rulebase is checked for a matching rule, using those pre-NAT zones (Untrust -> Untrust) and the original addresses.
4. PAN-OS checks the interface the packet will egress from using the translated address and changes the destination zone if necessary: 172.17.1.40 is reached through the Trust interface, so the packet is now Untrust -> Trust, while its addresses are still source any, destination 102.100.88.90.
5. The security rulebase is checked for a matching rule, using the post-NAT zones (Untrust -> Trust) and the pre-NAT addresses (destination 102.100.88.90).
6. Source and/or destination IP addresses are rewritten per the NAT rule.
7. The packet is forwarded with destination address 172.17.1.40. (The deck's final slide prints the server as 172.16.1.40; the topology diagram shows 172.17.1.40.)
NAT Example 2: destination NAT with the public subnet routed to a DMZ zone, step by step
[Slides 15-16: screenshots of the Example 2 security policy and NAT policy.]

Topology: Untrust zone (Internet), DMZ zone, Trust zone (Internal). The public subnet 104.150.226.0/24 is routed towards the DMZ zone; the internal server is 172.17.1.39 in the Trust zone. The deck prints the destination address as 104.160.226.80, which as written does not fall inside 104.150.226.0/24; the logic below requires the public IP to belong to the subnet that is routed to the DMZ.

PAN-OS zone and IP address processing flow (Example 2):

1. A packet arrives from the Internet: source address any, destination address 104.160.226.80.
2. PAN-OS assigns the source zone from the ingress interface and the destination zone from the interface the packet would egress from, looked up with the original destination address. The public subnet is routed towards the DMZ interface, so the packet is Untrust -> DMZ.
3. The NAT rulebase is checked for a matching rule: source zone Untrust, destination zone DMZ, destination address 104.160.226.80. The NAT rule must therefore be written Untrust -> DMZ, not Untrust -> Trust.
4. PAN-OS checks the interface the packet will egress from using the translated address (172.17.1.39, reached via the Trust interface) and changes the destination zone to Trust.
5. The security rulebase is checked: source zone Untrust, destination zone Trust, destination address still 104.160.226.80 (pre-NAT).
6. Source and/or destination IP addresses are rewritten per the NAT rule.
7. The packet is forwarded with destination address 172.17.1.39. (The deck's final slide prints the server as 172.16.1.39; the topology diagram shows 172.17.1.39.)
NAT Policy Logic

- Source and destination zones on a NAT rule are evaluated pre-NAT, based on the routing table.
- Example 1: when translating traffic that is inbound to an internal server reached by Internet users via a public IP, the NAT rule must use the zone in which the public IP address resides (here Untrust -> Untrust).
- Example 2: when that public IP is routed to a DMZ zone, the NAT rule must use the DMZ zone as its destination zone (Untrust -> DMZ).
- Original IP addresses are ALWAYS used when matching rules, no matter which policy (NAT or security). Why? Because the address translation does not actually happen until the packet egresses the firewall.
- The ONLY zone that may change from the original packet during processing is the destination zone. The security rule for a destination NAT therefore uses the post-NAT destination zone (the zone of the real server) together with the pre-NAT destination address (the public IP).
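The following Python model is an added example, not code from the deck or from Palo Alto Networks. It replays the seven-step flow of both examples so that the effect of pre-NAT zones on the NAT rule and post-NAT zones on the security rule is visible, and it includes two misconfigured variants of Example 1 to show why a NAT rule written Untrust -> Trust, or a security rule written against the real server IP, never matches. The routing tables, rule names and misconfigured variants are assumptions made for the example; for Example 2 the public address is taken as 104.150.226.80 so that it falls inside the DMZ-routed subnet 104.150.226.0/24 (the deck prints it as 104.160.226.80).

```python
"""Model of the PAN-OS ordering described in the deck: the destination zone is derived
from the routing table before NAT, the NAT rulebase is matched on pre-NAT zones and
original addresses, the destination zone is then re-derived from the translated address,
and the security rulebase is matched on the post-NAT zone but the original addresses.
Routing tables, rule names and the misconfigured variants are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str         # pre-NAT destination zone: where the public IP is routed
    dst: str             # original (public) destination address
    translated_dst: str  # real server address


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str         # post-NAT destination zone: where the real server lives
    dst: str             # original (public) destination address, or "any"
    action: str = "allow"


def zone_for(routes, ip):
    """Longest-prefix match over (prefix, zone) pairs; stands in for the forwarding
    lookup, i.e. 'show routing route destination <ip>' plus the egress interface's zone."""
    addr = ipaddress.ip_address(ip)
    best_net, best_zone = None, None
    for prefix, zone in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_zone = net, zone
    if best_zone is None:
        raise LookupError(f"no route to {ip}")
    return best_zone


def evaluate(routes, nat_rules, sec_rules, ingress_zone, dst_ip):
    """Walk the deck's seven steps for one inbound packet and return a trace."""
    trace = {"src_zone": ingress_zone, "dst_ip": dst_ip}
    # Step 2: destination zone from a route lookup on the ORIGINAL destination address.
    trace["pre_nat_dst_zone"] = zone_for(routes, dst_ip)
    # Step 3: NAT rulebase, matched on pre-NAT zones and original addresses; first match wins.
    nat = next((r for r in nat_rules if r.from_zone == ingress_zone
                and r.to_zone == trace["pre_nat_dst_zone"] and r.dst == dst_ip), None)
    trace["nat_rule"] = nat.name if nat else None
    translated = nat.translated_dst if nat else dst_ip
    # Step 4: destination zone re-derived from where the TRANSLATED address is routed.
    trace["post_nat_dst_zone"] = zone_for(routes, translated)
    # Step 5: security rulebase, matched on post-NAT zones but still the ORIGINAL address.
    sec = next((r for r in sec_rules if r.from_zone == ingress_zone
                and r.to_zone == trace["post_nat_dst_zone"] and r.dst in ("any", dst_ip)), None)
    trace["security_rule"] = sec.name if sec else None
    trace["action"] = sec.action if sec else "deny (no rule matched)"
    # Steps 6-7: the address is only rewritten now, as the allowed packet is forwarded.
    trace["forwarded_dst"] = translated if sec and sec.action == "allow" else None
    return trace


# Example 1: the public IP 102.100.88.90 lives on the Untrust subnet; the server is in Trust.
ROUTES_EX1 = [("0.0.0.0/0", "Untrust"), ("102.100.88.0/24", "Untrust"), ("172.17.1.0/24", "Trust")]
NAT_EX1 = [NatRule("dnat-web", "Untrust", "Untrust", "102.100.88.90", "172.17.1.40")]
SEC_EX1 = [SecRule("allow-web", "Untrust", "Trust", "102.100.88.90")]


def example1():
    return evaluate(ROUTES_EX1, NAT_EX1, SEC_EX1, "Untrust", "102.100.88.90")


def example1_wrong_nat_zone():
    """NAT rule written Untrust -> Trust: it never matches, the zone stays Untrust, packet dropped."""
    bad_nat = [NatRule("dnat-web", "Untrust", "Trust", "102.100.88.90", "172.17.1.40")]
    return evaluate(ROUTES_EX1, bad_nat, SEC_EX1, "Untrust", "102.100.88.90")


def example1_wrong_security_address():
    """Security rule written against the real IP 172.17.1.40: NAT matches, security does not."""
    bad_sec = [SecRule("allow-web", "Untrust", "Trust", "172.17.1.40")]
    return evaluate(ROUTES_EX1, NAT_EX1, bad_sec, "Untrust", "102.100.88.90")


# Example 2: the public subnet is routed to the DMZ zone (public address assumed as 104.150.226.80).
ROUTES_EX2 = [("0.0.0.0/0", "Untrust"), ("104.150.226.0/24", "DMZ"), ("172.17.1.0/24", "Trust")]
NAT_EX2 = [NatRule("dnat-dmz-web", "Untrust", "DMZ", "104.150.226.80", "172.17.1.39")]
SEC_EX2 = [SecRule("allow-dmz-web", "Untrust", "Trust", "104.150.226.80")]


def example2():
    return evaluate(ROUTES_EX2, NAT_EX2, SEC_EX2, "Untrust", "104.150.226.80")


if __name__ == "__main__":
    for fn in (example1, example1_wrong_nat_zone, example1_wrong_security_address, example2):
        print(fn.__name__, fn())
```

On a live firewall the equivalent checks are `test nat-policy-match` and `test security-policy-match`, which report the rule a given from-zone / to-zone / source / destination combination hits; feed the NAT test the pre-NAT zones and the security test the post-NAT destination zone with the original addresses, exactly as the model does.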
Destination NAT policy configuration

The slide annotates the fields of a destination NAT rule:

- Source zone: the zone the original source address comes from (i.e. the Internet / Untrust zone).
- Destination zone: the zone in which the NATted (public, pre-translation) destination IP is routed. To find it, run "show routing route destination <natted ip subnet/mask>" and read off the zone of the interface the matching route points to.
- Original packet, source address: the original source address (any).
- Original packet, destination address: the NATted public IP.
- Translated packet, destination address: the server's real IP.
Source NAT

PAN-OS supports the following options for source translation:

- Dynamic IP and port (DIPP)
- Dynamic IP (DIP)
- Static IP

DIP NAT

- In this form of NAT the original source port number is left intact; only the source IP address is translated.
- With dynamic-ip source NAT the size of the NAT pool must equal the number of internal hosts that require translation. Once every address in the pool is in use, connections from new hosts cannot be translated and are dropped; new sessions from hosts that already hold a translation continue to be allowed.

DIPP NAT

- To translate both the source IP address AND the source port, the DIPP (dynamic IP and port) type of translation must be used.
- This form of NAT is also commonly referred to as interface-based NAT or network address port translation (NAPT). Cisco routers call it NAT overload; Juniper NetScreen calls it PAT.
Translated IPs
[Slide 28: screenshot of the translated-address configuration; no text survived extraction.]

When do we need oversubscription?

- Use case 1: when you have "X" public IPs and need more than X x 64511 NAT sessions.
NAT capacity (PA-3050)

The slide is a capacity table whose cell values did not survive extraction apart from one. Its columns are:

- Maximum NAT rules combined (static, DIP and DIPP)
- Maximum static NAT rules
- Maximum DIP NAT rules
- Maximum DIPP NAT rules
- Maximum DIP IPs
- Maximum DIPP IPs with oversubscription off (1x)
- Maximum DIPP IPs at the default oversubscription (source IP and port reused 2x, for different destination IPs)

The one surviving value, 800, is the maximum number of DIPP translated addresses with oversubscription off; the next slide divides it by the oversubscription ratio.
DIPP oversubscription

- Usable number of ports: 65535 - 1024 = 64511 (the deck's count).
- Example: maximum number of DIPP NAT sessions on a PA-3050.
- The default DIPP oversubscription for the PA-3050 is 2x.
- With 1 public IP at the default 2x oversubscription: 1 x 64511 x 2 = 129,022 NAT sessions.
- With the maximum DIPP oversubscription (8x), the translated-address limit drops to 800 / 8 = 100, so the maximum is (800 max translated addresses / 8 max oversubscription) x 8 x 64511 = 51,608,800 NAT sessions (the slide prints 51,608,000).
- Both figures assume every session goes to a different destination; sessions that share a destination cannot share a translated IP and port, so the real number is lower.
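As an added example (not code from the deck or from Palo Alto Networks), the Python below models the behaviour described in the DIP NAT, DIPP NAT and oversubscription slides: a DIP pool that binds one translated address per internal host and, once exhausted, rejects only new hosts; a DIPP pool whose (translated address, port) pairs may be reused up to the oversubscription ratio as long as the sessions' destination IPs differ; and the capacity arithmetic. The pool addresses, the sessions and the two-port pool used to make exhaustion visible are constructed for the example; the 64511 usable-port count and the 800 translated-address limit are the deck's figures.

```python
"""Source NAT pool behaviour as the deck describes it.  DIP binds one translated address
per internal host and leaves the port alone; DIPP allocates a translated (address, port)
per session and, with oversubscription N, may hand the same pair to N sessions as long as
their destination addresses differ.  All addresses and sessions are constructed."""

USABLE_PORTS = 65535 - 1024   # the deck's count of usable translated ports (64511)
DIPP_IP_LIMIT_1X = 800        # PA-3050 DIPP translated-address limit at 1x, per the deck


def max_dipp_sessions(public_ips, oversub, usable_ports=USABLE_PORTS):
    """Upper bound on concurrent DIPP sessions, assuming every session has a different destination."""
    return public_ips * usable_ports * oversub


def dipp_ip_limit(oversub, limit_1x=DIPP_IP_LIMIT_1X):
    """Raising the oversubscription ratio divides the number of translated addresses the box accepts."""
    return limit_1x // oversub


class DipPool:
    """Dynamic IP: one pool address per internal host, source port untouched."""

    def __init__(self, pool):
        self.free = list(pool)
        self.bindings = {}        # internal host -> translated address

    def translate(self, src_ip, src_port):
        if src_ip not in self.bindings:
            if not self.free:
                return None       # pool exhausted: a NEW host cannot be translated, session dropped
            self.bindings[src_ip] = self.free.pop(0)
        return (self.bindings[src_ip], src_port)   # hosts already bound keep working


class DippPool:
    """Dynamic IP and port (NAPT / PAT / NAT overload) with oversubscription."""

    def __init__(self, pool, oversub=1, ports=range(1025, 65536)):
        self.pool = list(pool)
        self.oversub = oversub
        self.ports = ports
        self.in_use = {}          # (translated ip, port) -> set of destination IPs using it
        self.sessions = {}        # (src ip, src port, dst ip, dst port) -> (translated ip, port)

    def capacity(self):
        return len(self.pool) * len(self.ports) * self.oversub

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:
            return self.sessions[key]
        for pub in self.pool:
            for port in self.ports:
                dsts = self.in_use.setdefault((pub, port), set())
                # A pair may be reused up to `oversub` times, but never for the same destination:
                # replies from one destination to (pub, port) must map back to exactly one session.
                if len(dsts) < self.oversub and dst_ip not in dsts:
                    dsts.add(dst_ip)
                    self.sessions[key] = (pub, port)
                    return (pub, port)
        return None               # every (address, port, destination) slot is taken


def demo_dip():
    """Two-address DIP pool, three hosts: the third host is dropped, the first keeps working."""
    pool = DipPool(["198.51.100.1", "198.51.100.2"])
    return [pool.translate("10.0.0.1", 40000),
            pool.translate("10.0.0.2", 40001),
            pool.translate("10.0.0.3", 40002),
            pool.translate("10.0.0.1", 40003)]


def demo_dipp(oversub):
    """One translated address with only two ports, so exhaustion shows after a few sessions."""
    pool = DippPool(["198.51.100.1"], oversub=oversub, ports=range(1025, 1027))
    flows = [("10.0.0.1", 40000, "203.0.113.1", 80),
             ("10.0.0.2", 40000, "203.0.113.2", 80),
             ("10.0.0.3", 40000, "203.0.113.1", 80),   # same destination as flow 1: cannot share its port
             ("10.0.0.4", 40000, "203.0.113.3", 80),
             ("10.0.0.5", 40000, "203.0.113.9", 80)]
    return [pool.translate(*f) for f in flows]


if __name__ == "__main__":
    print("1 IP, 2x:", max_dipp_sessions(1, 2))
    print("8x limit:", dipp_ip_limit(8), "IPs ->", max_dipp_sessions(dipp_ip_limit(8), 8))
    print("DIP:", demo_dip())
    print("DIPP 1x:", demo_dipp(1))
    print("DIPP 2x:", demo_dipp(2))
```

At 1x the two-port pool serves two sessions and drops the rest; at 2x it serves four, but the third flow still cannot reuse port 1025 because flow 1 already uses it towards the same destination, which is exactly why the deck's session figures only hold when all sessions go to different destinations.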
Example oversub 1x
[Slide 32: screenshot of a DIPP rule with oversubscription off; no text survived extraction.]

Example oversub 8x
[Slide 33: screenshot of the same rule at 8x oversubscription; no text survived extraction.]

NAT CLI command

- Check DIPP/DIP rule capacity. The slides showing the command and its output (slides 34-36) survived only as screenshots; on PAN-OS the dynamic pool utilisation is reported by "show running ippool" for all dynamic pools and by "show running nat-rule-ippool rule <rule-name>" for a single rule.
Ad

More Related Content

What's hot (20)

Roaming behavior and Client Troubleshooting
Roaming behavior and Client TroubleshootingRoaming behavior and Client Troubleshooting
Roaming behavior and Client Troubleshooting
Aruba, a Hewlett Packard Enterprise company
 
9 palo alto virtual routers concept (routing on palo alto)
9 palo alto virtual routers concept (routing on palo alto)9 palo alto virtual routers concept (routing on palo alto)
9 palo alto virtual routers concept (routing on palo alto)
Mostafa El Lathy
 
VXLAN Design and Deployment.pdf
VXLAN Design and Deployment.pdfVXLAN Design and Deployment.pdf
VXLAN Design and Deployment.pdf
NelAlv1
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate Training
NCS Computech Ltd.
 
6 pan-os software update &amp; downgrade instruction
6 pan-os software update &amp; downgrade instruction6 pan-os software update &amp; downgrade instruction
6 pan-os software update &amp; downgrade instruction
Mostafa El Lathy
 
Access Management with Aruba ClearPass
Access Management with Aruba ClearPassAccess Management with Aruba ClearPass
Access Management with Aruba ClearPass
Aruba, a Hewlett Packard Enterprise company
 
20 palo alto site to site
20 palo alto site to site20 palo alto site to site
20 palo alto site to site
Mostafa El Lathy
 
2 what is the best firewall (sizing)
2 what is the best firewall (sizing)2 what is the best firewall (sizing)
2 what is the best firewall (sizing)
Mostafa El Lathy
 
12 palo alto app-id concept
12 palo alto app-id concept12 palo alto app-id concept
12 palo alto app-id concept
Mostafa El Lathy
 
FortiGate_Sec_02_Security Fabric (1).pptx
FortiGate_Sec_02_Security Fabric (1).pptxFortiGate_Sec_02_Security Fabric (1).pptx
FortiGate_Sec_02_Security Fabric (1).pptx
NajahIdrissiMoulayRa
 
Azure vnet
Azure vnetAzure vnet
Azure vnet
zekeLabs Technologies
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building Blocks
APNIC
 
Presentacion Palo Alto Networks
Presentacion Palo Alto NetworksPresentacion Palo Alto Networks
Presentacion Palo Alto Networks
Laurent Daudré-Vignier
 
Palo alto-review
Palo alto-reviewPalo alto-review
Palo alto-review
Rayan Darine
 
5 initial access to palo alto using cli
5 initial access to palo alto using cli5 initial access to palo alto using cli
5 initial access to palo alto using cli
Mostafa El Lathy
 
14 palo alto quality of service(qos) concept
14 palo alto quality of service(qos) concept14 palo alto quality of service(qos) concept
14 palo alto quality of service(qos) concept
Mostafa El Lathy
 
Aruba Mobility Controllers
Aruba Mobility ControllersAruba Mobility Controllers
Aruba Mobility Controllers
Aruba, a Hewlett Packard Enterprise company
 
Useful cli commands v1
Useful cli commands v1Useful cli commands v1
Useful cli commands v1
Aruba, a Hewlett Packard Enterprise company
 
Aruba Webinar - 1-29-15
Aruba Webinar - 1-29-15Aruba Webinar - 1-29-15
Aruba Webinar - 1-29-15
Aruba, a Hewlett Packard Enterprise company
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
Mostafa El Lathy
 
9 palo alto virtual routers concept (routing on palo alto)
9 palo alto virtual routers concept (routing on palo alto)9 palo alto virtual routers concept (routing on palo alto)
9 palo alto virtual routers concept (routing on palo alto)
Mostafa El Lathy
 
VXLAN Design and Deployment.pdf
VXLAN Design and Deployment.pdfVXLAN Design and Deployment.pdf
VXLAN Design and Deployment.pdf
NelAlv1
 
6 pan-os software update &amp; downgrade instruction
6 pan-os software update &amp; downgrade instruction6 pan-os software update &amp; downgrade instruction
6 pan-os software update &amp; downgrade instruction
Mostafa El Lathy
 
2 what is the best firewall (sizing)
2 what is the best firewall (sizing)2 what is the best firewall (sizing)
2 what is the best firewall (sizing)
Mostafa El Lathy
 
12 palo alto app-id concept
12 palo alto app-id concept12 palo alto app-id concept
12 palo alto app-id concept
Mostafa El Lathy
 
FortiGate_Sec_02_Security Fabric (1).pptx
FortiGate_Sec_02_Security Fabric (1).pptxFortiGate_Sec_02_Security Fabric (1).pptx
FortiGate_Sec_02_Security Fabric (1).pptx
NajahIdrissiMoulayRa
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building Blocks
APNIC
 
5 initial access to palo alto using cli
5 initial access to palo alto using cli5 initial access to palo alto using cli
5 initial access to palo alto using cli
Mostafa El Lathy
 
14 palo alto quality of service(qos) concept
14 palo alto quality of service(qos) concept14 palo alto quality of service(qos) concept
14 palo alto quality of service(qos) concept
Mostafa El Lathy
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
Mostafa El Lathy
 

Similar to Palo alto networks NAT flow logic (20)

Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; Firewalls
Marrion Kujinga
 
firewalls-detailed-explanation-1223144.ppt
firewalls-detailed-explanation-1223144.pptfirewalls-detailed-explanation-1223144.ppt
firewalls-detailed-explanation-1223144.ppt
specialabszg
 
Firewalls
FirewallsFirewalls
Firewalls
Akhil Sharma
 
WIRELESS NETWORK
WIRELESS NETWORKWIRELESS NETWORK
WIRELESS NETWORK
prakash m
 
WIRELESS NETWORKS
WIRELESS NETWORKSWIRELESS NETWORKS
WIRELESS NETWORKS
dsit1234
 
IMS ENUM & DNS Mechanism
IMS ENUM & DNS MechanismIMS ENUM & DNS Mechanism
IMS ENUM & DNS Mechanism
Houman Sadeghi Kaji
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
phanleson
 
WIRELESS NETWORKS EC6802 BABU unit 1 & 2 PPT
WIRELESS NETWORKS EC6802 BABU unit 1 & 2 PPTWIRELESS NETWORKS EC6802 BABU unit 1 & 2 PPT
WIRELESS NETWORKS EC6802 BABU unit 1 & 2 PPT
babuece
 
H323 support.docx
H323 support.docxH323 support.docx
H323 support.docx
Thái Trương Đình
 
Cohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks Support Docs: VNS3 Setup for JuniperCohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks
 
NAT64 Overview
NAT64 OverviewNAT64 Overview
NAT64 Overview
Salachudin Emir
 
IT6601 MOBILE COMPUTING
IT6601 MOBILE COMPUTINGIT6601 MOBILE COMPUTING
IT6601 MOBILE COMPUTING
Kathirvel Ayyaswamy
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)
Bhargu Bhargavi
 
Hybrid IP PBX February 2014
Hybrid IP PBX February 2014Hybrid IP PBX February 2014
Hybrid IP PBX February 2014
Matrixcomsec Ttg
 
Module (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxModule (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptx
GeorgeThoreJr
 
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANWebinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Netgear Italia
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
Bangladesh Network Operators Group
 
Routing Concept with detail discussion and practical knowledge
Routing Concept with detail discussion and practical knowledgeRouting Concept with detail discussion and practical knowledge
Routing Concept with detail discussion and practical knowledge
zamna8043
 
Cs8601 3
Cs8601 3Cs8601 3
Cs8601 3
Kathirvel Ayyaswamy
 
Cs8601 3
Cs8601 3Cs8601 3
Cs8601 3
Kathirvel Ayyaswamy
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; Firewalls
Marrion Kujinga
 
firewalls-detailed-explanation-1223144.ppt
firewalls-detailed-explanation-1223144.pptfirewalls-detailed-explanation-1223144.ppt
firewalls-detailed-explanation-1223144.ppt
specialabszg
 
WIRELESS NETWORK
WIRELESS NETWORKWIRELESS NETWORK
WIRELESS NETWORK
prakash m
 
WIRELESS NETWORKS
WIRELESS NETWORKSWIRELESS NETWORKS
WIRELESS NETWORKS
dsit1234
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
phanleson
 
WIRELESS NETWORKS EC6802 BABU unit 1 & 2 PPT
WIRELESS NETWORKS EC6802 BABU unit 1 & 2 PPTWIRELESS NETWORKS EC6802 BABU unit 1 & 2 PPT
WIRELESS NETWORKS EC6802 BABU unit 1 & 2 PPT
babuece
 
Cohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks Support Docs: VNS3 Setup for JuniperCohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks
 
Hybrid IP PBX February 2014
Hybrid IP PBX February 2014Hybrid IP PBX February 2014
Hybrid IP PBX February 2014
Matrixcomsec Ttg
 
Module (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxModule (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptx
GeorgeThoreJr
 
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANWebinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Netgear Italia
 
Routing Concept with detail discussion and practical knowledge
Routing Concept with detail discussion and practical knowledgeRouting Concept with detail discussion and practical knowledge
Routing Concept with detail discussion and practical knowledge
zamna8043
 
Ad

More from Alberto Rivai (8)

FUEL - Strata Cloud Management - Master Deck.pdf
FUEL - Strata Cloud Management - Master Deck.pdfFUEL - Strata Cloud Management - Master Deck.pdf
FUEL - Strata Cloud Management - Master Deck.pdf
Alberto Rivai
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASB
Alberto Rivai
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authentication
Alberto Rivai
 
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideCisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Alberto Rivai
 
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using YubikeyPalo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Alberto Rivai
 
User Expert forum Wildfire configuration
User Expert forum Wildfire configurationUser Expert forum Wildfire configuration
User Expert forum Wildfire configuration
Alberto Rivai
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configuration
Alberto Rivai
 
User expert forum user-id
User expert forum   user-idUser expert forum   user-id
User expert forum user-id
Alberto Rivai
 
FUEL - Strata Cloud Management - Master Deck.pdf
FUEL - Strata Cloud Management - Master Deck.pdfFUEL - Strata Cloud Management - Master Deck.pdf
FUEL - Strata Cloud Management - Master Deck.pdf
Alberto Rivai
 
Palo Alto Networks CASB
Palo Alto Networks CASBPalo Alto Networks CASB
Palo Alto Networks CASB
Alberto Rivai
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authentication
Alberto Rivai
 
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideCisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Alberto Rivai
 
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using YubikeyPalo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Alberto Rivai
 
User Expert forum Wildfire configuration
User Expert forum Wildfire configurationUser Expert forum Wildfire configuration
User Expert forum Wildfire configuration
Alberto Rivai
 
User id installation and configuration
User id installation and configurationUser id installation and configuration
User id installation and configuration
Alberto Rivai
 
User expert forum user-id
User expert forum   user-idUser expert forum   user-id
User expert forum user-id
Alberto Rivai
 
Ad

Recently uploaded (20)

DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 

Palo Alto Networks NAT flow logic

  • 1. Palo Alto Networks: Network Address Translation For Dummies. Alberto Rivai, CCIE, CISSP, Senior Systems Engineer, ANZ
  • 2. NAT Example 1: static destination NAT. ©2014, Palo Alto Networks. Confidential and Proprietary. [Screenshots of the NAT policy and the security policy for Example 1]
  • 3. Example 1 topology: Internet (Untrust zone) on one side of the firewall, Internal (Trust zone) on the other. The internal server 172.17.1.40 is published to the Internet as 102.100.88.90.
  • 4. Example 2. [Screenshots of the security policy and the NAT policy for Example 2]
  • 5. Example 2 topology: Internet (Untrust zone), DMZ (DMZ zone) and Internal (Trust zone). The public range 104.150.226.0/24 is routed towards the DMZ interface; the internal server 172.17.1.39 in the Trust zone is published on an address from that range.
  • 6. Flow Logic of the Next-Generation Firewall (the order in which a new session is processed):
    §  Initial packet processing: source zone, source address and User-ID are determined; a PBF or forwarding (route) lookup gives the egress interface and therefore the destination zone.
    §  NAT policy evaluated (a matching NAT rule is selected and remembered; nothing is rewritten yet).
    §  Security pre-policy check: allowed ports.
    §  Session created.
    §  Application identification: check for encrypted traffic, decryption policy, application override policy, App-ID.
    §  Security policy check, then security profiles.
    §  Post-policy processing: re-encrypt traffic, NAT policy applied, packet forwarded.
  • 7-14. NAT Example 1 static destination NAT: PAN-OS zone and IP address processing flow.
    §  1. The packet arrives from the Internet: Source Address Any, Destination Address 102.100.88.90.
    §  2. PAN-OS assigns the Source Zone from the interface the packet ingressed on, and the Destination Zone from the interface the packet would egress from, i.e. a route lookup on the original (pre-NAT) destination. 102.100.88.90 is a public address that routes back out the Internet-facing interface, so: Source Zone Untrust, Destination Zone Untrust.
    §  3. The NAT rulebase is checked for a matching rule using these pre-NAT zones and addresses (Untrust to Untrust, destination 102.100.88.90).
    §  4. PAN-OS checks which interface the packet will egress from once the NAT rule is applied and changes the Destination Zone if necessary: Source Zone Untrust, Destination Zone Trust, Destination Address still 102.100.88.90.
    §  5. The security rulebase is checked for a matching rule, using the post-NAT zones (Untrust to Trust) but the pre-NAT addresses (destination 102.100.88.90).
    §  6. The source and/or destination IP address is rewritten per the NAT rule.
    §  7. The packet is forwarded: Source Address Any, Destination Address 172.17.1.40.
  • 15-22. Example 2 (public range routed to the DMZ): PAN-OS zone and IP address processing flow.
    §  1. The packet arrives from the Internet: Source Address Any, Destination Address 104.150.226.80.
    §  2. PAN-OS assigns the Source Zone from the ingress interface and the Destination Zone from the interface the packet would egress from. 104.150.226.0/24 is routed towards the DMZ interface, so: Source Zone Untrust, Destination Zone DMZ.
    §  3. The NAT rulebase is checked for a matching rule with these pre-NAT zones (Untrust to DMZ) and the original destination 104.150.226.80.
    §  4. PAN-OS checks which interface the packet will egress from after translation and changes the Destination Zone if necessary: Source Zone Untrust, Destination Zone Trust, Destination Address still 104.150.226.80.
    §  5. The security rulebase is checked for a matching rule: post-NAT zones (Untrust to Trust), pre-NAT destination address 104.150.226.80.
    §  6. The source and/or destination IP address is rewritten per the NAT rule.
    §  7. The packet is forwarded: Source Address Any, Destination Address 172.17.1.39.
  • 23. NAT Policy Logic
    §  Source and destination zones on a NAT rule are evaluated pre-NAT, based on the routing table: the destination zone is the zone of the interface that the original (untranslated) destination address routes to.
    §  Example 1: when translating traffic inbound to an internal server that Internet users reach via a public IP, the NAT rule must use the zone in which the public IP resides as its destination zone (here Untrust to Untrust).
    §  Example 2: when that public IP is routed to a DMZ zone, the NAT rule must use the DMZ zone as its destination zone (Untrust to DMZ), even though the real server sits in Trust.
    §  Original IP addresses are ALWAYS used for rule matching, in the NAT rulebase and in the security rulebase alike. Why? Because address translation does not actually happen until the packet egresses the firewall.
    §  The ONLY zone that may change from the original packet during processing is the Destination Zone. The security rule for Example 1 is therefore Untrust to Trust with destination 102.100.88.90, not 172.17.1.40; a rule written Untrust to Untrust, or with the internal address as destination, never matches.
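The seven-step walk-through and the policy logic above, as an added example that is not part of the deck or of any Palo Alto Networks code: a small Python model of the evaluation order. The interface names (ethernet1/1 to ethernet1/3), the route table and the rule names are constructed for illustration; the zone names and addresses are the deck's. It reproduces Example 1 and Example 2, and also shows why a security rule that uses the pre-NAT destination zone, or the post-NAT destination address, fails to match, and why a NAT rule for Example 2 written with Trust instead of DMZ as its destination zone never fires.

```python
"""Model of the PAN-OS evaluation order for destination NAT (deck slides 6-23).

Added example, not code from the deck or from Palo Alto Networks. Interface
names, routes and rule names are constructed; zone names and addresses follow
the deck's two examples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str          # zone of the ORIGINAL (pre-NAT) destination
    dst: str              # original destination address
    translated_dst: str   # real server address


@dataclass(frozen=True)
class SecRule:
    name: str
    from_zone: str
    to_zone: str          # zone of the TRANSLATED (post-NAT) destination
    dst: str              # "any" or the ORIGINAL destination address
    action: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    pre_nat_dst_zone: str
    post_nat_dst_zone: str
    nat_rule: Optional[str]
    sec_rule: Optional[str]
    egress_dst: str       # destination address on the wire after the firewall


class Firewall:
    def __init__(self, zones: Dict[str, str], routes: List[Route],
                 nat_rules: List[NatRule], sec_rules: List[SecRule]):
        self.zones = zones                      # interface -> zone
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen,
                             reverse=True)      # longest prefix first
        self.nat_rules, self.sec_rules = nat_rules, sec_rules

    def zone_for(self, ip: str) -> str:
        """Zone of the interface a packet to `ip` would egress from."""
        addr = ipaddress.ip_address(ip)
        for r in self.routes:
            if addr in r.prefix:
                return self.zones[r.interface]
        raise LookupError(f"no route to {ip}")

    def process(self, ingress_if: str, dst: str) -> Decision:
        # Steps 1-2: source zone from the ingress interface, destination zone
        # from a route lookup on the ORIGINAL destination address.
        src_zone, pre_zone = self.zones[ingress_if], self.zone_for(dst)
        # Step 3: NAT rulebase matched on pre-NAT zones and addresses.
        nat = next((r for r in self.nat_rules if r.from_zone == src_zone
                    and r.to_zone == pre_zone and r.dst == dst), None)
        # Step 4: destination zone recomputed from the translated address;
        # it is the only zone that can change.
        egress_dst = nat.translated_dst if nat else dst
        post_zone = self.zone_for(egress_dst)
        # Step 5: security rulebase uses the post-NAT zone but the ORIGINAL
        # destination address, because nothing has been rewritten yet.
        sec = next((r for r in self.sec_rules if r.from_zone == src_zone
                    and r.to_zone == post_zone and r.dst in ("any", dst)), None)
        allowed = sec is not None and sec.action == "allow"
        # Steps 6-7: rewrite and forward only if allowed.
        return Decision(allowed, pre_zone, post_zone,
                        nat.name if nat else None, sec.name if sec else None,
                        egress_dst if allowed else dst)


ZONES = {"ethernet1/1": "Untrust", "ethernet1/2": "Trust", "ethernet1/3": "DMZ"}
ROUTES = [Route(ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),        # Internet
          Route(ipaddress.ip_network("172.17.1.0/24"), "ethernet1/2"),    # servers
          Route(ipaddress.ip_network("104.150.226.0/24"), "ethernet1/3")]  # public range to DMZ

# Example 1: 102.100.88.90 routes via the default route (Untrust) and is
# published to 172.17.1.40 in Trust.
CORRECT_RULE_1 = SecRule("allow-web", "Untrust", "Trust", "102.100.88.90", "allow")
WRONG_ZONE_RULE_1 = SecRule("allow-web", "Untrust", "Untrust", "102.100.88.90", "allow")
WRONG_ADDR_RULE_1 = SecRule("allow-web", "Untrust", "Trust", "172.17.1.40", "allow")


def example1(sec_rule: SecRule) -> Decision:
    fw = Firewall(ZONES, ROUTES,
                  [NatRule("dnat-web", "Untrust", "Untrust", "102.100.88.90", "172.17.1.40")],
                  [sec_rule])
    return fw.process("ethernet1/1", "102.100.88.90")


# Example 2: 104.150.226.80 routes towards the DMZ, so the NAT rule must say
# Untrust -> DMZ; the security rule still says Untrust -> Trust.
CORRECT_RULE_2 = SecRule("allow-dmz-web", "Untrust", "Trust", "104.150.226.80", "allow")


def example2(nat_to_zone: str, sec_rule: SecRule) -> Decision:
    fw = Firewall(ZONES, ROUTES,
                  [NatRule("dnat-dmz", "Untrust", nat_to_zone, "104.150.226.80", "172.17.1.39")],
                  [sec_rule])
    return fw.process("ethernet1/1", "104.150.226.80")


if __name__ == "__main__":
    print(example1(CORRECT_RULE_1))
    print(example1(WRONG_ZONE_RULE_1))        # denied: security zone is post-NAT
    print(example1(WRONG_ADDR_RULE_1))        # denied: security address is pre-NAT
    print(example2("DMZ", CORRECT_RULE_2))
    print(example2("Trust", CORRECT_RULE_2))  # NAT rule never matches, no translation
```

On a real firewall the same walk-through can be confirmed from the CLI: a FIB lookup (`test routing fib-lookup virtual-router <vr> ip <address>`) gives the egress interface and hence the zone for both the original and the translated destination, and `test nat-policy-match` and `test security-policy-match`, each given from/to zones, source, destination, protocol and destination port, report which rule would be hit; the exact operands vary by PAN-OS version.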
  • 24. Destination NAT Policy configuration (annotated NAT rule fields):
    §  Source Zone: the zone the source IP comes from (i.e. the Internet / Untrust zone).
    §  Destination Zone: the zone of the NATed (public) IP. To find it, execute "show routing route destination <natted ip subnet/mask>" and check the zone of the interface that route points to.
    §  Source Address: the original source address.
    §  Destination Address: the NATed (public) IP.
    §  Translated Address: the real (internal) IP.
  • 25. Source NAT
    §  PAN-OS supports the following options for source translation:
    §  Dynamic-ip-and-port (DIPP)
    §  Dynamic-ip (DIP)
    §  Static IP
  • 26. DIP NAT
    §  In this form of NAT the original source port number is left intact; only the source IP address is translated.
    §  When using the dynamic-ip type of source NAT, the NAT pool must hold at least as many addresses as there are internal hosts that require translation at the same time. If all the IP addresses in the pool are in use, connections from new hosts cannot be translated and are dropped; new sessions from hosts that already hold a translation are still allowed. (PAN-OS can optionally fall back to dynamic IP and port translation when the pool is exhausted, but that has to be enabled on the NAT rule.)
  • 27. DIPP NAT
    §  To translate both the source IP address AND the source port number, the DIPP (dynamic IP and port) type of translation must be used.
    §  This form of NAT is also commonly referred to as interface-based NAT or network address port translation (NAPT). Other vendors' names for it:
    §  Cisco routers: NAT Overload
    §  Juniper NetScreen: PAT
  • 28. Translated IPs. [Screenshot]
  • 29. When do we need oversubscription?
    §  Use case 1: you have "X" public IP addresses and need more than X x 64511 concurrent NAT sessions, i.e. more sessions than the source-port space of your translated addresses can provide.
  • 30. NAT capacity (PA-3050). [Capacity table; only the row labels and a single value, 800, survive extraction.] Rows: Maximum NAT rules combined (Static, DIP and DIPP); Maximum Static NAT; Maximum DIP NAT; Maximum DIPP NAT; Maximum DIP IPs; Maximum DIPP IPs with oversubscription off (1x); Default oversubscription (source IP and port being reused 2x, for different destination IPs).
  • 31. DIPP oversubscription
    §  Usable ports per translated IP: 1024 through 65535. The deck computes 65535 - 1024 = 64511 (counted inclusively the range holds 64512 ports; the difference of one does not matter for sizing) and uses 64511 below.
    §  Example: maximum number of PA-3050 DIPP NAT sessions.
    §  The default DIPP oversubscription for the PA-3050 is 2x.
    §  With 1 public IP and the default 2x oversubscription: 1 x 64511 x 2 = 129,022 NAT sessions.
    §  Maximum number of NAT sessions for the PA-3050 when the maximum DIPP oversubscription (8x) is used: (800 max translated addresses / 8 max oversub) x 8 x 64511 = 100 x 8 x 64511 = 51,608,800 NAT sessions.
    §  This assumes all sessions go to different destinations: oversubscription reuses a translated IP and port only for sessions whose destinations differ, so sessions that all hit the same destination gain nothing from it.
  • 32. Example oversub 1x. [Screenshot]
  • 33. Example oversub 8x. [Screenshot]
  • 34. NAT CLI Command: check DIPP/DIP rule capacity. [Screenshot of the CLI output]