
Palo Alto Networks

Network Address Translation


For Dummies
Alberto Rivai, CCIE, CISSP
Senior Systems Engineer
ANZ

NAT Example 1: static destination NAT (slide shows screenshots of the NAT Policy and the Security Policy rules)
2 | 2014, Palo Alto Networks. Confidential and Proprietary.

Example 1 topology (diagram): Internet users in the Untrust zone reach the public IP 102.100.88.90; the internal server 172.17.1.40 sits in the Trust zone.

Example 2 (slide shows screenshots of the NAT Policy and the Security Policy rules)

Example 2 topology (diagram): Internet users in the Untrust zone; the public subnet 104.150.226.0/24 is routed into the DMZ zone; the internal server 172.17.1.39 sits in the Trust zone.

Flow Logic of the Next-Generation Firewall (diagram rebuilt from the slide labels)

Initial Packet Processing: Source Zone / Address / User-ID -> PBF / Forwarding Lookup -> Destination Zone -> NAT Policy Evaluated
Security Pre-Policy: Check Allowed Ports -> Session Created
Application: Check for Encrypted Traffic -> Decryption Policy -> Application Override Policy -> App-ID
Security Policy: Check Security Policy -> Check Security Profiles
Post Policy Processing: Re-Encrypt Traffic -> NAT Policy Applied -> Packet Forwarded

Note the split: the NAT policy is evaluated during initial packet processing, but the addresses are only rewritten (NAT Policy Applied) after the security policy, just before the packet is forwarded.


PANOS Zone and IP Address Processing flow (Example 1; the slide build-up is collapsed into one sequence)

Original packet: Source Address Any, Destination Address 102.100.88.90

1. PANOS assigns the Source Zone based on the interface the packet ingresses on, and assigns the Destination Zone based on the interface the packet would egress from (a routing lookup on the original destination address).
   Source Zone: Untrust; Destination Zone: Untrust
   Source Address: Any; Destination Address: 102.100.88.90

2. NAT rulebase checked for a matching rule (pre-NAT zones, original addresses).

3. PANOS checks the interface the packet will egress from after translation and changes the Destination Zone if necessary.
   Source Zone: Untrust; Destination Zone: Trust
   Source Address: Any; Destination Address: 102.100.88.90

4. Security rulebase checked for a matching rule (post-NAT destination zone, original addresses).

5. Source and/or Destination IP address re-written per NAT rules.
   Source Address: Any; Destination Address: 172.16.1.40

Example 2 (slide repeats the NAT Policy and Security Policy screenshots and the topology: Internet in the Untrust zone, public subnet 104.150.226.0/24 in the DMZ zone, internal server 172.17.1.39 in the Trust zone)

PANOS Zone and IP Address Processing flow (Example 2; the slide build-up is collapsed into one sequence)

Original packet: Source Address Any, Destination Address 104.160.226.80

1. PANOS assigns the Source Zone based on the interface the packet ingresses on, and assigns the Destination Zone based on the interface the packet would egress from (a routing lookup on the original destination address, which here points into the DMZ).
   Source Zone: Untrust; Destination Zone: DMZ
   Source Address: Any; Destination Address: 104.160.226.80

2. NAT rulebase checked for a matching rule (pre-NAT zones, original addresses).

3. PANOS checks the interface the packet will egress from after translation and changes the Destination Zone if necessary.
   Source Zone: Untrust; Destination Zone: Trust
   Source Address: Any; Destination Address: 104.160.226.80

4. Security rulebase checked for a matching rule (post-NAT destination zone, original addresses).

5. Source and/or Destination IP address re-written per NAT rules.
   Source Address: Any; Destination Address: 172.16.1.39

NAT Policy Logic

Source and Destination zones on the NAT policy are evaluated pre-NAT, based on the routing table.
Example 1: if you are translating traffic that is incoming to an internal server (which is reached via a public IP by Internet users), it is necessary to configure the NAT policy using the zone in which the public IP address resides.
Example 2: if you are translating traffic that is incoming to an internal server (which is reached via a public IP by Internet users, and that public IP is routed to a DMZ zone), it is necessary to configure the NAT policy using the DMZ zone.

Original IP addresses are ALWAYS used in rules, no matter which policy. Why? Because address translation does not actually happen until the packet egresses the firewall.
The ONLY zone that may change from the original packet during processing is the Destination Zone.
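To make that order of operations concrete, here is an added Python model of the lookup sequence (my own illustration, not code from the deck or from PAN-OS). The routing table, rule format and the Example 2 host 104.150.226.80 (a constructed address inside the diagram's 104.150.226.0/24) are assumptions; the zones and the Example 1 addresses follow the slides.

```python
import ipaddress
# Constructed routing table for the deck's two topologies: (prefix, zone of egress interface).
ROUTES = [
    ("0.0.0.0/0", "Untrust"),          # default route towards the Internet
    ("102.100.88.0/24", "Untrust"),    # Example 1: public IP sits on the Untrust interface
    ("104.150.226.0/24", "DMZ"),       # Example 2: public subnet is routed into the DMZ
    ("172.17.1.0/24", "Trust"),        # internal servers
]
# Constructed NAT rules. Zones are PRE-NAT: "to" is the zone the routing table gives for
# the public (natted) IP, not the zone of the real server behind it.
NAT_RULES = [
    {"name": "ex1-dnat", "from": "Untrust", "to": "Untrust",
     "dst": "102.100.88.90", "trans_dst": "172.17.1.40"},
    {"name": "ex2-dnat", "from": "Untrust", "to": "DMZ",
     "dst": "104.150.226.80", "trans_dst": "172.17.1.39"},   # .80 host is constructed
]
# Constructed security rules. Destination address is the ORIGINAL (public) IP, but the
# destination zone is the POST-NAT zone, since only the destination zone may change.
SECURITY_RULES = [
    {"name": "allow-ex1", "from": "Untrust", "to": "Trust", "dst": "102.100.88.90"},
    {"name": "allow-ex2", "from": "Untrust", "to": "Trust", "dst": "104.150.226.80"},
]

def egress_zone(dst):
    """Zone of the interface that the longest-matching route for dst points at."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), z) for p, z in ROUTES if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def first_match(rules, src_zone, dst_zone, dst):
    """First rule whose from-zone, to-zone and destination address all match."""
    return next((r for r in rules if r["from"] == src_zone
                 and r["to"] == dst_zone and r["dst"] == dst), None)

def process(ingress_zone, dst, nat_rules=NAT_RULES, sec_rules=SECURITY_RULES):
    """Trace one inbound packet through the five steps shown on the slides."""
    src_zone = ingress_zone                                      # 1a. zone of ingress interface
    pre_nat_zone = egress_zone(dst)                              # 1b. route lookup on ORIGINAL dst
    nat = first_match(nat_rules, src_zone, pre_nat_zone, dst)    # 2. NAT rulebase, pre-NAT zones
    post_nat_zone = egress_zone(nat["trans_dst"]) if nat else pre_nat_zone  # 3. re-check egress
    sec = first_match(sec_rules, src_zone, post_nat_zone, dst)   # 4. security: original IP, new zone
    allowed = sec is not None
    forwarded_dst = nat["trans_dst"] if (allowed and nat) else dst           # 5. rewrite at egress
    return {"pre_nat_zone": pre_nat_zone, "nat_rule": nat and nat["name"],
            "post_nat_zone": post_nat_zone, "security_rule": sec and sec["name"],
            "allowed": allowed, "forwarded_dst": forwarded_dst}
```

Passing a NAT rule whose to-zone is the real server's zone (Trust) instead of the pre-NAT zone reproduces the classic misconfiguration: the rule never matches, the destination zone stays DMZ, and the security rule written for Untrust-to-Trust does not match either.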

Destination NAT Policy configuration (annotated screenshot of the NAT rule; the callouts read as follows)

Destination Zone: the zone of the natted IP. To check which zone, execute the command
  show routing route destination <natted ip subnet/mask>
then check the zone of the interface the route points at.
Source Zone: the zone where the source IP is coming from (i.e. the Internet zone).
Original packet destination: the natted IP.
Original packet source: the original source address.
Translated packet destination: the real IP.

Source NAT

PAN-OS supports the following options for source translation:
- Dynamic IP and Port (DIPP)
- Dynamic IP (DIP)
- Static IP

DIP NAT
In this form of NAT, the original source port number is left intact. Only the
source IP address will be translated.
When using the dynamic-ip type of source NAT, the size of the NAT pool must
be equal to the number of the internal hosts that require address translation. If
all the IP addresses in the pool are in use, any connections from new hosts
cannot be address translated and hence will be dropped. New sessions from
hosts with established sessions with NAT will be allowed.


DIPP NAT

For translating both the source IP address AND the port numbers, the DIPP (dynamic IP and port) type of translation must be used.
This form of NAT is also commonly referred to as interface-based NAT or network address port translation (NAPT).
Equivalent terms: on Cisco routers, NAT Overload; on Juniper Netscreen, PAT.

Translated IPs (screenshot)

When do we need oversubscription?

Use case 1: when you have X public IPs and need more than X x 64511 NAT sessions.

NAT capacity (PA3050)

The slide is a capacity table; only its row labels and one value survived extraction:
- Maximum NAT rules combined (Static, DIP and DIPP)
- Maximum Static NAT
- Maximum DIP NAT
- Maximum DIPP NAT
- Maximum DIP IPs
- Maximum DIPP IPs with oversubscription off (1x)
- Default oversubscription (source IP and port being reused 2x, different destination IP)
The one surviving value is 800, which the next slide uses as the maximum number of translated addresses.

DIPP oversubscription
Useable number of ports: 65535 - 1024 = 64511

Example maximum number of PA3050 NAT DIPP sessions

Default DIPP oversubscription for the PA3050 is 2x.
If you are using 1 public IP with the default DIPP oversubscription of 2x:
  1 x 64511 x 2 = 129,022 NAT sessions

Maximum number of NAT sessions for the PA3050 when the maximum DIPP oversubscription (8x) is used:
  (800 max translated addresses / 8 max oversubscription) x 8 x 64511 = 51,608,000 NAT sessions
This assumes all sessions go to different destinations.

Example oversub 1x (screenshot)

Example oversub 8x (screenshot)

NAT CLI Command

Check DIPP/DIP rule capacity (screenshot of CLI output)