Creating NAT Policies

Giving a Server Public Access

Overview and Processing Order

NAT Policies allow the firewall to translate IP addresses from one address to another. There are many different ways to configure NAT policies, but this guide will go over the most common.

Note that you must use a public address from a range given to you by your delivery team. Implementing public addressing on the firewall that was not assigned to you will not work. If you have questions about what public addressing you have available, or would like to request more, contact your delivery team (if your project is still in Delivery), or the OSC.

Processing order as it relates to NATs and Security Policies is as follows:

• Traffic enters firewall
• NAT Policy lookup: If there is a matching policy look up the security-zone of the translated address
• Security Policy lookup: While the source remains as listed on the traffic headers, the destination match conditions are:
  • Destination Address: Pre-NAT (original) address
  • Destination Zone: Post-NAT (translated) address’ zone
• If permitted, allow traffic by Security Policy
• Perform NAT

Case Study: Allow Traffic from the Internet to a Web Server

This is the most common situation for utilizing a NAT. You want to allow customers to access a web server from the internet and also give this server a unique public address when it is initiating traffic. You want to make sure this server has a unique public address both for inbound communications (so that you may create public DNS for it), but also for when it initiates outbound traffic so that you can log this traffic uniquely, separate from the default NAT address that the firewall uses.

Creating the NAT Policy

1. Go to Policies NAT and click the “+ Add” button at the bottom.
2. General Tab: Give it a name and a description that makes sense to its purpose.
3. Original Packet:
   1. Source Zone = Customer-Private (this may be different if you have set up some extra custom zones outside of what your delivery team has configured)
   2. Destination Zone = untrust (this may be different for the same reason as above)
   3. Source Address = The private address of the server
   4. Destination Address = Leave as “any”
4. Translated Packet:
   1. Translation Type = Static IP
   2. Translated Address = The public address of the server
   3. Bi-Directional = Yes. By default a Palo Alto NAT is unidirectional. This option enables the NAT to work in both directions.
   4. Destination Translation = Leave as “none”
5. Click OK. Once the policy is created you will see it appear in the list of NAT Policies. Note that the firewall evaluates NAT policies in top-down order, stopping at the first which matches the traffic. So, it is a good idea to put your policy before the DefaultNAT policy, otherwise, your traffic will not match your custom policy in the outbound direction.

Creating the Security Policy

1. Go to Policies Security and click the “+ Add” button at the bottom. It is a good idea to create two policies, one for the inbound direction and another for the outbound direction
2. General Tab: Give it a name and a description that makes sense to its purpose. Leave the rule type as universal.
3. Source Tab:
   1. Source Zone = Untrust (or matching the zone from 4b above)
   2. Source Address = any (unless you’re restricting specific public Ips from accessing this server)
   3. Source User & Source Device = any.
4. Destination Tab:
   1. Destination Zone = Customer-Private (or matching the zone from 4a above)
   2. Destination Address = The server’s public address (matching 5b from above)
   3. Application/Services: These tie into each other.
      1. Differences: Applications are “smart” and rely on the firewall to recognize signatures and behavior patterns. Services are simply tcp/udp and a destination and/or source port number.
      2. Tie-ins:
         1. If you use one or more applications, then the services should be set to “application-default”.
         2. If you are allowing all applications (not recommended), then services should be set to “any”.
         3. If you are relying on Services (tcp/udp and port number), then applications should be set to “any”
      3. For our use-case of a web server, there are two options:
         1. Option 1:
            1. Application = ssl, web-browsing
            2. Services = application-default
         2. Option 2:
            1. Application = any
            2. Services = service-http, service-https
   4. Action Tab:
      1. Action = Allow
      2. Log Setting = Log at Session End is recommended

Viewing Counters

Now that the NAT and Security policies are created, once there is pertinent traffic, you’ll see the counters next to the NAT Policy and Security Policy start to increase.