Palo Alto Security Policy and NAT Policy
1. Security Policy uses the original (pre-NAT) IP addresses but the post-NAT (real) zones.
for example, allowing access from the Internet to DMZ server 10.10.10.10 (public pre-NAT IP 203.0.22.10):
Security Policy:
source zone: Untrust
destination zone: DMZ (the zone the translated address 10.10.10.10 routes to)
source IP: Any
destination IP: 203.0.22.10 (the pre-NAT public IP, not 10.10.10.10; a rule written with the translated IP never matches)
2. Destination NAT uses the zone of the public IP, i.e. the pre-NAT zone where the original destination address routes.
for example, accessing public IP 203.0.22.10 on port 80 is NATed to DMZ IP 10.10.10.10 on port 80:
DNAT policy:
source zone: Untrust
destination zone: Untrust (where 203.0.22.10 routes, not DMZ)
original destination address: 203.0.22.10, service: tcp/80
translated destination address: 10.10.10.10, translated port: 80
3. Security policy for connections that terminate on the firewall itself (management, VPN, etc.) uses the ingress zone as the destination zone, i.e. Untrust to Untrust.
Security Policy:
source zone: Untrust
destination zone: Untrust
source IP: Any
destination IP: FW public IP (the firewall's own interface address)
Destination NAT does not apply to traffic initiated by the server; its outbound connections need a source NAT rule of their own.
Static source NAT with bi-directional enabled means an implicit reverse DNAT rule is created, so no separate DNAT rule is needed for the inbound direction.
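The lookup order behind items 1 to 3 and the two notes above, as an added example that is not part of the original notes: NAT policy is matched on pre-NAT zones and addresses, the post-NAT zone comes from a route lookup on the translated destination, and security policy is then matched on pre-NAT addresses but post-NAT zones. The addresses and zone names are the ones in the notes; the route table, the firewall interface address 203.0.22.1, the client 198.51.100.7 and the rule classes are assumptions made for the example and are not a PAN-OS API.

```python
"""Added example (not from the original notes): a small model of the PAN-OS
lookup order the notes describe. NAT policy is matched on pre-NAT zones and
addresses; security policy on pre-NAT addresses but post-NAT zones. The
addresses and zones are the notes' own; the route table, the firewall address
203.0.22.1 and these rule classes are assumptions for the example, not PAN-OS."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed route table: longest prefix match decides which zone an IP routes to.
ROUTES = [
    (ip_network("10.10.10.0/24"), "DMZ"),
    (ip_network("203.0.22.0/24"), "Untrust"),  # public block lives on the Untrust interface
    (ip_network("0.0.0.0/0"), "Untrust"),
]
FW_PUBLIC_IP = "203.0.22.1"  # assumed address of the firewall's own Untrust interface


def zone_for(ip: str) -> str:
    """Zone of the interface the route lookup picks for ip (longest prefix wins)."""
    addr = ip_address(ip)
    _, zone = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return zone


def _hit(rule_value: str, actual: str) -> bool:
    return rule_value == "any" or rule_value == actual


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                  # pre-NAT zone: where the ORIGINAL destination routes
    orig_src: str = "any"
    orig_dst: str = "any"
    trans_src: Optional[str] = None
    trans_dst: Optional[str] = None
    bidirectional: bool = False   # static source NAT only


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str                  # post-NAT zone
    src: str = "any"
    dst: str = "any"              # pre-NAT (original) address
    action: str = "allow"


def expand_nat(rules: list) -> list:
    """Static source NAT with bi-directional set also yields an implicit reverse
    destination NAT rule (simplified here to: from any zone, to the rule's to-zone)."""
    out = []
    for r in rules:
        out.append(r)
        if r.bidirectional and r.trans_src and r.orig_src != "any":
            out.append(NatRule(r.name + "-implicit-dnat", "any", r.to_zone,
                               orig_dst=r.trans_src, trans_dst=r.orig_src))
    return out


def process(src: str, dst: str, ingress_zone: str, nat_rules: list, sec_rules: list) -> dict:
    """Walk the first packet of a session through the lookup order and report matches."""
    pre_nat_dst_zone = zone_for(dst)              # route lookup on the original destination
    nat = next((r for r in expand_nat(nat_rules)
                if _hit(r.from_zone, ingress_zone) and _hit(r.to_zone, pre_nat_dst_zone)
                and _hit(r.orig_src, src) and _hit(r.orig_dst, dst)), None)
    trans_dst = nat.trans_dst if nat and nat.trans_dst else dst
    post_nat_dst_zone = zone_for(trans_dst)       # route lookup on the translated destination
    sec = next((r for r in sec_rules              # pre-NAT addresses, post-NAT zone
                if _hit(r.from_zone, ingress_zone) and _hit(r.to_zone, post_nat_dst_zone)
                and _hit(r.src, src) and _hit(r.dst, dst)), None)
    return {"nat_rule": nat.name if nat else None,
            "translated_src": nat.trans_src if nat and nat.trans_src else src,
            "translated_dst": trans_dst,
            "post_nat_dst_zone": post_nat_dst_zone,
            "security_rule": sec.name if sec else None,
            "action": sec.action if sec else "deny (no rule matched)"}


# The rules from the notes, plus the common mistake of writing the translated IP.
DNAT = NatRule("web-dnat", "Untrust", "Untrust", orig_dst="203.0.22.10", trans_dst="10.10.10.10")
SEC_OK = SecRule("web-in", "Untrust", "DMZ", dst="203.0.22.10")
SEC_WRONG = SecRule("web-in-wrong", "Untrust", "DMZ", dst="10.10.10.10")  # never matches
SEC_TO_FW = SecRule("to-fw", "Untrust", "Untrust", dst=FW_PUBLIC_IP)
# Static source NAT for the server's own outbound traffic; bi-directional replaces DNAT.
SNAT_BIDIR = NatRule("web-snat", "DMZ", "Untrust", orig_src="10.10.10.10",
                     trans_src="203.0.22.10", bidirectional=True)

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client
    print("inbound, correct rule    ", process(client, "203.0.22.10", "Untrust", [DNAT], [SEC_OK]))
    print("inbound, translated IP   ", process(client, "203.0.22.10", "Untrust", [DNAT], [SEC_WRONG]))
    print("to the firewall itself   ", process(client, FW_PUBLIC_IP, "Untrust", [DNAT], [SEC_TO_FW]))
    print("server outbound, DNAT    ", process("10.10.10.10", client, "DMZ", [DNAT], []))
    print("server outbound, SNAT    ", process("10.10.10.10", client, "DMZ", [SNAT_BIDIR], []))
    print("inbound via bi-dir SNAT  ", process(client, "203.0.22.10", "Untrust", [SNAT_BIDIR], [SEC_OK]))
```

Running it shows the inbound packet hitting the DNAT rule and then the security rule written with 203.0.22.10 and zone DMZ, the rule written with 10.10.10.10 never matching, traffic to the firewall's own address matching Untrust to Untrust with no NAT, the DNAT rule not matching the server's outbound traffic, and the bi-directional source NAT rule covering both directions through its implicit reverse rule.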
DIPP NAT oversubscription: the same translated IP/port pair can be reused by several concurrent sessions as long as they go to different destinations.
Dynamic IP address support for destination NAT (translated address can be an address object or FQDN that resolves to more than one IP) ---- LB???