Palo Alto Firewall: NAT (Network Address Translation)

Understanding Network Address Translation (NAT) on Palo Alto Networks firewalls starts with a grasp of its core concepts. Below are the essential NAT types and their functions within your network:

• Source NAT (SNAT): Translates the source IP address of outbound traffic, typically changing it to the firewall’s external interface IP. This allows multiple internal devices to access external networks using a single public IP.
• Destination NAT (DNAT): Alters the destination IP address of inbound traffic, directing it to the correct internal resource. Commonly used to publish internal servers to the outside world.
• Static NAT: Provides a fixed one-to-one mapping between internal and external addresses, ensuring a consistent translation for specific hosts or services.
• Dynamic NAT / PAT (Port Address Translation): Maps multiple internal addresses to one or more external addresses, often using port numbers to differentiate sessions. This is also known as "NAT overload."
• U-Turn NAT: Allows internal users to access internal resources using the external IP address, enabling hairpinning scenarios where traffic leaves and re-enters the firewall.

Understanding the order in which Palo Alto firewalls process NAT rules is crucial for effective network design and troubleshooting. The firewall evaluates NAT rules and applies address translation in a specific sequence to ensure correct packet handling and security enforcement.

1. Packet Ingress: The packet arrives at the firewall's ingress interface. The firewall determines the source zone based on this interface.
2. Route Lookup: The firewall performs a route lookup to determine the egress interface and the destination zone for the packet. This step is essential for identifying which NAT rules may apply to the traffic.
3. NAT Rule Evaluation: NAT rules are evaluated from the top of the rule list to the bottom. The first rule that matches the packet’s criteria (source/destination zone, address, service) is selected, and no further NAT rules are checked. Specific rules (like static NAT) should be placed above more general rules to ensure correct matching.
   Note: The translation itself does not occur at this stage—only rule matching.
4. Security Policy Lookup: The firewall checks security policies using the original (pre-NAT) source and destination addresses but the post-NAT zones (as determined by the egress interface). This ensures that security rules are enforced correctly before any address translation is applied.
5. Address Translation (NAT Applied): When the packet is ready to egress, the firewall applies the NAT translation as defined by the matched rule. The source and/or destination IP address and port may be rewritten at this stage.
6. Packet Egress: The translated packet is forwarded out of the firewall toward its destination.

Key Points:

• NAT rules are processed in order, top-down; only the first match is used.
• Security policies use pre-NAT addresses but post-NAT zones.
• The actual address translation happens only as the packet leaves the firewall.
• Proper rule order is critical—place specific NAT rules above general ones.

Effective troubleshooting of NAT issues on Palo Alto Networks firewalls involves a systematic approach. Below are key steps and tools to help identify and resolve common NAT problems:

1. Verify NAT Rule Configuration:
   • Ensure the NAT rules are correctly defined, with accurate source/destination zones, addresses, and services.
   • Check rule order—more specific rules should be above general ones, as the firewall uses the first match.
2. Check Policy Hit Counts:
   • Monitor the hit count of NAT rules to confirm if traffic is matching the intended rule.
   • Use the web interface or CLI command: show running nat-policy to see active rules and their hit counts.
3. Analyze Traffic Logs:
   • Review traffic logs for NAT-related fields such as pre/post-NAT source/destination addresses.
   • Look for signs of incomplete sessions or denied traffic, which may indicate NAT or security policy mismatches.
4. Use Packet Capture:
   • Perform packet captures at different stages (pre-NAT, post-NAT, drop) to trace how the firewall is handling packets.
   • Replicate the issue while capturing to ensure relevant packets are recorded.
5. Test NAT Policy Matching:
   • Utilize the CLI to simulate traffic and check which NAT rule would be applied using:
     test nat-policy-match source <src-ip> destination <dst-ip> destination-port <port> protocol <protocol>
6. Validate Routing and Security Policies:
   • Ensure routes exist for translated addresses and that security policies permit the traffic post-NAT.
   • Remember: security policies use pre-NAT addresses but post-NAT zones.
7. Check for Common Issues:
   • Missing or incorrect routes for NAT’d subnets.
   • ARP or Proxy ARP misconfigurations for static NAT.
   • Overlapping NAT rules or address conflicts.
   • Session or application-specific issues (e.g., SIP, RTP, or asymmetric routing).

Useful CLI Commands for NAT Troubleshooting:

• show running nat-policy – View current NAT rules and hit counts.
• test nat-policy-match source <src-ip> destination <dst-ip> destination-port <port> protocol <protocol> – Simulate NAT rule matching.
• show session all filter nat-rule <rule-name> – Display sessions matching a specific NAT rule.
• show log traffic – Review traffic logs for NAT translation details.
• show arp all – Check ARP entries, useful for static NAT troubleshooting.

Tips:

• Always replicate the issue during troubleshooting to capture relevant data.
• Use both the GUI and CLI for comprehensive analysis.
• Document changes and findings for future reference.

Mastering key CLI commands can greatly enhance your ability to configure, monitor, and troubleshoot NAT on Palo Alto Networks firewalls. Below are some of the most useful commands, along with brief descriptions of what each does:

• Show Current NAT Policy:
  show running nat-policy
  Displays all currently configured NAT rules and their details.
• Test NAT Policy Match:
  test nat-policy-match source <src-ip> destination <dst-ip> destination-port <port> protocol <protocol>
  Simulates traffic to determine which NAT rule would be applied to the specified source and destination parameters.
• Show NAT Pool Utilization:
  show running ippool
show running global-ippool
  Displays usage statistics for NAT address pools, helping you monitor pool exhaustion or overutilization.
• Show Sessions Filtered by NAT Rule:
  show session all filter nat-rule <rule-name>
  Lists all active sessions that are matching a specific NAT rule, useful for real-time troubleshooting.
• View Traffic Logs:
  show log traffic
  Reviews traffic log entries, including NAT translation details for each session.
• Check ARP Table (for Static NAT Issues):
  show arp all
  Displays ARP entries, which can help diagnose issues with static NAT or Proxy ARP.

Tips:

• Use these commands in both troubleshooting and routine monitoring scenarios.
• Combine show and test commands for a comprehensive view of NAT behavior and policy matching.
• Always replace placeholder values (e.g., <src-ip>, <dst-ip>) with actual IP addresses and ports relevant to your environment.

Below is a step-by-step example of creating a NAT rule using the Palo Alto Networks firewall GUI. This example demonstrates how to configure a Source NAT (SNAT) rule that enables internal users to access the internet by translating their private IP addresses to the firewall’s public IP.

1. Navigate to NAT Policy:
   • In the Palo Alto GUI, go to Policies → NAT.
   • Click Add to create a new NAT rule.
2. Configure the Original Packet:
   • Source Zone: Trust (internal network)
   • Destination Zone: Untrust (external network)
   • Source Address: 10.1.1.0/24 (internal subnet)
   • Destination Address: any
   • Service: any
3. Configure the Translated Packet:
   • Source Translation: Dynamic IP and Port (DIPP)
   • Translated Address: Interface Address (e.g., the IP of the Untrust interface)
4. Review and Commit:
   • Review the rule settings for accuracy.
   • Click OK to save the rule.
   • Commit the configuration to apply changes.

Example NAT Rule Table:

Tips:

• Place more specific NAT rules above general rules, as the firewall processes NAT rules top-down and stops at the first match.
• Use address objects for reusability and easier management.
• Always verify NAT rule hit counts and test connectivity after committing changes.