Palo Alto Networks NAT flow logic

Palo Alto Networks Network Address Translation For Dummies Alberto Rivai, CCIE, CISSP Senior Systems Engineer ANZ

Transcript of Palo Alto Networks NAT flow logic

Page 1: Palo Alto Networks NAT flow logic

Title slide: Palo Alto Networks Network Address Translation For Dummies. Alberto Rivai, CCIE, CISSP, Senior Systems Engineer, ANZ.

Page 2: Palo Alto Networks NAT flow logic

NAT Example 1: static destination NAT

2 | ©2014, Palo Alto Networks. Confidential and Proprietary.

[Screenshots of the NAT Policy and the Security Policy rules for Example 1; the rule contents are not reproduced in the transcript.]

Page 3: Palo Alto Networks NAT flow logic

Example 1

[Diagram: Internet on the Untrust zone side, Internal on the Trust zone side. Addresses shown: 172.17.1.40 (internal host) and 102.100.88.90 (public IP).]

Page 4: Palo Alto Networks NAT flow logic

Example 2

[Screenshots of the Security Policy and the NAT Policy rules for Example 2; the rule contents are not reproduced in the transcript.]

Page 5: Palo Alto Networks NAT flow logic

Example 2

[Diagram: Internet on the Untrust zone side, a DMZ on the DMZ zone side, Internal on the Trust zone side. Addresses shown: 104.150.226.0/24 (public range) and 172.17.1.39 (internal host).]

Page 6: Palo Alto Networks NAT flow logic

Flow Logic of the Next-Generation Firewall (diagram, reconstructed here as the stages in processing order)

Initial Packet Processing:
§  Source Zone / Address / User-ID
§  PBF / Forwarding Lookup
§  Destination Zone
§  NAT Policy Evaluated

Security Pre-Policy:
§  Check Allowed Ports
§  Session Created

Application:
§  Check for Encrypted Traffic
§  Decryption Policy
§  Application Override Policy
§  App-ID

Security Policy:
§  Check Security Policy
§  Check Security Profiles

Post Policy Processing:
§  Re-Encrypt Traffic
§  NAT Policy Applied
§  Packet Forwarded

Page 7: Palo Alto Networks NAT flow logic

NAT Example 1: static destination NAT

[NAT Policy and Security Policy screenshots, repeated from page 2.]

Pages 8-14: Palo Alto Networks NAT flow logic

PANOS Zone and IP Address Processing flow, Example 1 (the slides build this up one step per page; the steps are consolidated here)

1. Original packet: Source Address Any, Destination Address 102.100.88.90
2. PANOS assigns the Source Zone based on the interface the packet ingresses on, and assigns the Destination Zone based on the interface the packet would egress from: Source Zone Untrust, Destination Zone Untrust, Source Address Any, Destination Address 102.100.88.90
3. NAT rulebase checked for a matching rule
4. PANOS checks the interface the packet will egress from and changes the Destination Zone if necessary: Source Zone Untrust, Destination Zone Trust, Source Address Any, Destination Address 102.100.88.90
5. Security rulebase checked for a matching rule
6. Source and/or Destination IP address re-written per NAT rules
7. Result: Source Address Any, Destination Address 172.16.1.40

Page 15: Palo Alto Networks NAT flow logic

Example 2

[Security Policy and NAT Policy screenshots and the Example 2 diagram, repeated from pages 4 and 5: Internet (Untrust zone), DMZ (DMZ zone, 104.150.226.0/24), Internal (Trust zone, 172.17.1.39).]

Pages 16-22: Palo Alto Networks NAT flow logic

PANOS Zone and IP Address Processing flow, Example 2 (the slides build this up one step per page; the steps are consolidated here)

1. Original packet: Source Address Any, Destination Address 104.160.226.80
2. PANOS assigns the Source Zone based on the interface the packet ingresses on, and assigns the Destination Zone based on the interface the packet would egress from: Source Zone Untrust, Destination Zone DMZ, Source Address Any, Destination Address 104.160.226.80
3. NAT rulebase checked for a matching rule
4. PANOS checks the interface the packet will egress from and changes the Destination Zone if necessary: Source Zone Untrust, Destination Zone Trust, Source Address Any, Destination Address 104.160.226.80
5. Security rulebase checked for a matching rule
6. Source and/or Destination IP address re-written per NAT rules
7. Result: Source Address Any, Destination Address 172.16.1.39

Page 23: Palo Alto Networks NAT flow logic

NAT Policy Logic

§  Source and Destination zones on NAT policy are evaluated pre-NAT based on the routing table.

§  Example 1: if you are translating traffic that is incoming to an internal server (which is reached via a public IP by Internet users), it is necessary to configure the NAT policy using the zone in which the public IP address resides.

§  Example 2: if you are translating traffic that is incoming to an internal server (which is reached via a public IP by Internet users, and that public IP is routed to a DMZ zone), it is necessary to configure the NAT policy using the DMZ zone.

§  Original IP addresses are ALWAYS used with rules, no matter which policy. Why? Because address translation does not actually happen until the packet egresses the firewall.

§  The ONLY zone that may change from the original packet during processing is the Destination Zone.

Page 24: Palo Alto Networks NAT flow logic

Destination NAT Policy configuration (annotated screenshot of a NAT rule; the callouts are reproduced below)

§  Source zone: the zone the source IP is coming from (i.e. the Internet zone).

§  Destination zone: the zone of the NATted IP. To check which zone, execute the command "show routing route destination <natted ip subnet/mask>", then check the zone of the interface in the output.

§  Source address: the original source address.

§  Destination address: the NATted IP.

§  Translated destination address: the real IP.
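The zone and address processing order from pages 8 to 24, written out as a small simulation. This is an added example and not Palo Alto Networks code: the routing table, zone names, NAT rules and security rules are constructed to mirror Example 1 (public IP on the Untrust interface) and Example 2 (public range routed to the DMZ). The route lookup in `zone_for` stands in for the `show routing route destination` check the slide recommends. The function returns a per-step trace so the two mistakes the deck warns about can be checked: a NAT rule written with the post-NAT zone, and a security rule written with the translated address, both fail to match.

```python
"""Simulation of the PAN-OS zone / IP processing order described on the slides.

Added example, not Palo Alto Networks code. Routes, zones and rules below are
constructed sample data modelled on Example 1 and Example 2 of the deck.
"""
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, zone of the egress interface). Longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "untrust"),        # default route towards the Internet
    ("102.100.88.0/24", "untrust"),  # Example 1: public IP lives on the untrust interface
    ("104.160.226.0/24", "dmz"),     # Example 2: public range is routed into the DMZ
    ("172.16.1.0/24", "trust"),      # internal servers
]

# Constructed NAT rules: matched on PRE-NAT zones and ORIGINAL addresses.
NAT_RULES = [
    {"name": "ex1-dnat", "from": "untrust", "to": "untrust",
     "dst": "102.100.88.90", "translated_dst": "172.16.1.40"},
    {"name": "ex2-dnat", "from": "untrust", "to": "dmz",
     "dst": "104.160.226.80", "translated_dst": "172.16.1.39"},
]

# Constructed security rules: matched on the POST-NAT destination zone, ORIGINAL addresses.
SECURITY_RULES = [
    {"name": "allow-web-ex1", "from": "untrust", "to": "trust", "dst": "102.100.88.90", "action": "allow"},
    {"name": "allow-web-ex2", "from": "untrust", "to": "trust", "dst": "104.160.226.80", "action": "allow"},
]


def zone_for(dst_ip):
    """Destination zone = zone of the interface the packet would egress from (route lookup)."""
    ip = ip_address(dst_ip)
    matches = [(ip_network(prefix), zone) for prefix, zone in ROUTES if ip in ip_network(prefix)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def process(ingress_zone, src_ip, dst_ip, nat_rules=NAT_RULES, security_rules=SECURITY_RULES):
    """Walk one packet through the seven steps of the slides and return a trace dict."""
    trace = {"src": src_ip, "original_dst": dst_ip}
    # Steps 1-2: source zone from the ingress interface, destination zone from a
    # route lookup on the ORIGINAL destination address.
    src_zone, dst_zone = ingress_zone, zone_for(dst_ip)
    trace["pre_nat"] = (src_zone, dst_zone)
    # Step 3: NAT rulebase checked with pre-NAT zones and original addresses.
    nat = next((r for r in nat_rules
                if r["from"] == src_zone and r["to"] == dst_zone and r["dst"] == dst_ip), None)
    trace["nat_rule"] = nat["name"] if nat else None
    # Step 4: egress interface re-checked for the translated destination; only the
    # destination zone may change, the source zone never does.
    post_dst_ip = nat["translated_dst"] if nat else dst_ip
    dst_zone = zone_for(post_dst_ip)
    trace["post_nat_zones"] = (src_zone, dst_zone)
    # Step 5: security rulebase checked with post-NAT zones but ORIGINAL addresses.
    sec = next((r for r in security_rules
                if r["from"] == src_zone and r["to"] == dst_zone and r["dst"] in ("any", dst_ip)), None)
    trace["security_rule"] = sec["name"] if sec else None
    trace["action"] = sec["action"] if sec else "deny"   # no match: implicit deny
    # Steps 6-7: the address is only rewritten as the packet egresses, after policy lookup.
    trace["forwarded_dst"] = post_dst_ip if trace["action"] == "allow" else None
    return trace


if __name__ == "__main__":
    for dst in ("102.100.88.90", "104.160.226.80"):
        print(process("untrust", "203.0.113.5", dst))   # 203.0.113.5: constructed Internet client
```

Running the script prints the trace for both examples: Example 1 goes untrust to untrust pre-NAT and untrust to trust post-NAT, Example 2 goes untrust to dmz pre-NAT and untrust to trust post-NAT, and in both the security rule matches on the public address while the forwarded packet carries the internal one.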

Page 25: Palo Alto Networks NAT flow logic

Source NAT

§  PAN-OS supports the following options for source translation:
  §  Dynamic-ip-and-port (DIPP)
  §  Dynamic-ip (DIP)
  §  Static IP

Page 26: Palo Alto Networks NAT flow logic

DIP NAT

§  In this form of NAT, the original source port number is left intact. Only the source IP address will be translated.

§  When using the dynamic-ip type of source NAT, the size of the NAT pool must be equal to the number of internal hosts that require address translation. If all the IP addresses in the pool are in use, connections from new hosts cannot be address translated and hence will be dropped. New sessions from hosts that already have established sessions with NAT will be allowed.

Page 27: Palo Alto Networks NAT flow logic

DIPP NAT

§  For translating both the source IP address AND port numbers, the DIPP (dynamic IP and port) type of translation must be used.

§  This form of NAT is also commonly referred to as interface-based NAT or network address port translation (NAPT).

§  On Cisco routers: NAT Overload

§  On Juniper Netscreen: PAT

Page 28: Palo Alto Networks NAT flow logic

Translated IPs

[Screenshot of the translated IP pool configuration; not reproduced in the transcript.]

Page 29: Palo Alto Networks NAT flow logic

When do we need oversubscription

§  Use case 1: when you have "X" public IPs and need more than "X" x 64511 NAT sessions.

Page 30: Palo Alto Networks NAT flow logic

NAT capacity (PA3050)

Table columns (only one cell value, 800, survived extraction; page 31 uses 800 as the maximum number of translated addresses):
§  Maximum NAT rules combined (Static, DIP and DIPP)
§  Maximum Static NAT
§  Maximum DIP NAT
§  Maximum DIPP NAT
§  Maximum DIP IPs
§  Maximum DIPP IPs with oversubscription off (1x)
§  Default oversubscription (source IP and port being reused 2x, different destination IP)

Page 31: Palo Alto Networks NAT flow logic

DIPP oversubscription

§  Usable # ports: 65535 – 1024 = 64511

§  Example maximum number of PA3050 NAT DIPP sessions:
  §  Default DIPP oversubscription for PA3050 is 2x
  §  If you are using 1 public IP and use the default DIPP oversubscription of 2x: 1 x 64511 x 2 = 129,022 NAT sessions
  §  Maximum number of NAT sessions for PA3050 when max DIPP (8x) is being used: (800 max translated addresses / 8 max oversub) x 8 x 64511 = 51,608,000 NAT sessions
  §  This is assuming all sessions go to different destinations
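A small model of the DIP and DIPP behaviour described on pages 26, 27, 29 and 31, added here as an example; it is not Palo Alto Networks code and the addresses are constructed sample values. `DipPool` shows the pool-exhaustion rule (a new host is dropped once every pool address is mapped, while a host that already holds a mapping keeps getting new sessions). `DippPool` shows the oversubscription condition: a (public IP, port) pair can be reused up to the oversubscription factor only when each session goes to a different destination IP. `dipp_capacity` and `max_dipp_ips` carry the capacity arithmetic from page 31; note that evaluated exactly, 800 x 64511 is 51,608,800, so the slide's 51,608,000 is that product rounded.

```python
"""Model of PAN-OS source NAT pool behaviour: DIP vs DIPP with oversubscription.

Added example, not Palo Alto Networks code. A simplified allocator for the
Dynamic-IP (DIP) and Dynamic-IP-and-Port (DIPP) types plus the capacity
arithmetic from the DIPP oversubscription slide. Addresses are constructed.
"""

USABLE_PORTS = 65535 - 1024   # 64511 translated source ports per public IP


class DipPool:
    """DIP: only the source IP is translated; the original source port is left intact.

    Each internal host consumes one public IP for as long as it is mapped, so the
    pool must be as large as the number of hosts that need translation.
    """

    def __init__(self, public_ips):
        self.free = list(public_ips)
        self.mapping = {}              # internal host IP -> public IP

    def translate(self, src_ip, src_port):
        """Return (public_ip, port), or None when the packet cannot be translated."""
        if src_ip in self.mapping:     # host already mapped: its new sessions are allowed
            return self.mapping[src_ip], src_port
        if not self.free:              # pool exhausted: a new host is dropped
            return None
        public_ip = self.free.pop(0)
        self.mapping[src_ip] = public_ip
        return public_ip, src_port     # port number unchanged


class DippPool:
    """DIPP (NAPT): both the source IP and the source port are translated.

    With oversubscription factor k, one (public IP, port) pair may be shared by up
    to k concurrent sessions provided each goes to a different destination IP,
    which is the condition the slides attach to the default 2x setting.
    """

    def __init__(self, public_ips, oversub=1, ports=range(1024, 65535)):
        self.public_ips = list(public_ips)
        self.oversub = oversub
        self.ports = ports             # range(1024, 65535) has exactly USABLE_PORTS entries
        self.in_use = {}               # (public_ip, port) -> set of destination IPs

    def translate(self, dst_ip):
        """Pick the first (public IP, port) slot that can still take a session to dst_ip."""
        for public_ip in self.public_ips:
            for port in self.ports:
                dsts = self.in_use.setdefault((public_ip, port), set())
                if len(dsts) < self.oversub and dst_ip not in dsts:
                    dsts.add(dst_ip)
                    return public_ip, port
        return None                    # every slot is exhausted for this destination


def dipp_capacity(public_ips, oversub):
    """Maximum concurrent DIPP sessions, assuming all sessions go to different destinations."""
    return public_ips * USABLE_PORTS * oversub


def max_dipp_ips(platform_max_translated, oversub):
    """Raising oversubscription divides the platform's translated-IP budget by the same factor."""
    return platform_max_translated // oversub


if __name__ == "__main__":
    dip = DipPool(["198.51.100.1", "198.51.100.2"])              # constructed two-address pool
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print("DIP", host, "->", dip.translate(host, 40000))     # third host is dropped
    # Two ports at 2x oversubscription give four sessions, but only across different destinations.
    dipp = DippPool(["198.51.100.1"], oversub=2, ports=range(1024, 1026))
    for dst in ("192.0.2.1", "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"):
        print("DIPP to", dst, "->", dipp.translate(dst))
    print("1 public IP at 2x:", dipp_capacity(1, 2), "sessions")
    print("PA3050 at 8x:", dipp_capacity(max_dipp_ips(800, 8), 8), "sessions")
```

The port range is a parameter so the oversubscription rule can be exercised on a tiny pool; with the default range the allocator behaves like the 64511-port case on the slide.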

Page 32: Palo Alto Networks NAT flow logic

Example oversub 1x

[Screenshot of a DIPP rule with oversubscription 1x; not reproduced in the transcript.]

Page 33: Palo Alto Networks NAT flow logic

Example oversub 8x

[Screenshot of a DIPP rule with oversubscription 8x; not reproduced in the transcript.]

Page 34: Palo Alto Networks NAT flow logic

NAT CLI Command

§  Check DIPP/DIP rule capacity

[CLI output shown as a screenshot; not reproduced in the transcript.]

Pages 35-36: Palo Alto Networks NAT flow logic

[Screenshots only; no text in the transcript.]