I just spent a week in Texas for the PAN CSL training and had the pleasure of having Mark teach the first two days. Mark was fantastic and I learned a lot. This is a great video. It will really help you understand how NAT works in the Palo world.
Hats off for such a beautiful and simple explanation Mark
I'm going to add my two cents and say that this video is very helpful in understanding NAT/Security policy configurations. Searching TH-cam for instructional videos on PA can be frustrating due to quality of videos and language/accent. So I enjoyed the clarity of the speaker and his overall knowledge of the subject. Thank you Mark!
I was searching for a video to understand D-NAT and finally landed on and found this video. Great detailed tutorial. Thank you so much for such an awesome job. 10/10 rating.
This is by far the best explanation of the most dreaded concept, i.e. NAT.
The best explanation of this that I’ve ever seen. Thank you
Great video, cleared up all of my confusion. I only wish the official training was like this, instead of (mostly) a robotic voice sloooowly reading from slides. Thanks!
Thank you, Mark. Now I have a clear picture of how the NAT and security policy works.
Super helpful. Prior to watching the video I was seriously confused
We do our best! Please do let us know if there are any other topics that could be helpful in clearing any confusion.
Well explained, Mark Bowling. The checklist way of configuring, one step after the other. Perfect. Thank you.
Thanks for your comment! We're glad you found the video helpful!
Damn!! This video was on point especially the section before describing the lazy function of the bi-directional check box. I loved the explanation of explaining the subtleties of a NAT policy versus a Security Policy. I was actually doing this subliminally with regards to routing internal to the public/global address of my DMZ firewalls, but this video helped a YUGE TONNE, LIKE YOU COULDN'T IMAGINE!!! Thank you Firewall Master Mark!!! #PaloAltoNetworks
Really what I was looking for. I was a bit confused on how things work in PA devices. Thanks a lot man :)
hi
Very easy to understand the way it's explained here. Thanks much.
Perfect U-turn explanation, and more. Great video!
Awesome video... very very helpful. Just to add a point: if the default intrazone policy has a clean-up rule on top of it (a few customers do insist on this), then we also have to create a rule for untrust to untrust in order to allow this.
Splendid!!! Best ever lecture.
Awesome video, cleared all my doubts.
Thanks much, Mark, for this simple direct explanation. I understand how the Palo Alto works, but I could never explain it in any way that made sense to someone else. One question: how are you able to get traffic from the internal zone to bypass NAT rule #1, which watches for any destination traffic, and process on NAT rule #3 ("Server 1 from Inside" - Internal > Internet > translated DMZ zone)?
Mark you're a beast. Thanks for your video!
Uncomplicated with mastery!😎
Great video... He gives a very clear understanding.
In the 11:16 result, should bi-dir translation be unchecked in rule 1 if I put rule 2 bi-dir?
Hello, at minute 9:07, with this NAT policy, if a client from 10.1.1.0/24 tries to access the 66.1.1.2 server then the destination NAT in line 2 will not be applied, right? The access will then fail, am I wrong?
Hi Karim, thanks for your comment. You are correct, for that scenario, the second NAT rule needs to be above the first one, as otherwise the packet will be source translated only (only one NAT policy can be applied at a time).
We're happy this video has helped so many. Thank you for the kudos! Also check out the Live Community at live.paloaltonetworks.com for more info -- feel free to post your questions there, too!
Great video, Mark. Thanks!!
At 5:06, why wouldn't the destination zone be DMZ?
Great explanation!
Wow really superb
Thank you for the video, very useful. One question though. Do you need to create NAT rules when you apply the policy rule between inside subnets (trusted zones)? Or is this not necessary? In my understanding, no NAT is needed, since all I need is to allow/deny traffic from one zone to another. Just want to double-check.
Hi, if your inside subnets are routable to each other then NAT is likely not needed.
@PaloAltoNetworksLiveCommunity Thanks
Thanks, dear sir, for uploading your training videos.
Hi Mark, thanks for the great stuff. My query is for Rule-3, when we want to access the server using its public IP. This is called U-turn NAT and we may have to do source NAT to the interface to the destination to avoid asymmetric routing. Please assist.
Hi Srinivasan, please check out the U-turn video: th-cam.com/video/Bdbn1pbe74o/w-d-xo.html
I am running ios 9.1.4 and not able to get the static NAT from outside to inside to reach an internal server to work when using the example here. The only way I got it to work was to use, on the NAT statement: source zone: outside --- destination zone: inside
Good explanation and thanks.
Hi, this tutorial is good, but at 8:03 you are actually configuring a U-Turn NAT rule, in which the source should be translated in Rule 3 - "Server-1 from Inside". For example, in your same channel there is one video with the name "How to configure U-TURN NAT". Can you explain the same?
True U-turn only applies if the client and server exist in the same subnet/zone.
For 'soft' U-turn, where both client and server are internal but in different zones, a NAT rule only needs to perform destination NAT for the client source to the untrust zone, without source NAT.
@PANgurus Thanks for your reply
I have a doubt... How is it possible to create "ONE to ONE NAT" twice using the same PUBLIC IP to forward all 0 to 65535 ports? You have configured two bidirectional NATs using the same public IP. To my mind it's possible only if we use "specific port forwarding". Correct me if I'm wrong.
Excellent explanation!!
4:30 NAT outside to inside
Newcomer to PA technology and holy, NAT is one of the most mindfuck features, but this video helps a lot to understand it!
We're happy this video has helped you. Make sure to subscribe to the channel for new and updated videos. Also check out the Live Community at live.paloaltonetworks.com for more info -- feel free to post your questions there, too!
Thx Sir, plain as glass this topic is now :)
What is the benefit to adding the destination address of the public IP on your DMZ server for the NAT policy vice adding your DMZ IP and just going from private to DMZ vs private to public to DMZ, which is what you're doing? Is there any benefit to doing it the way you did versus what I'm saying can be done? Or is what I'm saying not possible on these devices, or is one way considered bad practice/best practice; why?
Hi Matt! You may want to review the first few minutes of the video: the destination IP of the server in the DMZ is a public IP, which means the routing table will place it in the 'outside' zone pre-NAT. So your NAT policy will reflect inside to outside for the NAT action, but your final destination is the DMZ, so your security policy will reflect inside to DMZ. If you can control the IP the inside client connects to, by using two different DNS records for the server's hostname for example, you would not need NAT for connections from inside to DMZ, as the inside clients would be able to resolve the private IP.
Great video
Nice video
Thanks for the positive feedback!
Awesome...
Thanks very much
Good explanation, but he is going too fast. Best split into two videos in my opinion, because even plain NAT is confusing.
Thank you, we appreciate your feedback!
Yes, I watched at 0.75x speed to understand.
Amazing explanation!!
Excellent explanation!!
Glad you liked it!
Be sure to check out the LIVEcommunity for more great information: live.paloaltonetworks.com