Tutorial: Understanding the NAT/Security Policy Configuration

I just spent a week in Texas for the PAN CSL training and had the pleasure of having Mark teach the first two days. Mark was fantastic and I learned a lot. This is a great video. It will really help you understand how NAT works in the Palo world.

I'm going to add my two cents and say that this video is very helpful in understanding NAT/Security policy configurations. Searching TH-cam for instructional videos on PA can be frustrating due to quality of videos and language/accent. So I enjoyed the clarity of the speaker and his overall knowledge of the subject. Thank you Mark!

was searching for video to understand D-NAT, Finally landed and found this video, Great detailed tutorial.. Thank you so much for such a awesome job. 10/10 ratings.

The best explanation of this that I’ve ever seen. Thank you

Super helpful. Prior to watching the video I was seriously confused

Well Explained Mark Bowling. The checklist way of configuration one step after the other. Perfect one. Thank you.

really what i was looking for. i was a bit confused on how things works in PA devices. thanks a lot man :)

Perfect u-turn explanation, and more. great video!

Very easy to understand the way it's explained here Thanks much

Awesome video...very very helpful.just to add a point if default intrazone policy has a clean up rule on top of it(few customers do insist for this)then we also have to create a rule for untrust to untrust in order to allow this.

Damn!! This video was on point especially the section before describing the lazy function of the bi-directional check box. I loved the explanation of explaining the subtleties of a NAT policy versus a Security Policy. I was actually doing this subliminally with regards to routing internal to the public/global address of my DMZ firewalls, but this video helped a YUGE TONNE, LIKE YOU COULDN'T IMAGINE!!! Thank you Firewall Master Mark!!! #PaloAltoNetworks

Great video... He give a very clear understanding.

Amazing explanation!!

Great video, Mark. Thanks!!

Awesome...

Hello, In minute 9:07 ; with this nat policy if a client from 10.1.1.0/24 tries to access the 66.1.1.2 server then the destination NAT in line 2 will not be applied, right ? the access will then fail , am I wrong ?

Thx Sir, plain as Glass now this topic is :)

Thank you for the video very useful. One question though. Do you need to create NAT rules when you apply the Policy rule between inside subnet (trusted Zones)? Or this not necessary. In my understanding, No NAT need. Since all, I need to allow/Deny traffic from one zone to another just want to double-check.

good explanation but he is going too fast. best split in two videos in my opinion because even plane NAT is confusing.

Great video, cleared up all of my confusion. I only wish the official training was like this, instead of (mostly) a robotic voice sloooowly reading from slides. Thanks!

We're happy this video has helped so many. Thank you for the kudos! Also check out the Live Community at live.paloaltonetworks.com for more info -- feel free to post your questions there, too!

This is by far the best explanation of the most dreaded concept i.e. NAT

Hats off for such a beautiful and simple explanation Mark

Uncomplicated with mastery!😎

Thanks much, Mark, for this simple direct explanation. I understand how the Palo Alto works, but I could never explain it in any way that made sense to someone else. One question: how are you able to get traffic from the internal zone to bypass NAT rule #1, which watches for any destination traffic, and process on NAT rule #3 ("Server 1 from Inside" - Internal > Internet > translated DMZ zone)?

Thank you, Mark. Now I have a clear picture of how the NAT and security policy works.

awesome video clear my all doubts.

Hi Mark, Thanks for the great stuff. My query is for the Rule-3, when we wanna try to access the server using it's Public IP. This is called as U-turn NAT and we may have to do Source NAT to the interface to the destination to avoid Asymmetric routing. Please assist.

Splendid!!! best ever lecture.

New commer to PA technology and holy, NAT is one of the most mindfuck feature, but this video helps a lot to understand it!

Wow really superb

4:30 Nat outside to inside

I've a doubt... How is it possible to create "ONE to ONE NAT" twice using the same PUBLIC IP to forward all 0 to 65535 ports??. You have configured two bidirectional NAT using the same public IP. To my mind it's possible only if we use "specific port forwarding". Correct me if I'm wrong.

I am running ios 9.1.4 and not able to get the static nat from outside to inside to reach an internal server to work when using the example here. The only way I got it to work was to use on the nat statement ; source zone:outside --- destination zone:inside

in 11:16 result. it should be unchecked bi-dir translation in rule 1 if i put rule 2 bi-dir?

At 5:06, why wouldn't the destination zone be DMZ?

Excellent explanation !!

Mark you're a beast. Thanks for your video!

thanks dear sir for uploading your training videos

Nice video

Great Explanation !

Good explanation and thanks.

What is the benefit to adding the destination address of the public ip on your dmz server for the nat policy vice adding your dmz ip and just going from private to dmz vs private to public to dmz which is what you're doing? Is there any benefit to doing it the way you did verses what I'm saying can be done? Or is what I'm saying not possible on these devices or is one way considered bad practice/best practice; why?

Hi this tutorial is good but at 8:03 you are actually configuring U-TurnNAT Rule in which source should be translated in Rule3 - "Server-1 from Inside". For example in your same channel one video is there with name "How to configure U-TURN NAT". can you explain the same.

Thanks very much

Excellent explanation !!

Great video