Newbie here! In the Translated Packet tab for NAT, can you use source Address Translation facing a specific public IP and Destination Address Translation private IP pointing to a server? Migrating from SonicWall to PA FW and the NAT rules in SonicWall is so different to read and input in the PA. Thanks!
Traditional 'hide' NAT doesn't require bi-directional and possibly a server that only needs to receive connections could be configured without bi-directional (untrust to untrust rather than outbound-bidirectional). An SMTP server needs to connect out on the same IP address to satisfy SPF records etc, but a webserver may not need this to fetch updates. The creation of bi-directional policies requires resources: you're creating an implied second rule in your rulebase, which are not always a requirement
Good explanation was provided in article at Palo Alto Live Community search for "What does the Bi-directional NAT feature provide". It is mentioned at the bottom - The destination NAT rule created by the bi-direction is created with Source Zone and Source address as ANY. Which could break some other traffic. Creating the destination NAT provides more control. IMHO the bi-directional is useful if you are doing static NAT for some public server. But if you want to create NAT for traffic for VPN tunnel (due to network overlapping) it is better to disable the bi-directional and create the source and destination NAT manually - where you have full control over the original source and destination zones and addresses.
I can't tell you have fantastic it is to have these videos!
Great that you're enjoying them Matt! :) Do let us know if you want something specific: bit.ly/2sYzdMt
Good tutorial bud. Found the answer that I was looking for within two minuets of the video.
Awesome, thank you!
Great Explanation 100 thumps to you Mr Sir !
Newbie here! In the Translated Packet tab for NAT, can you use source Address Translation facing a specific public IP and Destination Address Translation private IP pointing to a server? Migrating from SonicWall to PA FW and the NAT rules in SonicWall is so different to read and input in the PA. Thanks!
this is great? I think I need a review...
Can someone explain the use of destination NAT where you don't tick the bidirectional box?
When would this be useful and what are the implications?
Traditional 'hide' NAT doesn't require bi-directional and possibly a server that only needs to receive connections could be configured without bi-directional (untrust to untrust rather than outbound-bidirectional). An SMTP server needs to connect out on the same IP address to satisfy SPF records etc, but a webserver may not need this to fetch updates. The creation of bi-directional policies requires resources: you're creating an implied second rule in your rulebase, which are not always a requirement
Good explanation was provided in article at Palo Alto Live Community search for "What does the Bi-directional NAT feature provide". It is mentioned at the bottom - The destination NAT rule created by the bi-direction is created with Source Zone and Source address as ANY. Which could break some other traffic. Creating the destination NAT provides more control. IMHO the bi-directional is useful if you are doing static NAT for some public server. But if you want to create NAT for traffic for VPN tunnel (due to network overlapping) it is better to disable the bi-directional and create the source and destination NAT manually - where you have full control over the original source and destination zones and addresses.
Thank you, very useful.