NAT Policies

Security Policy Fundamental Concepts

Introduction - Firewall 10.0

Lesson 1: Security Policy Fundamental Concepts - Security NAT Policies





>>Network Address Translation

Class A:  <->

  • Reserved: <-> loopback testing TCP/IP stack test

16.7 Million address wasted on testing stack for IP address 6 use ::1 <-> private address class A

Class B:  <->

  • <->


Class C: <->

  • <-> private address class C


Class D: <->

Class E: <-> (broadcast address)







L2 LLC above is software

L2 MAC below hardware


RFC:1918= defines IPV4 private address----> defines the private address NAT translates these to public addresses.

Flow Logic of the Next Generation Firewall

NAT Types

Source and destination

static NAT one to one e.g web email goes to  using a NAT router at the edge

dynamic NAT, and translates to and first come first served

PAT NAT most used by the edge router to translate layer 3 and layer 4 addresses Port number and IP address is called a socket both are translated if there are both using the same port and using :6400 port numbers are changed

>>Source NAT Configuration

Inside private to outside traffic

Static IP:
• 1 to 1 fixed translations.
Dynamic IP:
• 1 to 1 translations of a source IP address only (no port number).
Dynamic IP and port (DIPP):
• Allows multiple clients to use the same public IP addresses with different source port

Source NAT and Security Policies

Configure Source NAT

Static 1:1 Translation

Dynamic IP Translation 

(used for load balancing)

Dynamic IP and Port Translation

DIPP NAT Oversubscription

>>Destination NAT Configuration

Outside external to inside destination NAT


Destination NAT Attributes

Dynamic IP Address Support for Destination NAT

Destination NAT and Security Policies

Configure Destination NAT

Destination NAT Port Translation Configuration

Configure Bidirectional Source NAT


1. In the Palo Alto Networks Application Command Center (ACC), which filter allows you to limit the display to the details you care about right now and to exclude the unrelated information from the current display?

a. Global

b. Local

c. Universal

d. Group

2. Select the answer that best completes this sentence. Source NAT commonly is used for _________ users to access the ________ internet.

a. public, public

b. public, private

c. private, private

d. private, public

3. Select the answer that completes this sentence. DIPP source NAT will support a maximum of about ______________ concurrent sessions on each IP address configured within the NAT pool.

a. 8100

b. 64,000

c. 250

d. 16,300

4. Which one of the following statements is true about NAT rules?

NAT rules are applied after security policy rules.

NAT rules provide address translation, while security policy rules allow or deny packets.

The destination zone in the security rule is determined before the route lookup of the post-NAT destination IP address.

The addresses used in source NAT rules always refer to the original IP address in the packet (that is, the pre-translated address).

5. What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth?

a. Quality of Service Statistics

b. Application Command Center (ACC)

c. Applications Report

d. Quality of Service Log

6. What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)?

Select one or more:

a. Threat Activity

b. Application Traffic

c. Network Traffic

d. Blocked Activity

7. When using config audit to compare configuration files on a Next Generation firewall, what does the yellow indication reveal?

a. None

b. Change

c. Addition

d. Deletion

8. In the Palo Alto Networks Firewall WebUI, which type of report can be compiled into a single emailed PDF?

a. Botnet

b. PDF Summary

c. Predefined

d. Group

9. On the Palo Alto Networks Next Generation Firewall, which is the default port for transporting Syslog traffic?

a. 6514

b. 8080

c. 443

d. 514