Palo Alto Networks – PCNSE Certification Part 6: Basic Configuration (Destination NAT and Security Policy)

The last post was very long and a bit all over the place, but here we are continuing with it. To illustrate how to create a destination NAT, we will be opening FTP to one of our DMZ servers, so let's get started.

Create Object

Under Objects -> Services we will create our new FTP service object (TCP ports 20-21), which the NAT rule and the security rule below will both reference.

Destination NAT Policy

We are pretty much following the same flow we initially followed when we were playing with the Source NAT policies, with a few minor changes that will make sense as we go.

General Tab

* Name
* Tags
* Group Rules by Tag
* Audit Comment

Original Packet

* Source Zone
* Destination Zone
* Destination Interface
* Service
* Destination Address

Translated Packet

* Translation Type
* Translated address
* Translated Port

*** NAT is done differently in PAN-OS, but I guess it takes time to get accustomed to and understand how it works. The destination address translation is what really triggers the actual NAT; in this case notice that we don't change anything in our Source Address Translation.

** I want to add a disclaimer, in all honesty: I noticed that the lab specifies 192.168.1.1 as the destination and I was a bit worried, because the flow of the NAT policy did not make sense to me. Basically, we are translating the gateway IP to the DMZ server IP on ports 20-21.

** Sometimes it takes doing to understand the concepts.

Security Policy

* General Tab
* Source Tab
* Destination Tab
* Service/URL Category
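To tie the NAT rule and the security rule together, here is an added example (not code from the original post, and not a Palo Alto Networks tool) that models how PAN-OS evaluates the two rules in order: the destination NAT rule is matched on the pre-NAT destination address and the zone that address routes to, and the security rule is then matched on the pre-NAT destination address but the post-NAT destination zone. Only 192.168.1.1 (the lab's gateway/destination IP) and TCP 20-21 come from the post; the DMZ server address, client address, zone names and routes are constructed for the example.

```python
"""Added example: a small model of how PAN-OS evaluates the destination NAT
rule and the security policy rule built in this post. The addresses below
are constructed for the example; only 192.168.1.1 (the lab's destination /
gateway IP) and TCP ports 20-21 come from the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed routing table. PAN-OS derives a zone from the egress interface
# an address routes to, so zone lookup is a longest-prefix route lookup.
ROUTES = sorted(
    [
        (ip_network("0.0.0.0/0"), "untrust"),        # default route, outside
        (ip_network("192.168.1.0/24"), "untrust"),   # lab outside segment
        (ip_network("172.16.1.0/24"), "dmz"),        # constructed DMZ segment
    ],
    key=lambda r: r[0].prefixlen,
    reverse=True,
)


def zone_for(ip: str) -> str:
    addr = ip_address(ip)
    for net, zone in ROUTES:
        if addr in net:
            return zone
    raise LookupError(f"no route for {ip}")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str          # zone the PRE-NAT destination address routes to
    dst_addr: str         # pre-NAT destination (Original Packet tab)
    service: tuple        # (proto, low_port, high_port)
    translated_addr: str  # Translated Packet tab


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str          # POST-NAT destination zone
    dst_addr: str         # PRE-NAT destination address
    service: tuple
    action: str


FTP = ("tcp", 20, 21)  # the FTP service object: TCP 20-21


def service_matches(service: tuple, pkt: Packet) -> bool:
    proto, low, high = service
    return pkt.proto == proto and low <= pkt.dst_port <= high


def apply_dnat(pkt: Packet, rules: list) -> tuple:
    """Return (matched NAT rule or None, packet after destination translation)."""
    src_zone, dst_zone = zone_for(pkt.src_ip), zone_for(pkt.dst_ip)
    for rule in rules:
        if ((rule.from_zone, rule.to_zone) == (src_zone, dst_zone)
                and rule.dst_addr == pkt.dst_ip
                and service_matches(rule.service, pkt)):
            return rule, Packet(pkt.src_ip, rule.translated_addr, pkt.proto, pkt.dst_port)
    return None, pkt


def match_security(original: Packet, translated: Packet, rules: list):
    """Security policy lookup: pre-NAT addresses, post-NAT destination zone."""
    src_zone = zone_for(original.src_ip)
    post_nat_zone = zone_for(translated.dst_ip)
    for rule in rules:
        if (rule.from_zone == src_zone and rule.to_zone == post_nat_zone
                and rule.dst_addr == original.dst_ip
                and service_matches(rule.service, original)):
            return rule
    return None


def evaluate(pkt: Packet, nat_rules: list, sec_rules: list) -> tuple:
    """Return (NAT rule name, post-NAT destination, security rule name, action)."""
    nat, translated = apply_dnat(pkt, nat_rules)
    sec = match_security(pkt, translated, sec_rules)
    if sec is not None:
        action = sec.action
    elif zone_for(pkt.src_ip) == zone_for(translated.dst_ip):
        action = "allow (intrazone-default)"   # PAN-OS default intrazone rule
    else:
        action = "deny (interzone-default)"    # PAN-OS default interzone rule
    return (nat.name if nat else None, translated.dst_ip,
            sec.name if sec else None, action)


# The NAT rule from the post: untrust -> untrust (192.168.1.1 sits on the
# outside segment), translating the gateway IP to the constructed DMZ server.
NAT_RULES = [NatRule("FTP-DNAT", "untrust", "untrust", "192.168.1.1", FTP, "172.16.1.10")]

# Correct security rule: destination zone is post-NAT (dmz), address is pre-NAT.
RULE_OK = SecurityRule("Allow-FTP-DMZ", "untrust", "dmz", "192.168.1.1", FTP, "allow")
# Common mistake: using the translated (post-NAT) address as the destination.
RULE_WRONG = SecurityRule("Allow-FTP-wrong", "untrust", "dmz", "172.16.1.10", FTP, "allow")

if __name__ == "__main__":
    client = Packet("203.0.113.50", "192.168.1.1", "tcp", 21)
    print(evaluate(client, NAT_RULES, [RULE_OK]))     # matched, allowed
    print(evaluate(client, NAT_RULES, [RULE_WRONG]))  # NAT matched, rule missed, denied
```

The second run is the check worth keeping in mind when the Destination tab of the security rule is filled in: the rule written against the DMZ server's own address never matches, because the security lookup still sees 192.168.1.1, and the session falls through to the interzone default deny.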

We are going to spice it up by adding a Schedule that controls when this port is open.

Adding a Schedule to a Security Policy

By default all security rules are always in effect, but the Schedule setting under the Actions tab lets us restrict when a rule applies. Under Actions, select Schedule and create a new Schedule.
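As an added example (not code from the original post), the block below models how a Schedule attached to a security rule gates whether that rule can match at a given moment, covering the recurring (daily and weekly) and non-recurring (absolute start and end) schedule types. The schedule name, days, times and date strings are constructed for the example; the rule name reuses the FTP rule from this post.

```python
"""Added example: how a PAN-OS security rule Schedule decides whether the rule
is in effect. Schedule names, windows and dates are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


@dataclass(frozen=True)
class Schedule:
    name: str
    recurrence: str   # "daily", "weekly" or "non-recurring"
    windows: tuple    # see in_effect() for the shape of each entry


def _parse_time(text: str) -> time:
    return datetime.strptime(text, "%H:%M").time()


def _in_window(start: str, end: str, now: time) -> bool:
    return _parse_time(start) <= now <= _parse_time(end)


def in_effect(schedule: Schedule, now: datetime) -> bool:
    """True when `now` falls inside one of the schedule's windows."""
    if schedule.recurrence == "daily":
        # windows: (("08:00", "18:00"), ...)
        return any(_in_window(s, e, now.time()) for s, e in schedule.windows)
    if schedule.recurrence == "weekly":
        # windows: (("monday", "08:00", "18:00"), ...)
        today = WEEKDAYS[now.weekday()]
        return any(d == today and _in_window(s, e, now.time())
                   for d, s, e in schedule.windows)
    if schedule.recurrence == "non-recurring":
        # windows: (("2024/01/15@08:00", "2024/01/19@18:00"), ...) (constructed format)
        fmt = "%Y/%m/%d@%H:%M"
        return any(datetime.strptime(s, fmt) <= now <= datetime.strptime(e, fmt)
                   for s, e in schedule.windows)
    raise ValueError(f"unknown recurrence {schedule.recurrence!r}")


@dataclass(frozen=True)
class SecurityRule:
    name: str
    action: str
    schedule: Optional[Schedule] = None   # None: always in effect (the default)


def first_match(rules: list, now: datetime) -> tuple:
    """Top-down rule lookup: a scheduled rule is skipped outside its windows.
    With no matching rule the interzone default (deny) applies."""
    for rule in rules:
        if rule.schedule is None or in_effect(rule.schedule, now):
            return rule.name, rule.action
    return "interzone-default", "deny"


# Constructed weekly schedule: FTP is reachable on weekdays, 08:00 to 18:00.
BUSINESS_HOURS = Schedule(
    "FTP-business-hours", "weekly",
    tuple((day, "08:00", "18:00") for day in WEEKDAYS[:5]),
)
RULES = [SecurityRule("Allow-FTP-DMZ", "allow", BUSINESS_HOURS)]

if __name__ == "__main__":
    # 2024-01-15 is a Monday; 2024-01-13 is a Saturday.
    print(first_match(RULES, datetime(2024, 1, 15, 9, 30)))   # allowed, in window
    print(first_match(RULES, datetime(2024, 1, 13, 9, 30)))   # denied, weekend
    print(first_match(RULES, datetime(2024, 1, 15, 19, 0)))   # denied, after hours
```

The point to notice is what happens outside the window: the scheduled rule is simply not a candidate, so whatever rule comes next in the rulebase (or the interzone default deny, if nothing else matches) decides the session.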

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, as well as for financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and hosted IPT service provider infrastructures.

You can follow Andres on Twitter, LinkedIn or Facebook.
