Policy Format

• Destination Zone = Post Translation Zone
• Destination IP = Pre Translation IP

• Destination Zone = Pre Translation Zone
• Destination IP = Pre Translation IP

• Destination Zone = No Destination Zone
• Destination IP = Post Translation Address

• Destination Zone = Post Translation Zone
• Destination IP = Pre Translation IP

• Destination Zone = Post Translation Zone
• Destination IP = Pre Translation IP

When you have a destination NAT that translates the destination port (e.g. TCP-2222 to TCP-22), the security policy rules should use the pre translation port (e.g. TCP-2222). The Logs will show the traffic going to the pre translated port (e.g. SSH to TCP-2222).

• Source Zone = SZ_ClientlessVPN
• Destination Zone = Actual Destination Zone
• Source IP = Actual source endpoint IP (public IP if they are on the Internet or connecting from behind a remote NAT).
• Destination IP = Actual Destination IP
• Destination Port = Actual Destination Port (not GlobalProtect 443)
• Application = Actual Application. (e.g. Web Browsing not SSL if forwarding to port 80).