Policy Format
Security Policy
- Destination Zone = Post Translation Zone
- Destination IP = Pre Translation IP
Destination NAT Policy
- Destination Zone = Pre Translation Zone
- Destination IP = Pre Translation IP
PBF Policy
- Destination Zone = No Destination Zone
- Destination IP = Post Translation Address
Decryption Policy
- Destination Zone = Post Translation Zone
- Destination IP = Pre Translation IP
Port Translation
When you have a destination NAT that translates the destination port (e.g. TCP-2222 to TCP-22), the security policy rules should use the pre-translation port (e.g. TCP-2222). The logs will show the traffic going to the pre-translation port (e.g. SSH on TCP-2222).
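As an added illustration (this is not from the original page and is not a Palo Alto Networks tool), the following Python model applies the rules listed above to a constructed topology: given a packet's original destination, it derives the destination zone and IP that a security, destination NAT, PBF and decryption rule must each reference, and includes a check that flags a security rule written against the post-translation IP, which would never match. The zone map, the DNAT rules and all addresses are constructed sample values, not from the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumed for this example, not from the page):
# the zone each destination subnet is reached through.
ZONES = {
    ip_network("203.0.113.0/24"): "untrust",  # public addresses on the outside
    ip_network("10.1.1.0/24"): "trust",       # internal servers
    ip_network("10.2.0.0/16"): "dmz",
}


@dataclass(frozen=True)
class DnatRule:
    """Destination NAT: original (pre-translation) -> translated (post-translation)."""
    orig_ip: str
    orig_port: int
    xlat_ip: str
    xlat_port: int


# Constructed DNAT rules, e.g. public 203.0.113.10:2222 forwarded to 10.1.1.10:22.
DNAT_RULES = [
    DnatRule("203.0.113.10", 2222, "10.1.1.10", 22),
    DnatRule("203.0.113.10", 443, "10.2.5.5", 443),
]


def zone_of(ip: str) -> str:
    """Zone the firewall would route this destination address through."""
    addr = ip_address(ip)
    for net, zone in ZONES.items():
        if addr in net:
            return zone
    raise LookupError(f"no zone for {ip}")


def apply_dnat(dst_ip: str, dst_port: int) -> tuple:
    """First matching DNAT rule wins; no match means no translation."""
    for r in DNAT_RULES:
        if (r.orig_ip, r.orig_port) == (dst_ip, dst_port):
            return r.xlat_ip, r.xlat_port
    return dst_ip, dst_port


def policy_match_keys(dst_ip: str, dst_port: int) -> dict:
    """For a packet's original destination, return the destination zone/IP
    each policy type must reference, per the rules listed on this page."""
    post_ip, _post_port = apply_dnat(dst_ip, dst_port)
    pre_zone, post_zone = zone_of(dst_ip), zone_of(post_ip)
    return {
        # security policy: post-translation zone, pre-translation IP and port
        "security": {"dst_zone": post_zone, "dst_ip": dst_ip, "dst_port": dst_port},
        # destination NAT rule: pre-translation zone, IP and service
        "dnat": {"dst_zone": pre_zone, "dst_ip": dst_ip, "dst_port": dst_port},
        # PBF: no destination zone, post-translation address
        "pbf": {"dst_zone": None, "dst_ip": post_ip},
        # decryption policy: post-translation zone, pre-translation IP
        "decryption": {"dst_zone": post_zone, "dst_ip": dst_ip},
    }


def security_rule_matches(rule: dict, dst_ip: str, dst_port: int) -> bool:
    """Check a candidate security rule (dst_zone/dst_ip/dst_port) against the
    keys the firewall actually evaluates for this packet's original destination."""
    keys = policy_match_keys(dst_ip, dst_port)["security"]
    return all(rule[k] == keys[k] for k in ("dst_zone", "dst_ip", "dst_port"))


if __name__ == "__main__":
    # The 2222 -> 22 forward from the Port Translation section above.
    for policy, key in policy_match_keys("203.0.113.10", 2222).items():
        print(f"{policy:<10} {key}")
    wrong = {"dst_zone": "trust", "dst_ip": "10.1.1.10", "dst_port": 22}
    print("rule on post-NAT IP/port matches:",
          security_rule_matches(wrong, "203.0.113.10", 2222))
```

For the 2222-to-22 forward, the model reports that the security rule must reference destination zone trust (post-translation), destination IP 203.0.113.10 and port 2222 (both pre-translation), while the DNAT rule itself references zone untrust; a security rule written for 10.1.1.10:22 is reported as non-matching, which is the misconfiguration the rules above are meant to prevent.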
Clientless VPN
- Source Zone = SZ_ClientlessVPN
- Destination Zone = Actual Destination Zone
- Source IP = Actual source endpoint IP (public IP if they are on the Internet or connecting from behind a remote NAT).
- Destination IP = Actual Destination IP
- Destination Port = Actual Destination Port (not GlobalProtect 443)
- Application = Actual application (e.g. web-browsing, not ssl, when forwarding to port 80).
paloaltonetworks/configuration/policy_format.1598855443.txt.gz · Last modified: (external edit)
