I just spent a week in Texas for the PAN CSL training and had the pleasure of having Mark teach the first two days. Mark was fantastic and I learned a lot. This is a great video. It will really help you understand how NAT works in the Palo world.
@Kaal_Bhairava111 months ago
Hats off for such a beautiful and simple explanation Mark
@siddeeq3712 5 years ago
I'm going to add my two cents and say that this video is very helpful in understanding NAT/Security policy configurations. Searching KZbin for instructional videos on PA can be frustrating due to quality of videos and language/accent. So I enjoyed the clarity of the speaker and his overall knowledge of the subject. Thank you Mark!
@RahulKumar-hs5os 5 years ago
Was searching for a video to understand D-NAT, finally landed and found this video. Great detailed tutorial. Thank you so much for such an awesome job. 10/10 ratings.
@Mistanders0n 7 years ago
The best explanation of this that I’ve ever seen. Thank you
@farhanbutt433 5 years ago
This is by far the best explanation of the most dreaded concept i.e. NAT
@nikkycooly261 6 years ago
Super helpful. Prior to watching the video I was seriously confused
@PaloAltoNetworksLiveCommunity 6 years ago
We do our best! Please do let us know if there's any other topics that could be helpful in clearing any confusion.
@Black_Swan68761 4 years ago
Thank you, Mark. Now I have a clear picture of how the NAT and security policy works.
@mail2gowthamkumar 7 years ago
Well Explained Mark Bowling. The checklist way of configuration one step after the other. Perfect one. Thank you.
@PaloAltoNetworksLiveCommunity 7 years ago
Thanks for your comment! We're glad you found the video helpful!
@samual8299 4 years ago
Great video, cleared up all of my confusion. I only wish the official training was like this, instead of (mostly) a robotic voice sloooowly reading from slides. Thanks!
@ervinskendaj8087 7 years ago
Really what I was looking for. I was a bit confused on how things work in PA devices. Thanks a lot man :)
@ervinskendaj8087 7 years ago
hi
@omarquintanilla696 5 years ago
Damn!! This video was on point especially the section before describing the lazy function of the bi-directional check box. I loved the explanation of explaining the subtleties of a NAT policy versus a Security Policy. I was actually doing this subliminally with regards to routing internal to the public/global address of my DMZ firewalls, but this video helped a YUGE TONNE, LIKE YOU COULDN'T IMAGINE!!! Thank you Firewall Master Mark!!! #PaloAltoNetworks
@Grips44 6 years ago
Perfect u-turn explanation, and more. great video!
@jamessullo2599 6 years ago
Very easy to understand the way it's explained here Thanks much
@junekousa1 6 years ago
Splendid!!! best ever lecture.
@Navachakshu 7 years ago
Awesome video... very very helpful. Just to add a point: if default intrazone policy has a clean up rule on top of it (few customers do insist for this) then we also have to create a rule for untrust to untrust in order to allow this.
@miilanshihora4064 4 years ago
Awesome video, cleared all my doubts.
@Xevious5 6 years ago
Mark you're a beast. Thanks for your video!
@pvcamargoagility 5 months ago
Uncomplicated with mastery!😎
@456steel 6 years ago
Great video... He gives a very clear understanding.
@RickHollmer 5 years ago
Great video, Mark. Thanks!!
@gnan86 1 year ago
Great Explanation !
@PaloAltoNetworksLiveCommunity 7 years ago
We're happy this video has helped so many. Thank you for the kudos! Also check out the Live Community at live.paloaltonetworks.com for more info -- feel free to post your questions there, too!
@kiryukazama_ 4 years ago
in 11:16 result. it should be unchecked bi-dir translation in rule 1 if i put rule 2 bi-dir?
@winsyrstrife 7 years ago
Thanks much, Mark, for this simple direct explanation. I understand how the Palo Alto works, but I could never explain it in any way that made sense to someone else. One question: how are you able to get traffic from the internal zone to bypass NAT rule #1, which watches for any destination traffic, and process on NAT rule #3 ("Server 1 from Inside" - Internal > Internet > translated DMZ zone)?
@nasratshah6191 7 years ago
thanks dear sir for uploading your training videos
@9527903681 5 years ago
Good explanation and thanks.
@MrSrinupalasa 5 years ago
Wow really superb
@cankitchourasia 7 years ago
Excellent explanation !!
@salvatorer7758 4 years ago
At 5:06, why wouldn't the destination zone be DMZ?
@leetanizer 6 years ago
Hello, at minute 9:07: with this NAT policy, if a client from 10.1.1.0/24 tries to access the 66.1.1.2 server then the destination NAT in line 2 will not be applied, right? The access will then fail, am I wrong?
@PaloAltoNetworksLiveCommunity 6 years ago
Hi Karim, thanks for your comment. You are correct, for that scenario, the second NAT rule needs to be above the first one as else the packet will be source translated only (only one NAT policy can be applied at a time)
@KavanMavati 4 years ago
Thank you for the video, very useful. One question though. Do you need to create NAT rules when you apply the policy rule between inside subnet (trusted zones)? Or is this not necessary? In my understanding, no NAT is needed, since all I need is to allow/deny traffic from one zone to another. Just want to double-check.
@PaloAltoNetworksLiveCommunity 4 years ago
Hi, if your inside subnets are routable to each other then NAT is likely not needed.
@KavanMavati 4 years ago
@@PaloAltoNetworksLiveCommunity Thanks
@gabrielcruzv5716 2 years ago
Newcomer to PA technology and holy, NAT is one of the most mindfuck features, but this video helps a lot to understand it!
@PaloAltoNetworksLiveCommunity 2 years ago
We're happy this video has helped you. Make sure to subscribe to the channel for new and updated videos. Also check out the Live Community at live.paloaltonetworks.com for more info -- feel free to post your questions there, too!
@franzw70 7 years ago
Thx Sir, plain as Glass now this topic is :)
@amarjeetkumar8735 2 years ago
Awesome...
@srinivasann2493 6 years ago
Hi Mark, thanks for the great stuff. My query is for Rule-3, when we wanna try to access the server using its public IP. This is called U-turn NAT and we may have to do source NAT to the interface to the destination to avoid asymmetric routing. Please assist.
@PaloAltoNetworksLiveCommunity 6 years ago
Hi Srinivasan, please check out the U-turn video : kzbin.info/www/bejne/eJXFn2Sml8pqatE
@anthonyfaucichan3490 4 years ago
4:30 Nat outside to inside
@balachandarsivasamy7958 5 years ago
Great video
@ViralVideos-vi3tp 3 years ago
Nice video
@PaloAltoNetworksLiveCommunity 3 years ago
Thanks for the positive feedback!
@gopalsrinivasa6267 3 years ago
Hi, this tutorial is good but at 8:03 you are actually configuring a U-Turn NAT rule in which the source should be translated in Rule 3 - "Server-1 from Inside". For example, on your same channel there is a video named "How to configure U-TURN NAT". Can you explain the same?
@PANgurus 3 years ago
True U-turn only applies if the client and server exist in the same subnet/zone. For 'soft' U-turn where both client and server are internal but in different zones, a NAT rule only needs to perform destination NAT for the client source to the untrust zone without source NAT.
@gopalsrinivasa6267 3 years ago
@@PANgurus Thanks for your reply
@alhaseen1 7 years ago
Thanks very much
@marrr7611 4 years ago
I am running ios 9.1.4 and not able to get the static nat from outside to inside to reach an internal server to work when using the example here. The only way I got it to work was to use on the nat statement ; source zone:outside --- destination zone:inside
@ashokreddyb7867 4 years ago
I've a doubt... How is it possible to create "ONE to ONE NAT" twice using the same PUBLIC IP to forward all 0 to 65535 ports??. You have configured two bidirectional NAT using the same public IP. To my mind it's possible only if we use "specific port forwarding". Correct me if I'm wrong.
@mattcromer511 7 years ago
What is the benefit to adding the destination address of the public IP on your DMZ server for the NAT policy vice adding your DMZ IP and just going from private to DMZ vs private to public to DMZ, which is what you're doing? Is there any benefit to doing it the way you did versus what I'm saying can be done? Or is what I'm saying not possible on these devices, or is one way considered bad practice/best practice; why?
@PaloAltoNetworksLiveCommunity 7 years ago
Hi Matt! You may want to review the first few minutes of the video: the destination IP of the server in the DMZ is a public IP, this means the routing table will place it in the 'outside' zone pre-NAT. So your NAT policy will reflect inside to outside for the NAT action, but your final destination is the DMZ so your security policy will reflect inside to DMZ. If you can control the IP the inside client connects to by using two different DNS records for the server's hostname for example, you would not need NAT for connections from inside to DMZ as the inside clients would be able to resolve the private IP
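Added example, not part of the thread or of Palo Alto Networks' material: a simplified Python model of the two replies above, showing that only the first matching NAT rule is applied and that NAT rules match the pre-NAT destination zone while the security policy uses the post-NAT destination zone. Only 10.1.1.0/24 and 66.1.1.2 come from the comments; the DMZ subnet, the 66.1.1.1 egress address, the rule names and the "any" source zone on the destination rule are assumptions.

```python
import ipaddress

# Constructed topology: only 10.1.1.0/24 and 66.1.1.2 come from the thread.
ROUTES = [("10.1.1.0/24", "inside"), ("192.168.1.0/24", "dmz"), ("0.0.0.0/0", "outside")]
SERVER_PRIVATE = "192.168.1.10"  # assumed DMZ address of the server

def zone_of(ip):
    """Longest-prefix route lookup, returning the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(n), z) for n, z in ROUTES if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

# Simplified NAT rules: zones and destination are matched on the pre-NAT packet.
SRC_NAT = {"name": "outbound source NAT", "from": "inside", "to": "outside",
           "dst": "0.0.0.0/0", "snat": "66.1.1.1"}  # assumed egress address
DST_NAT = {"name": "server destination NAT", "from": "any", "to": "outside",
           "dst": "66.1.1.2/32", "dnat": SERVER_PRIVATE}

def evaluate(rules, src, dst):
    """Apply the first matching NAT rule only, then derive the security-policy zones."""
    src_zone, pre_zone = zone_of(src), zone_of(dst)
    out = {"rule": None, "src": src, "dst": dst}
    for r in rules:
        if (r["from"] in ("any", src_zone) and r["to"] == pre_zone
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r["dst"])):
            out.update(rule=r["name"], src=r.get("snat", src), dst=r.get("dnat", dst))
            break  # one NAT rule per session: later rules are never consulted
    # Security policy is written against the post-NAT destination zone.
    out["security_zones"] = (src_zone, zone_of(out["dst"]))
    return out

def compare_orders(src="10.1.1.50", dst="66.1.1.2"):
    """Same packet, two rule orders: source NAT first, then destination NAT first."""
    return evaluate([SRC_NAT, DST_NAT], src, dst), evaluate([DST_NAT, SRC_NAT], src, dst)

if __name__ == "__main__":
    for result in compare_orders():
        print(result)
```

With the source NAT rule on top, the inside client's packet keeps 66.1.1.2 as its destination and never reaches the DMZ; with the destination rule on top, the security policy needed is inside to DMZ.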
@mabooali 4 years ago
Good explanation but he is going too fast. Best split in two videos in my opinion because even plain NAT is confusing.
@PaloAltoNetworksLiveCommunity 4 years ago
Thank you, we appreciate your feedback!
@prasee5101 3 years ago
Yes, I watched in .75x speed to understand.
@evanhairston5872 4 years ago
Amazing explanation!!
@petroskourris 4 years ago
Excellent explanation !!
@PaloAltoNetworksLiveCommunity 4 years ago
Glad you liked it! Be sure to check out the LIVEcommunity for more great information: live.paloaltonetworks.com