Palo Alto Networks NAT Troubleshooting

Introduction to NAT on Palo Alto Networks Firewalls

Network Address Translation (NAT) is a fundamental technique used in networking to modify IP address information in packet headers while they are in transit across a traffic routing device. Palo Alto Networks Next-Generation Firewalls (NGFWs) provide robust and flexible NAT capabilities, essential for scenarios like allowing internal users to access the internet (Source NAT), or permitting external users to access internal servers (Destination NAT).

Understanding NAT on a Palo Alto Networks firewall is crucial for network administrators and is a key topic covered in certifications like PCNSE (Palo Alto Networks Certified Network Security Engineer) and PCNSA (Palo Alto Networks Certified Network Security Administrator). Correct NAT configuration ensures proper traffic flow and is often a prerequisite for successful security policy enforcement.

Key NAT Concepts on Palo Alto Networks Firewalls

NAT Rules: Configured policies that define criteria for matching traffic and the translation action to be applied. NAT rules are evaluated from top to bottom, similar to Security Policies.
Source NAT (SNAT): Changes the source IP address of a packet. Commonly used to translate private internal IP addresses to a public IP address for internet access.
Destination NAT (DNAT): Changes the destination IP address of a packet. Commonly used to translate a public IP address to a private internal server IP address.
Bidirectional NAT: A single rule that performs both Source and Destination NAT. Often used for servers that initiate connections both internally and externally, or for U-turn NAT scenarios.
NAT Types: Palo Alto Networks supports various NAT types including Dynamic IP, Dynamic IP and Port (DIPP/PAT), Static IP, and Static IP and Port.

     
      PCNSE/PCNSA Exam Note:
     
     Understand the order of policy evaluation. NAT policies are evaluated *before* Security Policies for the *first packet* of a session. For subsequent packets in the same session, the flow lookup uses the NAT'd addresses and ports, hitting the session table directly.

Packet Flow and NAT

NAT happens early in the packet processing path. For the first packet of a new session:

Packet arrives on ingress interface.
Zone/Interface check.
Route lookup (using the packet's original destination IP).
NAT Rule Lookup (comparing original packet attributes against NAT rules). If a match is found, the NAT translation is determined.
Session is created. The session table stores both original and translated IP/port information.
NAT translation is applied (if required).
Policy lookup (using translated IP/port and potentially original source/destination zone depending on rule type and PAN-OS version).
Security Processing (App-ID, Content-ID, Threat Prevention, etc.).
Packet sent out egress interface.

This order is critical for troubleshooting. If NAT isn't happening as expected, it's often because the NAT rule wasn't matched *before* the session was created or the security policy was evaluated incorrectly due to incorrect NAT.

Simplified Packet Flow highlighting NAT rule lookup.

Checking NAT Hit Counters

Hit counters are invaluable for verifying if your NAT rules are being matched by traffic. A non-zero hit counter indicates that traffic corresponding to the rule's criteria has passed through the firewall and triggered that specific NAT rule. If a NAT rule isn't getting hits when you expect it to, it suggests a misconfiguration in the rule criteria (Source Zone, Destination Zone, Source Address, Destination Address, Service, etc.) or that traffic is being blocked by a security policy or routing issue before it hits the NAT evaluation point.

GUI Method

In the Palo Alto Networks GUI:

Navigate to Policies > NAT .
Locate the specific NAT rule you want to check.
Look at the Hits column for that rule.

You can sort the rules by the 'Hits' column to quickly see which rules are most active or identify rules with zero hits.

To reset NAT rule hit counters (useful after making changes to see fresh counts):

     
      PCNSE/PCNSA Exam Note:
     
     Resetting counters can be done per rule or globally. Be cautious with global resets in production environments as it affects all rules.

Per Rule: In the GUI, right-click the rule and select Reset Hit Counter .
Global: In the GUI, at the top right of the NAT rules list, click Reset All Hit Counters .

CLI Method

The primary command to view NAT rule hit counters in the CLI is:

> show nat rule all

This command displays a list of all configured NAT rules, including their rule index, name, and hit count. Example output snippet:

     rule {
                1 {
                    name allow-internet-snat;
                    hits 15678;
                    ...
                }
                2 {
                    name webserver-dnat;
                    hits 890;
                    ...
                }
                3 {
                    name internal-servers-no-nat;
                    hits 0;
                    ...
                }
            }
    

To reset NAT rule hit counters via CLI:

Per Rule:

> clear nat rule hit-count rule-name <rule-name>

Global:

> clear nat rule hit-count all

Interpreting Hit Counters

If your NAT rule is configured correctly based on the traffic you expect, but the hit counter is zero, consider the following:

Is traffic actually reaching the firewall's ingress interface?
Is the traffic hitting the firewall but being dropped by a Security Policy rule *before* NAT evaluation? (No, this is incorrect based on packet flow). NAT is evaluated *before* the security policy rule *match*. However, if the security policy lookup fails (e.g., due to incorrect zones after NAT), the session won't be permitted.
Is the traffic hitting the firewall but being dropped by an implicitly denied NAT rule? (No, implicit NAT rules don't drop, they just don't NAT).
Is there a routing issue? NAT uses the original destination IP for route lookup *before* applying DNAT. If the firewall can't route to the *original* destination, the packet may be dropped early.
Are the criteria (Source Zone, Destination Zone, Source Address, Destination Address, Service) in the NAT rule an exact match for the traffic? Remember that the rule match uses the *original* packet information for Source/Destination Zone/Address/Service, and the *post-NAT* destination zone/address for policy lookup (primarily the destination zone after DNAT, if applicable).
Are there other NAT rules above this one that are matching the traffic instead? NAT rule evaluation is top-down, first match wins.

     
      Gotcha!
     
     A common mistake is assuming NAT happens after security policy. For the *first packet*, NAT rule lookup is *before* the security policy lookup. The security policy lookup then uses the
     
      post-NAT
     
     destination zone/address/port. If DNAT is used, the security policy must allow traffic to the *translated* destination zone/address/port.

NAT Troubleshooting Commands

Beyond checking hit counters, several CLI commands are essential for troubleshooting NAT issues on Palo Alto Networks firewalls. These commands help you understand how the firewall sees the traffic and how it's evaluating rules.

`show session all`

This is arguably the most important command for understanding active traffic and NAT. It shows details about current sessions, including original and translated IP/port information.

     > show session all filter source <src-ip> destination <dest-ip> destination-port <port> protocol <protocol>
    

Replace placeholders with the actual IP addresses, port, and protocol of the traffic you are troubleshooting. Example output snippet:

     id                      : 12345
            state                   : ACTIVE
            nat-rule                : allow-internet-snat (vsys1)
            ...
            source      zone        : trust
            source      address     : 192.168.1.10
            source      port        : 54321
            source      nat address : 203.0.113.5
            source      nat port    : 1024
            ...
            destination zone        : untrust
            destination address     : 8.8.8.8
            destination port        : 53
            destination nat address : 8.8.8.8
     
      (Original Destination)
     
     destination nat port    : 53
     
      (Original Destination Port)
     
     ...
            protocol                : udp
            application             : dns
            policy                  : allow-internet-access
            ...
    

Look for the `nat-rule` field to see which NAT rule the session matched. Examine the `source nat address`/`port` and `destination nat address`/`port` fields to see if the expected translation occurred.

`test nat-policy-match`

This command allows you to simulate traffic against your NAT rules to see which rule would be matched *before* the actual traffic arrives. This is extremely useful for verifying your NAT rule configuration without sending live traffic.

     > test nat-policy-match from <source-zone> to <destination-zone> source <source-ip> destination <destination-ip> protocol <protocol> destination-port <port>
    

Example:

     > test nat-policy-match from trust to untrust source 192.168.1.10 destination 8.8.8.8 protocol 17 destination-port 53
    

Output will show the first NAT rule that matches the simulated traffic attributes.

     vsys1

            Matching NAT rule: allow-internet-snat (idx 1)

If this command shows 'No matching rule', then your NAT rule criteria are incorrect for the traffic flow you are testing.

`show running nat-policy`

Displays the currently active NAT policy configuration on the firewall, similar to viewing it in the GUI.

> show running nat-policy

This is useful for quickly reviewing all NAT rules and their configurations via CLI.

`show system state filter-xpath "nat"`

Provides detailed NAT-related state information from the system. This is more advanced and might reveal internal NAT tables or counters not exposed in other commands.

> show system state filter-xpath "nat"

Use this command with caution as the output can be extensive and may require Palo Alto Networks support guidance for full interpretation.

U-Turn NAT (Hairpinning)

Troubleshooting U-Turn NAT, where an internal host accesses another internal host using the destination host's public IP address, often involves ensuring both Source and Destination NAT occur. The traffic leaves and returns on the *same* firewall interface/zone (e.g., Untrust). Your NAT rule needs to match this specific flow (Source Zone = Untrust, Destination Zone = Untrust, Source Address = Internal Host's Translated SNAT address, Destination Address = Server's Public DNAT address) and apply DNAT *and* SNAT.

Simplified U-Turn NAT flow. Note traffic enters and exits the firewall on the same zone (Untrust in this example).

     
      PCNSE Exam Note:
     
     U-Turn NAT requires careful configuration. Ensure your NAT rule matches the correct zones (often the same zone for both source and destination side on the firewall) and applies both DNAT and SNAT. The source address in the NAT rule should typically be the translated/public IP of the *source* host (or a SuperNet encompassing it).

Debugging NAT with Packet Flow

When basic troubleshooting commands aren't sufficient, using packet flow debugging is necessary. This allows you to see how the firewall processes a specific packet step-by-step, including NAT evaluation and application.

The primary tool for this is the `debug flow` command.

     
      CRITICAL:
     
     Debug commands can generate significant output and impact firewall performance. Use filters meticulously and only run debugging when necessary and with caution, especially in production environments. Always disable debugging when finished.

Packet Flow Stages Relevant to NAT Debugging

The packet flow debugging output goes through many stages. Key stages for NAT are:

flow_ipv4_decap / flow_ipv6_decap : Packet arrives.
flow_lookup_policy_nat : This is where the NAT rule lookup occurs. You'll see checks against your NAT rules.
flow_setup_session : Session is created. Original and translated addresses/ports are logged here.
flow_apply_nat : The NAT translation is applied to the packet header.
flow_lookup_policy_security : Security policy lookup occurs using the *translated* information.
flow_fwd_final : Packet is forwarded out.

Steps for Debugging NAT

Set Debug Filters: Define filters to target only the specific traffic flow you are interested in. This is crucial!

      > debug flow basic filter on
                > debug flow basic filter match source <src-ip> destination <dest-ip> protocol <protocol-number> destination-port <port>
     

Use IP addresses and the protocol number (e.g., 6 for TCP, 17 for UDP, 1 for ICMP). You can add source-port if needed but destination-port is often sufficient for initial NAT checks.

      
       Gotcha!
      
      Protocol needs to be the number, not the name (e.g., 6 for TCP, not 'tcp'). Use
      
       show protocol
      
      if unsure.

Enable Debugging: Turn on basic flow debugging.

> debug flow basic on

Generate Traffic: Initiate the traffic flow from the source host.
View Debug Output: The output will be sent to the system logs (visible via less mp-log flow.log or `tail mp-log flow.log`) or directly to your console if you are using a session management tool. Look for the stages mentioned above.

> less mp-log flow.log

Disable Debugging: Immediately disable debugging filters and logging when you have captured the necessary traffic.

      > debug flow basic filter off
                > debug flow basic off
                > clear log mp-log flow.log
      
       (Optional, to clear logs)

Interpreting Debug Flow Output for NAT

Look for lines containing `flow_lookup_policy_nat`. This will show which NAT rule is being considered and if a match is made.

     flow_lookup_policy_nat(8540): policy matched rule 'allow-internet-snat' (id 1), type NAT.
    

Then look for `flow_setup_session` to see the determined translation:

     flow_setup_session(8921): ... original: 192.168.1.10[54321]->8.8.8.8[53], ... translated: 203.0.113.5[1024]->8.8.8.8[53], ...
    

If `flow_lookup_policy_nat` indicates 'no matching rule', review your NAT rule configuration and test it using `test nat-policy-match` first.

Sequence Diagram of Packet Flow including NAT on Palo Alto Networks Firewall.

Debug NAT States

While not a direct `debug flow` stage, understanding the states a NAT entry goes through can be helpful. A NAT entry in the session table has a state. It starts when a NAT rule is matched and a session created, is active during the session lifetime, and is eventually removed.

Simplified State Diagram for a NAT Session Entry.

NAT Troubleshooting Quiz

Test your knowledge of NAT on Palo Alto Networks firewalls with these questions, focusing on troubleshooting and PCNSE key points.

1. At which stage of the packet flow is the NAT rule evaluated for the *first packet* of a session on a Palo Alto Networks firewall?

After the Security Policy lookup. Before the Security Policy lookup. Concurrently with the Security Policy lookup. During Application Identification.

Correct Answer: Before the Security Policy lookup. The NAT rule evaluation determines the translated addresses/ports which are then used for the Security Policy lookup on the first packet.

2. Which CLI command is used to view the hit counters for all NAT rules?


         show policy all


         show session all


         test nat-policy-match


         show nat rule all

Correct Answer: show nat rule all. This command specifically displays NAT rules and their associated hit counts.

3. A NAT rule has zero hits in the GUI and CLI. What is the most likely reason, assuming traffic for that rule exists and reaches the firewall?

A Security Policy is blocking the traffic before it hits the NAT rule. There is a routing issue preventing the packet from being processed. A NAT rule higher in the list is matching the traffic first. The criteria in the NAT rule (zones, addresses, service) do not match the traffic flow.

Correct Answer: The criteria in the NAT rule (zones, addresses, service) do not match the traffic flow. If the rule isn't getting hits, the traffic doesn't match the rule's criteria, or a rule above it matched. Security policy evaluation happens *after* NAT rule lookup for the first packet.

4. You suspect traffic is not being NAT'd as expected. Which command is best for verifying if an active session is matching a NAT rule and showing the applied translation?


         show nat rule all


         test nat-policy-match


         show session all


         debug flow basic

Correct Answer: show session all. This command shows details of *active* sessions, including which NAT rule was matched (`nat-rule` field) and the original vs. translated addresses/ports.

5. Which CLI command allows you to simulate a traffic flow to see which NAT rule it would match, without sending actual traffic?


         show session all


         test security-policy-match


         test nat-policy-match


         show nat rule all

Correct Answer: test nat-policy-match. This is the specific command designed for simulating traffic against the NAT rulebase.

6. Which Source NAT type allows multiple internal hosts to share a single public IP address by using different source ports?

Static IP Dynamic IP Static IP and Port Dynamic IP and Port (DIPP / PAT)

Correct Answer: Dynamic IP and Port (DIPP / PAT). This type (Port Address Translation) translates both the source IP and source port, allowing many internal hosts to use a limited pool of public IP addresses.

7. Which type of NAT is typically used to allow external users to access a web server located in an internal network zone?

Source NAT Destination NAT Bidirectional NAT U-Turn NAT

Correct Answer: Destination NAT. DNAT changes the destination IP address of the incoming packet from a public IP to the private IP of the internal server.

8. What is a common use case for configuring a Bidirectional NAT rule?

Simple internet access for internal users. Translating multiple public IPs to multiple internal server IPs. To log NAT traffic without translation. Handling U-Turn (hairpin) NAT scenarios for internally hosted services.

Correct Answer: Handling U-Turn (hairpin) NAT scenarios for internally hosted services. While Bidirectional NAT can be used in other scenarios, it is particularly common and often required for U-Turn NAT to handle translation in both directions for sessions originating and terminating on the same firewall zone/interface (often the external one).

9. What is the most important step immediately after finishing a `debug flow basic` troubleshooting session?

Clear the flow logs. Commit the firewall configuration. Save the running configuration. Disable the debug filters and debugging itself.

Correct Answer: Disable the debug filters and debugging itself. Leaving debugging enabled, especially without tight filters, can severely impact firewall performance and fill up logs quickly in a production environment.

10. The `debug flow basic` command is useful for NAT troubleshooting because it allows you to see:

Detailed firewall configuration settings. Only Application Identification results. System resource utilization like CPU and memory. The step-by-step processing of a specific packet through the firewall, including NAT stages.

Correct Answer: The step-by-step processing of a specific packet through the firewall, including NAT stages. Debug flow provides a detailed look into the packet processing path, showing when NAT rules are evaluated and applied.

11. When using `test nat-policy-match` for a DNAT rule targeting an internal server, the 'destination' parameter in the command should be the:

Server's private IP address. Server's translated port. Public/Translated IP address used for external access. The firewall's interface IP address.

Correct Answer: Public/Translated IP address used for external access. You are simulating the *incoming* packet from an external source, which would be destined for the public/translated IP.

12. How does the Palo Alto Networks firewall evaluate NAT rules?

Randomly. Based on longest prefix match for destination address. Top-down, first rule match wins. After Application Identification, based on app ID.

Correct Answer: Top-down, first rule match wins. Like Security Policies, NAT rules are evaluated sequentially from the top of the list.

13. For a session where NAT is applied, which set of IP addresses and ports does the firewall typically use to match against Security Policy rules (for the first packet)?

Original Source and Destination IP/Port. Translated Source IP/Port and Original Destination IP/Port. Original Source IP/Port and Translated Destination IP/Port. Translated Source and Translated Destination IP/Port.

Correct Answer: Translated Source and Translated Destination IP/Port. The Security Policy lookup for the first packet uses the post-NAT (translated) addresses and ports.

14. You are troubleshooting a specific user's traffic (192.168.5.10) trying to reach a server (172.16.1.20) on a non-standard port (8080) using TCP. Which `show session all` filter combination is most effective?


         filter source-port 8080


         filter destination-port 8080


         filter source 192.168.5.10 destination 172.16.1.20 protocol tcp


         filter source 192.168.5.10 destination 172.16.1.20 protocol 6 destination-port 8080

Correct Answer: filter source 192.168.5.10 destination 172.16.1.20 protocol 6 destination-port 8080. This is the most specific filter, including source IP, destination IP, protocol number (6 for TCP), and destination port, targeting the exact traffic flow.

15. To reset the hit counters for *all* NAT rules via the CLI, which command is used?


         reset all counters


         clear nat rule hit-count rule-name all


         clear all hits nat


         clear nat rule hit-count all

Correct Answer: clear nat rule hit-count all. This is the correct command syntax for a global NAT hit counter reset.

16. When a packet arrives at the firewall, is routing determined using the original destination IP or the translated destination IP (if DNAT applies) for the first packet?

The translated destination IP. The original destination IP. The source IP. A randomly chosen IP from the NAT pool.

Correct Answer: The original destination IP. Routing happens *before* the NAT translation is applied to the packet header for the first packet.

17. Where is the most authoritative source for detailed documentation on Palo Alto Networks firewall NAT configuration and troubleshooting?

Community forums. Third-party blogs and websites. The official Palo Alto Networks documentation on docs.paloaltonetworks.com. Generic network vendor wikis.

Correct Answer: The official Palo Alto Networks documentation on docs.paloaltonetworks.com. Always refer to the vendor's official documentation for the most accurate and up-to-date information.

18. Why is the order of NAT evaluation (before Security Policy for the first packet) important for troubleshooting?

It only changes the source port, which affects security policy matching. Security policy rules always match against the original IP addresses. It means Security Policy rules must be written to match the *translated* addresses/ports, not the original ones. The order has no impact on policy matching.

Correct Answer: It means Security Policy rules must be written to match the translated addresses/ports, not the original ones. When NAT changes an IP or port, the Security Policy lookup uses these new values. If your security policy uses the original values when it should use translated ones (e.g., DNAT to a server), traffic will be denied.

19. For a U-Turn NAT rule on a Palo Alto Networks firewall, what are the typical Source Zone and Destination Zone settings in the NAT rule?

Source Zone = Internal, Destination Zone = External Source Zone = External, Destination Zone = Internal Source Zone = External (or same as Dest Zone), Destination Zone = External (or same as Src Zone) Source Zone = Any, Destination Zone = Any

Correct Answer: Source Zone = External (or same as Dest Zone), Destination Zone = External (or same as Src Zone). U-Turn traffic hits the firewall on the external interface (e.g., Untrust) and is DNAT'd, but then exits back out the *same* external interface to reach the internal host. Both the ingress and egress interfaces for this traffic are in the same zone from the firewall's perspective.

20. When setting a `debug flow basic filter match` command, how should you specify the protocol for TCP traffic?

Using the name 'tcp'. Using 'any'. Using the port number (e.g., 80). Using the protocol number (e.g., 6).

Correct Answer: Using the protocol number (e.g., 6). The `debug flow basic filter match` command requires the protocol number (e.g., 6 for TCP, 17 for UDP, 1 for ICMP).