Loading Now
防火牆 , , , ,

Palo Alto 防火牆 NAT (Network Address Translation) 設定

目錄

架設環境

先確認你的PC跟你要做NAT的VM有相同網卡可以通。

架構

NAT_Architecture Palo Alto 防火牆 NAT (Network Address Translation) 設定

NAT Zone 設定

到Network→Zones,先把整個NAT過程需要的zones新增起來。

PANATZone Palo Alto 防火牆 NAT (Network Address Translation) 設定

我採用的架構就只需要內外腳的trust、untrust這兩個zone。

PANATZoneSetting Palo Alto 防火牆 NAT (Network Address Translation) 設定

trust是跟內部溝通的內腳,untrust是需要連到外網的外腳。

NAT Interface Inner & Outer

到Network→Interfaces設定NAT的內腳與外腳,下面有Add選項

PANATInterface Palo Alto 防火牆 NAT (Network Address Translation) 設定

Virtual Routers Setup

到Network→Virtual Routers新增一個新的Router

VirtualRoute Palo Alto 防火牆 NAT (Network Address Translation) 設定

在Router Settings選擇內外腳的Interface

PANATRouterInterface Palo Alto 防火牆 NAT (Network Address Translation) 設定

到Static Routes新增下一跳,Add一個新的路徑

PANATVirtualRoute Palo Alto 防火牆 NAT (Network Address Translation) 設定

default使用0.0.0.0/0代表轉any,然後下一跳轉default-gateway

PAStaticRoutes Palo Alto 防火牆 NAT (Network Address Translation) 設定
PANATNextHop Palo Alto 防火牆 NAT (Network Address Translation) 設定

NAT Policy

接著到Policy選NAT

PANATPolicy Palo Alto 防火牆 NAT (Network Address Translation) 設定

Add新增新的NAT Policy,General輸入名稱,Source是我內腳,連我的trust到外部的untrust

PANATPolicySetting Palo Alto 防火牆 NAT (Network Address Translation) 設定

Translate Packet連我外腳,使用Dynamic IP and Port轉出去

PANATPolicyDynamic Palo Alto 防火牆 NAT (Network Address Translation) 設定

測試結果

若要測試是否有轉譯成功,可以嘗試連接網頁,先把Policy的Any打開,讓http/https通過,接著網卡那邊也要設定DNS Server的位置,不然找不到網頁位置,連接網頁過防火牆,可以在Log裡面看到有Source IP以及NAT Dest IP,就代表轉譯成功

PANATLogs Palo Alto 防火牆 NAT (Network Address Translation) 設定

Share this content:

Tag
Scientia

I'm Scientia, currently a graduate student. My research interests include Cryptology, Cryptographic Engineering, Security and Privacy, Computational Complexity, Quantum Cryptography, Hardware Security, Cybersecurity and Anomaly Detection.

view all posts

Related Posts

Post Comment

You May Have Missed