>
    Strata Copilot
    Strata Cloud Manager
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. NAT
    4. Configure NAT
    5. Configure Destination NAT with DNS Rewrite
    6. Strata Cloud Manager
    Download PDF
    Next-Generation Firewall

    Strata Cloud Manager

    Table of Contents

    Strata Cloud Manager

    Learn how to configure destination NAT with DNS rewrite on Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationNGFW and Prisma AccessNetwork PoliciesNATAdd Rule.
    3. Enter a descriptive Name for your NAT policy rule.
    4. Optional Enter a Description.
    5. Select Pre-Rule or Post-Rule from the Position drop-down.
    6. For NAT Type, select Ipv4 Nat.
    7. On the Destination window under Original Packet, Add a Zone and an Interface, if any.
    8. Add Addresses, Add Address Groups,, and Add External Dynamic Lists.
      You will also have to select a Source Zone or Any source zone, but DNS rewrite occurs at the global level; only the Destination Address under Original Packet is matched. DNS rewrite ignores all other fields on configured under Original Packet, unless you are configuring DNS rewrite with conditions.
    10. On the Translated Packet tab, for Destination Address Translation, select Translation Type to be Static IP.
    11. Select a Translated Address or enter a new address.
    12. Enable DNS Rewrite and select a Direction:
      • Select reverse (default) when the IP address in the DNS response requires the opposite translation that the NAT rule specifies. If the DNS response matches the Translated Destination Address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
      • Select forward when the IP address in the DNS response requires the same translation that the NAT rule specifies. If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
    13. (PAN-OS 12.1.2 and later 12.1 releases) (Optional) Make the DNS rewrite action for this rule conditional by enabling Match NAT Rule Source. Translate the IPv4 address in a DNS response only if the DNS client's IP address and security zone (identified in the DNS session) match the source IP address and source zone that you specified for the Original Packet in this rule. Thus, you limit the DNS rewrite in this rule to occur only for specific DNS clients.
      • The firewall increments the ctd_dns_rewrite_nat_source_match counter when a source IP address or source zone in a DNS response matches a source IP address or source zone configured in the Original Packet.
      • The firewall increments the ctd_dns_rewrite_nat_source_mismatch counter when a source IP address or source zone in a DNS response doesn't match a source IP address or source zone configured in the Original Packet.
      • Exclude From Zone is configured and the DNS session's source zone is excluded.
      • Exclude Source Address is configured and the DNS session's source address is excluded.
    14. You can exclude zones or address to prevent the DNS rewrite mapping rule from matching those zones or addresses.
      1. Add Zones to exclude.
      2. Add Addresses and Add Address Groups to exclude.
    15. Click Save.

    © 2026 Palo Alto Networks, Inc. All rights reserved.