Focus

Configure Destination NAT with DNS Rewrite

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Configure Destination NAT Using Dynamic IP Addresses

Configure Destination NAT with DNS Rewrite

Create a destination NAT policy rule for static translation that also rewrites the IPv4 address in a DNS response.

When you configure a destination NAT policy rule that performs static translation of IPv4 addresses, you can also enable DNS Rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The firewall performs NAT on the IPv4 address (the FQDN resolution) in a DNS response (that matches the rule) before forwarding the response to the client; thus, the client receives the appropriate address to reach the destination service.

View the DNS rewrite use cases to understand DNS Rewrite and to help you determine whether to specify that the rewrite occur in the reverse or forward direction.

You cannot enable Bi-directional source address translation in the same NAT rule where you enable DNS rewrite.

Create a destination NAT policy rule that specifies the firewall perform static translation of IPv4 addresses that match the rule, and also specifies the firewall rewrite IP addresses in DNS responses when that IPv4 address (from the A Record) matches the original destination address in the NAT rule.
1. Select PoliciesNAT and Add a NAT policy rule.
2. (Optional) On the General tab, enter a descriptive Name for the rule.
3. For NAT Type, select ipv4.
4. On the Original Packet tab, Add a Destination Address.
  
  You will also have to select a Source Zone or Any source zone, but DNS rewrite occurs at the global level; only the Destination Address on the Original Packet tab is matched. DNS Rewrite ignores all other fields on the Original Packet tab.
5. On the Translated Packet tab, for Destination Address Translation, select Translation Type to be Static IP.
6. Select a Translated Address or enter a new address.
7. Enable DNS Rewrite and select a Direction:
  - Select reverse (default) when the IP address in the DNS response requires the opposite translation that the NAT rule specifies. If the DNS response matches the Translated Destination Address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
  - Select forward when the IP address in the DNS response requires the same translation that the NAT rule specifies. If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
8. Click OK.
Commit your changes.

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Configure Destination NAT Using Dynamic IP Addresses

Next-Generation Firewall Docs

Configure Destination NAT with DNS Rewrite

Next-Generation Firewall Docs

Configure Destination NAT with DNS Rewrite

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner