Default Source NAT

Learn more about Prisma SD-WAN’s default source NAT.
By default, Prisma SD-WAN provides an out-of-the-box configuration that automatically performs Source NAT on traffic destined directly to public internet interfaces.
A new flow is sourced from Host PC1 with a source address of and a destination address of
A packet arrives at the ION device’s LAN Interface. A policy lookup and a path selection decision are performed to put the traffic on the link to ISP A.
The packet is placed onto the internet segment; the Default-NATPolicySet is evaluated and the packet matches the Default-InternetRule.
This rule contains the following configuration:
  • Destination Zone Rule: NAT Zone Internet
  • Match Criteria: any protocol, any prefix, any port
  • Action: Source NAT
In this rule:
  • The NAT Pool is blank by default, and the system uses the IP Address bound to the internet interface.
  • The ION device will ARP for IP addresses where the NAT Pool intersects with the configured interface subnet on the ION device.
The policy is applied to the packet; the source address of is overwritten by the address bound to the Internet Interface ( The source port changes to a random port during this operation.
In this example, the original packet: (s) (d) is rewritten to: (s) (d)
Traffic arrives at the internet-based SaaS application.
Traffic returns to the destination of
Traffic arrives at the ION device's internet interface, where a translation table check is performed on the flow to ensure that there is an active connection.
The traffic is placed onto the LAN segment; the destination IP address is translated back from to
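
The flow described above, modeled as an added Python sketch (not Prisma SD-WAN code or configuration): a match-any Source NAT rule with a blank NAT pool, the random source port rewrite, and the translation table check on return traffic. The names `Packet` and `DefaultSourceNat` are hypothetical, the addresses are constructed from documentation ranges rather than taken from the page, and dropping return traffic that has no table entry is an assumption of the model.

```python
import secrets
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class DefaultSourceNat:
    """Toy model of a match-any Source NAT rule on the internet zone."""

    def __init__(self, interface_ip, nat_pool=None):
        # Blank NAT pool (the default): translate to the interface's own IP.
        self.public_ip = nat_pool[0] if nat_pool else interface_ip
        self.flows = {}   # LAN-side 5-tuple -> translated source port
        self.table = {}   # expected return 5-tuple -> (LAN ip, LAN port)

    def outbound(self, pkt):
        """LAN -> internet: overwrite source IP and pick a random source port."""
        port = self.flows.get(pkt)
        while port is None:
            candidate = 1024 + secrets.randbelow(65536 - 1024)
            key = (pkt.proto, pkt.dst, pkt.dport, self.public_ip, candidate)
            if key not in self.table:          # avoid colliding with a live flow
                self.table[key] = (pkt.src, pkt.sport)
                self.flows[pkt] = port = candidate
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Internet -> LAN: translate only if the flow is in the table."""
        inside = self.table.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if inside is None:
            return None                        # assumption: no active connection means drop
        return replace(pkt, dst=inside[0], dport=inside[1])

def demo():
    # Constructed addresses from documentation ranges, not the page's values.
    nat = DefaultSourceNat(interface_ip="203.0.113.5")
    request = Packet("tcp", "192.168.10.20", 51000, "198.51.100.80", 443)
    out = nat.outbound(request)
    reply = nat.inbound(Packet("tcp", "198.51.100.80", 443, out.src, out.sport))
    stray = nat.inbound(Packet("tcp", "198.51.100.99", 443, out.src, out.sport))
    return request, out, reply, stray
```

In `demo()`, `reply` comes from the server the flow was opened to and is translated back to the LAN host, while `stray` targets the same public port from a different remote address and finds no table entry.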
