NAT Addresses Using ARP from Wrong Interface
Resolution
Issue
The Palo Alto firewall is configured with two interfaces (Untrust and Web-untrust) connected to the same VLAN on a DMZ switch (running VRRP) and bi-directional static NAT's are configured from Trust to Untrust zones. Whenever the firewall is rebooted, the Palo Alto Networks ARPs for some of the NAT addresses using the Web-Untrust MAC address, despite NAT rules that specify Trust to Untrust. Removing the bi-directional flag and manually creating the inbound portion of the NAT rule from Trust to Untrust resolves the problem.
Resolution
Bi-directional NAT rules were created to simplify the configuration of NAT rules for servers that must be able to initiate outbound sessions (where the source address is translated and also respond to inbound sessions (where the destination address is translated on incoming packets). For inbound sessions, bi-directional NAT rules must be able to match connections coming in from internal OR external zones. This requirement stems from the fact that many companies utilize a single DNS entry for services provided to internal users and external users. Because of this requirement, the bi-directional NAT rule will create a static source NAT rule that exactly contains the match criteria specified in the NAT rule (for outbound sessions). It will also create a NAT rule (one that is not shown in the config) to handle destination NAT (for inbound sessions). This rule uses a source zone of 'ANY' so that traffic from internal users (internal zone) and traffic from external users (external zone) will match the NAT rule and may therefore utilize the services offered by that server.
In this particular case, the Palo Alto device is using ARP on the Web-Untrust interface because that interface can be used to access the server being serviced by the bi-directional NAT rule. This is true because the Untrust and Web-Untrust interfaces are on the same subnet. The destination NAT rule automatically created has a source zone of 'ANY' for the reasons described above. If the configuration were changed to be using two separate NAT rules (one for source NAT for outbound sessions and another for destination NAT for inbound sessions) this problem can be avoided. If the destination NAT rule has a source zone that excludes Web-Untrust, the firewall will no longer ARP for the NAT'ed address on the Web-Untrust interface.
owner: jnguyen