Palo Alto Networks Knowledgebase: DotW: Unexpected Proxy ARP from NAT Policy

DotW: Unexpected Proxy ARP from NAT Policy

Created On 09/25/18 19:02 PM - Last Updated 09/25/18 23:09 PM



In this week's Discussion of the Week, we will be taking a closer look at a remark posted by user msullivan regarding proxy ARP and its expected behavior.




Depending on the way NAT is configured on the Palo Alto Networks firewall, proxy ARP may act differently:


When a generic 'hide' NAT (many to one) policy is configured, the most straightforward option is to set the translation action to dynamic-ip-and-port and select the external interface.


Even though the interface may have been configured with a subnet mask, the NAT rule will limit all outbound NAT to be translated behind the firewall's interface IP as a /32 subnet. The advantage is that this type of rule is easy to configure and the MAC address should already be known by the upstream router by simple broadcast, as the interface will respond to ARP requests for its configured IP address.

2016-06-13_13-34-57.jpgThis policy will simply translate all sessions from trust to untrust behind and assign a random source port.


Things change if the interface is not selected as a 'translation template', but a free subnet is entered by the administrator. 



  • Print
  • Copy Link

Change Language: