Palo Alto Networks Firewalls & gaming consoles (xbox, Playstation,..) - Strict NAT
Resolution
Symptoms
XBox or Playstation games & applications are not able to connect to Xbox Live/PlayStationNetwork due to strict NAT being detected
Issue
When connecting to the Xbox Live service or PlayStation Network the console establishes client connections to the service. When hosting some games, or using some applications, a connection from the Xbox Live service or PlayStation Network inbound to the console is required. If these inbound connections can not be established then the console will report that strict NAT has been detected.
The consoles are compatible with uPnP devices to allow dynamic opening of TCP and UDP ports to forward traffic required for connectivity to the service. uPnP-enabled routers allow port forwarding to be configured on the device dynamically based on requests coming from internal devices. In a uPnP environment, the console will request the appropriate ports be forwarded to allow the traffic.
Palo Alto Networks firewalls are not compatible with uPnP. Requests from a console via uPnP to open ports will be ignored by the firewall. A 1-to-1 static NAT mapping must be created to forward the appropriate ports to the console from the Xbox Live service or PSN.
Further information on how the Xbox360 uses uPnP with NAT can be found here.
Resolution
Create a static NAT entry to forward all external traffic destined to a particular public IP to the private IP of the console.
Each console behind the firewall will require a public IP and an appropriate NAT mapping.
For information on how to configure a static 1-to-1 destination NAT policy, or bi-directional NAT mapping please refer to the Understanding PAN-OS NAT document.
owner: kfindlen