Palo Alto Networks Knowledgebase: Palo Alto Networks Firewalls & gaming consoles (Xbox, PlayStation, ...) - Strict NAT

Created On 02/07/19 23:58 PM - Last Updated 02/07/19 23:58 PM

Symptoms

Xbox or PlayStation games and applications cannot connect to Xbox Live or PlayStation Network because strict NAT is detected.

Issue

When connecting to the Xbox Live service or PlayStation Network, the console establishes client connections to the service. When hosting some games, or using some applications, a connection from the Xbox Live service or PlayStation Network inbound to the console is required. If these inbound connections cannot be established, the console reports that strict NAT has been detected.

The consoles are compatible with UPnP devices to allow dynamic opening of TCP and UDP ports to forward traffic required for connectivity to the service. UPnP-enabled routers allow port forwarding to be configured on the device dynamically, based on requests coming from internal devices. In a UPnP environment, the console requests that the appropriate ports be forwarded to allow the traffic.

Palo Alto Networks firewalls are not compatible with UPnP. Requests from a console via UPnP to open ports are ignored by the firewall. A 1-to-1 static NAT mapping must be created to forward the appropriate ports to the console from the Xbox Live service or PSN.

Further information on how the Xbox 360 uses UPnP with NAT can be found here.

Resolution

Create a static NAT entry to forward all external traffic destined to a particular public IP to the private IP of the console.

Each console behind the firewall will require a public IP and an appropriate NAT mapping.

For information on how to configure a static 1-to-1 destination NAT policy or a bi-directional NAT mapping, please refer to the Understanding PAN-OS NAT document.
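
A bi-directional static NAT mapping of the kind described above, in PAN-OS set-command form, as an added example that is not part of the original article. The addresses, zone names, rule names and the `console-ports` service group are assumptions for illustration; lines starting with `#` are annotations, not commands.

```text
# Constructed values: 203.0.113.10 = public IP dedicated to this console,
# 192.168.1.50 = the console's private IP, zones "trust" and "untrust".
# Rule names and the service group "console-ports" are hypothetical.

# Bi-directional static NAT: traffic from the console leaves as
# 203.0.113.10, and traffic arriving for 203.0.113.10 is translated
# to 192.168.1.50.
set rulebase nat rules console1-static from trust
set rulebase nat rules console1-static to untrust
set rulebase nat rules console1-static source 192.168.1.50
set rulebase nat rules console1-static destination any
set rulebase nat rules console1-static service any
set rulebase nat rules console1-static source-translation static-ip translated-address 203.0.113.10
set rulebase nat rules console1-static source-translation static-ip bi-directional yes

# A NAT rule does not permit traffic by itself; a security rule is
# still required. It matches the pre-NAT destination address and the
# post-NAT destination zone.
set rulebase security rules console1-inbound from untrust
set rulebase security rules console1-inbound to trust
set rulebase security rules console1-inbound source any
set rulebase security rules console1-inbound destination 203.0.113.10
set rulebase security rules console1-inbound application any
set rulebase security rules console1-inbound service console-ports
set rulebase security rules console1-inbound action allow
```

Defining `console-ports` as only the ports the console service documents keeps the inbound exposure narrower than `service any`; a second console needs its own public IP and its own pair of rules.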

owner: kfindlen


