Destination NAT rule translates to random IP

Created On 09/07/19 03:05 AM - Last Modified 07/14/25 18:44 PM


Symptom


  • A Destination NAT rule is configured on the firewall whose pre-NAT destination address in the Original Packet tab is an FQDN.
  • After the reboot that follows an upgrade to PAN-OS 9.0, the rule translates the destination address to a random IP address instead of the configured one.
  • A commit fixes the issue, but a new DNAT rule with the same details runs into the same problem and needs another commit to fix it.
In the example below, the FQDN 'updates.paloaltonetworks.com', which resolves to 199.167.52.141, is used as the pre-NAT destination of the following NAT rule.
Destination NAT rule
admin@Lab> show running nat-policy

"InboundNAT-2; index: 2" {
        nat-type ipv4;
        from L3-Untrust;
        source any;
        to L3-Untrust;
        to-interface  ;
        destination 199.167.52.141;
        service 0:any/any/any;
        translate-to "dst: 3.3.3.3";
        terminal no;
}
Traffic to destination 'updates.paloaltonetworks.com' should be translated to 3.3.3.3, but after the firewall reboots, or when the NAT rule is newly added, the firewall translates it to a random IP address instead:
admin@Lab> test nat-policy-match source 172.17.188.10 destination 199.167.52.141 protocol 6 destination-port 23

Destination-NAT: Rule matched: InboundNAT-2
199.167.52.141:23 => 202.170.55.144:23

admin@Lab>
Environment


  • Palo Alto Networks Firewall
  • PAN-OS 9.0.x
  • Destination NAT utilized with pre-NAT FQDN updates.paloaltonetworks.com


Cause


In PAN-OS 9.0, a Destination NAT rule whose pre-NAT destination address (Original Packet tab) is an FQDN does not work with translation type Static. After a reboot, or when such a rule is newly added, the static translated address is applied incorrectly until the next commit.

Resolution


If the firewall is running PAN-OS 9.x, or has been upgraded to it, change the Destination NAT rules as follows:
  1. If the pre-NAT destination address in the Original Packet tab is an FQDN, select translation type Dynamic.
  2. If the translated address is an FQDN, an address object, or an address group, select translation type Dynamic.
Changing to type Dynamic
After the change, the rule translates to the correct IP address, and it keeps doing so after the firewall reboots:
admin@Lab> test nat-policy-match source 172.17.188.10 destination 199.167.52.141 protocol 6 destination-port 23

Destination-NAT: Rule matched: InboundNAT-2
199.167.52.141:23 => 3.3.3.3:23

admin@Lab>
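The two CLI transcripts above (the broken result in the Symptom section and the correct one after the change to Dynamic) are the only check the article gives, and on a firewall with many DNAT rules you would want to run it for every rule after a 9.0 upgrade or reboot. The script below is an added example, not part of the original article or of any Palo Alto Networks tool: it parses the `show running nat-policy` and `test nat-policy-match` output formats shown above, flags any rule whose observed translated destination differs from its configured `translate-to` address, and prints the configure-mode commands to switch that rule to Dynamic destination translation. The sample outputs are copied from this article; the `delete`/`set` command syntax (`destination-translation` vs `dynamic-destination-translation`) is an assumption about the PAN-OS 9.0 CLI schema and should be confirmed with `set rulebase nat rules <name> ?` on the firewall before use.

```python
import re

# Constructed sample input: the CLI output shown earlier on this page.
RUNNING_NAT_POLICY = '''
"InboundNAT-2; index: 2" {
        nat-type ipv4;
        from L3-Untrust;
        source any;
        to L3-Untrust;
        to-interface  ;
        destination 199.167.52.141;
        service 0:any/any/any;
        translate-to "dst: 3.3.3.3";
        terminal no;
}
'''

# test nat-policy-match output before the fix (random IP) and after it.
TEST_MATCH_BROKEN = '''
Destination-NAT: Rule matched: InboundNAT-2
199.167.52.141:23 => 202.170.55.144:23
'''
TEST_MATCH_FIXED = '''
Destination-NAT: Rule matched: InboundNAT-2
199.167.52.141:23 => 3.3.3.3:23
'''

# One rule block: "<name>; index: N" { ... }
RULE_RE = re.compile(r'"(?P<name>[^";]+); index: \d+"\s*\{(?P<body>.*?)\}', re.S)
# Result line pair of test nat-policy-match (IPv4 only: hosts contain no ':').
MATCH_RE = re.compile(
    r'Destination-NAT: Rule matched: (?P<rule>\S+)\s*\n\s*'
    r'(?P<orig>[^\s:]+):(?P<oport>\d+) => (?P<xlat>[^\s:]+):(?P<xport>\d+)')


def parse_dnat_rules(policy_text):
    """Map rule name -> (pre-NAT destination, configured translated destination).

    Rules without a "dst:" translate-to (pure source NAT) are skipped."""
    rules = {}
    for m in RULE_RE.finditer(policy_text):
        body = m.group('body')
        dst = re.search(r'\bdestination (\S+);', body)
        xlat = re.search(r'translate-to "dst: (\S+)";', body)
        if dst and xlat:
            rules[m.group('name')] = (dst.group(1), xlat.group(1))
    return rules


def parse_test_match(test_text):
    """Return (rule, original destination, translated destination) or None."""
    m = MATCH_RE.search(test_text)
    if not m:
        return None
    return m.group('rule'), m.group('orig'), m.group('xlat')


def nat_test_command(pre_nat_dst, src='172.17.188.10', port=23):
    """Build the test command used on this page for a given pre-NAT destination."""
    return (f'test nat-policy-match source {src} destination {pre_nat_dst} '
            f'protocol 6 destination-port {port}')


def check_dnat(policy_text, test_text):
    """Return (ok, message): ok is False when the observed translated address
    is not the one configured in translate-to, i.e. the PAN-OS 9.0 symptom."""
    rules = parse_dnat_rules(policy_text)
    hit = parse_test_match(test_text)
    if hit is None:
        return False, 'no Destination-NAT match in test output'
    rule, orig, actual = hit
    if rule not in rules:
        return False, f'matched rule {rule} is not a DNAT rule in running nat-policy'
    expected = rules[rule][1]
    if actual != expected:
        return False, f'{rule}: {orig} translated to {actual}, expected {expected}'
    return True, f'{rule}: {orig} translated to {expected} as configured'


def remediation_commands(rule, translated):
    """Configure-mode commands to move a rule from Static to Dynamic destination
    translation. ASSUMPTION: node names follow the PAN-OS 9.0 schema
    (destination-translation / dynamic-destination-translation); verify with
    'set rulebase nat rules <name> ?' before pasting into a firewall."""
    name = f'"{rule}"' if ' ' in rule else rule
    return [
        f'delete rulebase nat rules {name} destination-translation',
        f'set rulebase nat rules {name} dynamic-destination-translation '
        f'translated-address {translated}',
        'commit',
    ]


if __name__ == '__main__':
    rules = parse_dnat_rules(RUNNING_NAT_POLICY)
    for name, (pre_nat, xlat) in rules.items():
        print('run on firewall:', nat_test_command(pre_nat))
    for label, output in (('before fix', TEST_MATCH_BROKEN), ('after fix', TEST_MATCH_FIXED)):
        ok, msg = check_dnat(RUNNING_NAT_POLICY, output)
        print(f'[{label}] {"OK" if ok else "MISMATCH"}: {msg}')
        if not ok:
            rule = parse_test_match(output)[0]
            print('\n'.join('  ' + c for c in remediation_commands(rule, rules[rule][1])))
```

In practice you would feed the script the real `show running nat-policy` output and one `test nat-policy-match` result per DNAT rule (captured over SSH or the XML API), and treat any MISMATCH as a rule that still uses Static translation with an FQDN and needs the change to Dynamic plus a commit.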

 


Additional Information


NAT Translated Packet Tab

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMkdCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail