NAT policies stop working after upgrading to PAN-OS 10.2.8 or later

Created On 03/26/24 22:21 PM - Last Modified 01/27/26 04:06 AM


Symptom


  • Unbound NAT Pool: The configured NAT address pool utilizes IP addresses that are not explicitly assigned to (or bound to) any interface on the firewall.
  • Successful Primary ARP: The upstream router correctly resolves and displays the ARP entry for the firewall’s physical interface IP address.
  • Failed NAT ARP: The upstream router does not show any ARP entries for the IP addresses contained within the NAT pool.
  • Dropped ARP Requests: A packet capture confirms that ARP requests sourced from the upstream router for the NAT pool addresses are reaching the firewall but are being dropped/ignored. (Refer to How to capture ARP packets for verification details).


Environment


  • Palo Alto Firewalls
  • PAN-OS 10.2.8 and above
  • PAN-OS 11.1.0 and above
  • Network Address Translation (NAT)


Cause


  • Starting with PAN-OS 10.2.8, strict checking of proxy ARP for NAT-translated IPs is enforced.
  • The firewall sends an ARP reply for a NAT pool IP only if the target IP in the ARP request and the ingress interface IP are in the same subnet.
Expected Behavior:
  • NAT address pools are not bound to any interface. The following figure illustrates the behavior of the firewall when it performs proxy ARP for an address in a NAT address pool.
[Figure: strict NAT proxy ARP check]
  • The firewall performs source NAT for a client, translating the source address 10.1.1.1 to the address in the NAT pool, 192.168.2.2. The translated packet is sent on to a router.
  • For the return traffic, the router does not know how to reach 192.168.2.2 (because that IP is just an address in the NAT address pool), so it sends an ARP request to the firewall.
    • If the address pool address 192.168.2.2 is in the same subnet as the egress/ingress interface IP 192.168.2.3/24, the firewall sends a proxy ARP reply to the router, indicating the Layer 2 MAC address for that IP.
    • If the address pool IP is not part of a subnet configured on any interface of the firewall, the firewall does not send a proxy ARP reply to the router.


Resolution


To restore connectivity, use one of the following methods:

Option A: Firewall Configuration (Secondary IP)
Configure the NAT pool IP address as a secondary IP on the firewall's external interface.

1. Go to Network > Interfaces > Ethernet and select the external interface.
2. In the IPv4 tab, add the NAT IP (e.g., [NAT IP]/32).
3. Commit the changes.
This explicitly defines the IP as belonging to that interface, satisfying the subnet validation check.

Option B: Upstream Router Configuration (Static Route)
Configure a static route on the upstream device (e.g., ISP router or core switch).

1. Create a route for the NAT IP or pool.
2. Set the Next Hop as the firewall’s physical interface IP.
The router then forwards traffic for the NAT pool to the firewall's interface IP at Layer 3, so it only needs the ARP entry for the physical interface and never has to resolve the pool addresses through proxy ARP.
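The following is an added example, not Palo Alto code: it models the strict subnet check described under Cause and lets you audit, before upgrading, which NAT pool addresses would lose proxy ARP replies, and how adding a secondary /32 (Option A) changes the result. Interface addresses, pool notation and the 203.0.113.0/30 pool are constructed for the example.

```python
import ipaddress
from typing import Iterable, List


def interface_subnets(interface_ips: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # Each entry is an interface address with its mask, e.g. "192.168.2.3/24"
    # (primary IP) or "203.0.113.1/32" (a secondary IP added per Option A).
    return [ipaddress.ip_interface(ip).network for ip in interface_ips]


def proxy_arp_reply(target_ip: str, interface_ips: Iterable[str]) -> bool:
    """Model the PAN-OS 10.2.8+ strict check: the firewall answers an ARP
    request for a NAT pool address only if that address lies inside a
    subnet configured on the ingress interface."""
    target = ipaddress.ip_address(target_ip)
    return any(target in net for net in interface_subnets(interface_ips))


def expand_pool(pool: str) -> List[ipaddress.IPv4Address]:
    """Expand a NAT pool written as a single host, a CIDR block or an 'a-b' range."""
    if "-" in pool:
        first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-", 1))
        return [h for net in ipaddress.summarize_address_range(first, last) for h in net]
    return list(ipaddress.ip_network(pool, strict=False))


def unanswered_pool_addresses(nat_pools: Iterable[str],
                              interface_ips: Iterable[str]) -> List[str]:
    """Return every pool address the upstream router could no longer resolve
    via ARP after the upgrade, i.e. the ones outside all connected subnets."""
    nets = interface_subnets(interface_ips)
    return [str(addr) for pool in nat_pools for addr in expand_pool(pool)
            if not any(addr in net for net in nets)]


if __name__ == "__main__":
    # Constructed sample: the article's external interface 192.168.2.3/24,
    # two pools inside its subnet and one pool that no interface covers.
    iface = ["192.168.2.3/24"]
    pools = ["192.168.2.2", "192.168.2.10-192.168.2.12", "203.0.113.0/30"]
    print("Unanswered after upgrade:", unanswered_pool_addresses(pools, iface))
    # Option A: add the affected pool address as a secondary /32 on the interface.
    print("With secondary IP:", unanswered_pool_addresses(pools, iface + ["203.0.113.1/32"]))
```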

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Xi04CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail