What is the PrismaAccess-Allow-Internet rule appearing in logs?

Created On 03/20/25 19:36 PM - Last Modified 10/17/25 21:45 PM


Symptom


• Started seeing new traffic logs matching a rule called 'PrismaAccess-Allow-Internet' that we did not create.
• The source IP address is unfamiliar and falls in the reserved class E range (240.0.0.0/4).
• Logs show traffic allowed from the 'inter-fw' zone to the 'untrust' zone.
• The rule 'PrismaAccess-Allow-Internet' appears to be a built-in rule and was never configured by the customer.



Environment


  • Prisma Access: 3.2
  • PAN-OS: 10.2.4
  • NGPA (NAT Gateway Prisma Access)


Cause


  • The logging is due to traffic from the Mobile User Gateway (MU-GW) being routed through a NAT instance as part of the IP Optimization feature in Prisma Access.
  • The NAT instance uses an automatically generated source IP address, which is why the address is not familiar to the customer.
  • The traffic is logged with 'inter-fw' as the source zone because the NAT instance sits in that zone, and with 'untrust' as the destination zone when the traffic is allowed out to public IP addresses.
  • This NAT layer is enabled when multiple MU-SPNs are deployed in the compute region and IP Optimization is enabled.
  • The rule 'PrismaAccess-Allow-Internet' is a built-in rule and is not configured by the customer.
  • This is working as expected.
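The pattern described above (built-in rule, class E source, 'inter-fw' to 'untrust') is what the NAT layer is expected to produce, so the practical question for an analyst is how to stop treating those entries as unknown traffic while still noticing hits on the same rule that do not fit the pattern. The script below is an added example, not Palo Alto Networks code: it parses constructed log lines in a simplified key=value layout (not the real PAN-OS traffic-log CSV column order, so parse_line() must be adapted to your log-forwarding format), tags entries that match the documented NAT-layer pattern as expected, and sets aside hits on the rule with a non class E source or a different zone pair for review. The "review" heuristic is the author's triage choice, not vendor guidance.

```python
"""Triage helper for Prisma Access traffic logs that match the built-in
'PrismaAccess-Allow-Internet' rule.

Added example, not Palo Alto Networks code. The log lines below are
constructed for illustration and use a simplified key=value layout, not
the real PAN-OS traffic-log CSV column order; adjust parse_line() to the
format your log forwarding actually produces.
"""
import ipaddress

NAT_LAYER_RULE = "PrismaAccess-Allow-Internet"
NAT_LAYER_SRC_ZONE = "inter-fw"
NAT_LAYER_DST_ZONE = "untrust"
# Class E (240.0.0.0/4): the reserved range the auto-generated
# NAT-instance source addresses fall in.
CLASS_E = ipaddress.ip_network("240.0.0.0/4")

# Constructed sample log lines (not captured from a real deployment).
SAMPLE_LOGS = [
    # Expected NAT-layer pattern: class E source, inter-fw -> untrust.
    "rule=PrismaAccess-Allow-Internet from=inter-fw to=untrust src=240.10.0.5 dst=93.184.216.34 action=allow",
    "rule=PrismaAccess-Allow-Internet from=inter-fw to=untrust src=241.2.3.4 dst=1.1.1.1 action=allow",
    # Same rule, but a non class E source: does not fit the documented pattern.
    "rule=PrismaAccess-Allow-Internet from=inter-fw to=untrust src=10.20.30.40 dst=8.8.8.8 action=allow",
    # Same rule, unexpected zone pair.
    "rule=PrismaAccess-Allow-Internet from=trust to=untrust src=240.10.0.7 dst=8.8.8.8 action=allow",
    # Customer-defined rule, outside the scope of this check.
    "rule=Corp-Allow-Web from=trust to=untrust src=192.168.1.10 dst=8.8.8.8 action=allow",
]


def parse_line(line):
    """Split a constructed key=value log line into a dict of fields."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_class_e(addr):
    """True if addr is a valid IPv4 address inside 240.0.0.0/4."""
    try:
        return ipaddress.ip_address(addr) in CLASS_E
    except ValueError:
        return False


def classify(entry):
    """Return 'expected-nat-layer', 'review', or 'other' for one log entry.

    'expected-nat-layer' is the pattern the KB article describes; 'review'
    is any other hit on the built-in rule (author's triage heuristic).
    """
    if entry.get("rule") != NAT_LAYER_RULE:
        return "other"
    zones_ok = (entry.get("from") == NAT_LAYER_SRC_ZONE
                and entry.get("to") == NAT_LAYER_DST_ZONE)
    if zones_ok and is_class_e(entry.get("src", "")):
        return "expected-nat-layer"
    return "review"


def triage(lines):
    """Classify every line; return verdict counts and the entries to review."""
    counts = {"expected-nat-layer": 0, "review": 0, "other": 0}
    review = []
    for line in lines:
        entry = parse_line(line)
        verdict = classify(entry)
        counts[verdict] += 1
        if verdict == "review":
            review.append(entry)
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOGS)
    print(counts)
    for e in review:
        print("REVIEW:", e)
```

On the constructed sample the two class E, inter-fw to untrust entries are tagged as expected NAT-layer traffic and the two deviating hits on the same rule are set aside for review; the customer rule is ignored. Because the NAT-instance address is auto-generated, matching on the class E range and the zone pair is more robust than pinning a specific source address in a filter.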


Resolution


The NAT layer is enabled, which means traffic from the mobile user instance goes through a NAT instance for source NAT before being routed to the internet. The logs are expected and no configuration change is required.



Additional Information


N/A

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sdYjCAI&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail