Hi Ricardo, thanks for another quality video on Palo. The details in the video show your hands-on experience on the platform. I would suggest having a couple of videos on GlobalProtect where you can show the Wireshark capture when internal gateways and external gateways are in use, to clearly distinguish how the tunnel is being created, and the packet details when connecting to an external gateway, along with the traffic flow to a specific destination with split-tunnel configuration options.
This was great and informative. I am hoping to deploy this very soon. Does the Palo encrypt the data once it has inspected it and sends it to the final destination? I'll search the PA KBs in support but I'm just wondering how the last leg of data is handled. For topics I would like to see a video on HA Active / Active with shared resources and converged NAT table to eliminate the need for Source NAT when a resource is available via two external gateways.
Hi. In my lab, my internet router does the NAT for the server. But yes, either you have a server that is accessible through the internet (public IP), or some device needs to do NAT. It can be the Palo Alto firewall, but it doesn't have to be.
In case of NAT on the PA, in the Decryption Policy you should specify the pre-NAT port (in case you changed it, e.g. 8443 -> 443) and the pre-NAT IP (e.g. the outside interface's public IP) in the address field. It may not be that obvious. Moreover, you can omit the destination IP address and it will work; the PA will just check the certificate in the Dec. Profile.