Why must the DNAT rule come before the SNAT rule in the NAT policy, and what happens if the order is wrong?
NAT policies evaluate top-down, first match wins (same as security rules). If a broader NAT rule sits above the DNAT rule, it matches the inbound packet first and the firewall stops — the destination is never rewritten to the internal server's IP, so the packet can't be delivered. DNAT must be placed above the broader rules to redirect the packet to the right internal IP.
* DNAT (specific) must sit above SNAT (broad) — first match wins. *
The matching order with DNAT first (correct):
1. Packet arrives: Source 1.2.3.4 (Internet) → Dest 199.0.0.10 (FW public IP)
2. NAT Rule 1 (DNAT) matches: rewrite dest to 192.168.0.100 (internal webserver)
3. Routing decision: forward packet to internal webserver ✓
The matching order with the broad rule first (wrong):
1. Packet arrives: Source 1.2.3.4 (Internet) → Dest 199.0.0.10 (FW public IP)
2. The broad/general NAT rule above the DNAT is evaluated first and matches.
First match wins → the firewall STOPS and never reaches the DNAT rule.
3. The destination is never rewritten to 192.168.0.100, so the packet has no
route to the internal server → the inbound connection fails.
The point isn't that SNAT "translates the source instead" — it's that first-match-wins: any broader NAT rule sitting above the specific DNAT rule consumes the packet, and the destination translation the server needs never happens.
The general rule — specificity:
"Es ist also wichtig, sehr spezifische Regeln oben zu definieren und sehr allgemein gehaltene unten."
This applies to:
- Firewall rules (security policy)
- NAT rules
- PBR (policy-based routing) rules
- Any top-down match-first system
DNAT rules are typically more specific (specific destination IP, specific service), while SNAT rules are broader (any internal source going outbound). Specific-before-general avoids the shadow rule problem.
The "shadow rule" problem:
Rule 1: Allow any → any → any ← matches everything
Rule 2: Deny attacker.com → bank.example.com ← never reached, "shadowed"
A specific rule below a broad rule never gets evaluated. The same applies to NAT.
A typical configuration instruction:
"Da wir die DNAT-Regel als zweite NAT-Regel konfiguriert haben, befindet sich diese auf Platz zwei der NAT-Policies. NAT-Regeln verhalten sich (analog zur Firewall) nach dem Top Down-Prinzip. Ändern Sie die Reihenfolge, damit die DNAT-Regel auf Platz eins steht."
Tip: When you write any kind of policy (NAT, FW, IDS), always test by reading the rules from top to bottom from the perspective of one specific packet — does the packet hit the rule you expect? If a broader rule matches first, your specific rule is "dead code" in the policy.
Go deeper:
NAT Policy Rules (Palo Alto PAN-OS) — the official rule: "evaluates the rules from the top down… once a packet matches a single NAT rule, the packet is not subjected to additional NAT rules," so order from most specific to least specific.