Port Forwarding for Palo Alto Firewalls


I recently purchased a Palo Alto PA-220 for home use, labbing, and studying as well. Setup went pretty straight forward with a bit of trial and error, but then I started going a little deeper. I wanted to run a home-hosted version of ownCloud and needed to setup the port-forwarding to allow public access. I was thinking of this all with my very Cisco-focused mindsets and had some issues. Then I was able to figure it out.

Port Forwarding Configuration Process

There are two main steps to port forwarding and allowing public access to an outside server.

  1. NAT Rule to allow the actual port-forwarding
  2. Access Policy Rule to permit the access to the internal server

NAT Rule

Starting with the NAT rule, I wanted to direct port TCP/443 (HTTPS) from my public IP address to the new ownCloud server in my DMZ. NAT rules are pretty quick to set up, so here’s exactly how I did so:


In the screen above, the object on the right side for “Destination Address” can be one of two things: your outside public IP address or in my case, a FQDN that resolves this public IP. Be sure to include the service or port under the “Service” drop-down as well.

On this next screen for the “Translated Packet” set the translation type to Static and then the translated address to the internal IP of the server or device in question you are port forwarding to.

Access Rule

Now that the port is forwarded to your inside or DMZ host in my case, you need to setup the access policy rule to actually permit access to that inside device. This is where my issues in the beginning stemmed from. If you are coming from the Cisco side of things, you will understand.

Once your new rule is created, set your source. You can set the source zone as Outside, or even leave as Any if you would like depending on your setup.

Next, set the destination info. For the destination zone, I chose DMZ because that is where this server resides. Then for destination address I used my object for my public IP \ outside interface I used before. This is the difference in mentality that I referred to. In Cisco-terms of things, your access rule specifies the internal IP, but in this case, I have to permit access to my PUBLIC IP on that port. That was the hangup in the beginning and once changed, things began working instantly.

Next is where the service/url category is chosen. As in the case of my port-forwarding rule, I selected TCP/443 (HTTPS). I want that port made available publically to the internal ownCloud server.

Lastly, select the actions of the rule and other things such as threat protection, logging, etc. I chose to allow this traffic the rule described and then run it through various protections, such as threat, spyware, and WildFire.

That’s all there is to it! Quick process overall with a few important links that need to have the proper attention paid to them. If you have any questions or hit any hiccups, post below!


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.