steampipe plugin install panos

Table: panos_nat_rule - Query Palo Alto Networks NAT Rules using SQL

A Network Address Translation (NAT) Rule in Palo Alto Networks is a policy that specifies how to translate the source and destination IP addresses of packets as they traverse through a device. These rules are essential for directing traffic correctly through firewalls and other network devices. They provide a means of modifying network address information in packet headers while in transit across a traffic routing device.

Table Usage Guide

The panos_nat_rule table provides insights into NAT rules within Palo Alto Networks. As a network administrator, explore rule-specific details through this table, including source and destination interfaces, translation types, and associated metadata. Utilize it to gain a comprehensive understanding of your network's traffic routing and to ensure the correct configuration of your NAT rules.

Examples

List disabled NAT rules

List the NAT rules that are currently disabled. Reviewing them helps you spot potential security loopholes in your network, such as rules that were switched off temporarily and forgotten, and keeps the rulebase tidy.

PostgreSQL:

select
  name,
  uuid,
  type
from
  panos_nat_rule
where
  disabled;

SQLite:

select
  name,
  uuid,
  type
from
  panos_nat_rule
where
  disabled = 1;

List NAT rules for a specific vsys

Explore the configuration of Network Address Translation (NAT) rules for a specific virtual system. This would be particularly useful for network administrators seeking to understand and manage the routing of network traffic within their system.

PostgreSQL and SQLite:

select
  name,
  uuid,
  type,
  disabled,
  tags
from
  panos_nat_rule
where
  vsys = 'vsys1';

List NAT rules for a Panorama device group

List the NAT rules defined for a particular device group in a Panorama deployment; the disabled column shows which of them are active. This helps in identifying potential security risks or troubleshooting network issues.

PostgreSQL and SQLite:

select
  name,
  uuid,
  type,
  disabled,
  tags
from
  panos_nat_rule
where
  device_group = 'group1';

Get count of NAT rules by distinct group tag

Identify the number of Network Address Translation (NAT) rules associated with each unique group tag. This can be useful for monitoring and managing network traffic routing configurations.

PostgreSQL and SQLite:

select
  case
    when group_tag is null then 'none'
    else group_tag
  end as group_tag,
  count(*) as count
from
  panos_nat_rule
group by
  group_tag;

List NAT rules which contain any administrative tag with color yellow

Explore which NAT rules are tagged with an administrative marker of yellow color. This is useful for identifying specific configurations that may require attention or follow a certain administrative pattern.

PostgreSQL:

with yellow_tags as (
  select
    name
  from
    panos_administrative_tag
  where
    color = 'color4' -- color4 :: Yellow
)
select
  panos_nat_rule.name,
  panos_nat_rule.type,
  panos_nat_rule.description
from
  panos_nat_rule
  join yellow_tags on panos_nat_rule.tags ? yellow_tags.name;

SQLite:

select
  panos_nat_rule.name,
  panos_nat_rule.type,
  panos_nat_rule.description
from
  panos_nat_rule
  join (
    select
      name
    from
      panos_administrative_tag
    where
      color = 'color4' -- color4 :: Yellow
  ) as yellow_tags
  -- json_extract() requires a '$'-rooted path, so it cannot test array
  -- membership by tag name; expand the tags array with json_each() instead.
  on exists (
    select 1
    from json_each(panos_nat_rule.tags) as t
    where t.value = yellow_tags.name
  );

List NAT rules which move packets between different zones

List the NAT rules whose destination zone is not among their source zones, i.e. rules that move packets between different zones. This helps map inter-zone data flows and troubleshoot connectivity issues.

PostgreSQL:

select
  name,
  source_zones,
  destination_zone
from
  panos_nat_rule
where
  not (source_zones ? destination_zone);

SQLite:

Error: SQLite does not support the '?' operator used in PostgreSQL for checking if a value exists in an array.
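The two JSON-array membership checks above (tags containing a yellow tag, and destination_zone appearing in source_zones) are the ones that need a different formulation in SQLite, where the PostgreSQL `?` operator does not exist. The following added example, which is not part of the plugin's documentation, builds an in-memory SQLite database with constructed sample rows shaped like the panos_nat_rule and panos_administrative_tag columns and expresses both checks with `json_each()` and `exists`. The sample rule and tag names are invented; the column names match the table schema on this page.

```python
import json
import sqlite3

# Constructed sample data (not output from a real firewall): rule name,
# source_zones (JSON array), destination_zone, tags (JSON array).
SAMPLE_RULES = [
    ("web-outbound", ["trust"],          "untrust", ["prod", "review"]),
    ("dmz-to-dmz",   ["dmz"],            "dmz",     ["prod"]),
    ("multi-src",    ["trust", "guest"], "trust",   ["review"]),
    ("legacy",       ["guest"],          "untrust", []),
]
# Constructed administrative tags; color4 is Yellow in PAN-OS.
SAMPLE_TAGS = [("prod", "color1"), ("review", "color4")]


def build_db():
    """Create an in-memory SQLite database mimicking the two Steampipe tables."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table panos_nat_rule "
        "(name text, source_zones text, destination_zone text, tags text)"
    )
    con.execute("create table panos_administrative_tag (name text, color text)")
    con.executemany(
        "insert into panos_nat_rule values (?, ?, ?, ?)",
        [(n, json.dumps(sz), dz, json.dumps(t)) for n, sz, dz, t in SAMPLE_RULES],
    )
    con.executemany("insert into panos_administrative_tag values (?, ?)", SAMPLE_TAGS)
    return con


def rules_crossing_zones(con):
    """SQLite equivalent of `not (source_zones ? destination_zone)`.

    json_each() expands the source_zones array into rows; the correlated
    EXISTS tests whether destination_zone is one of them.
    """
    rows = con.execute(
        """
        select r.name
        from panos_nat_rule r
        where not exists (
          select 1
          from json_each(r.source_zones) z
          where z.value = r.destination_zone
        )
        order by r.name
        """
    ).fetchall()
    return [r[0] for r in rows]


def rules_with_tag_color(con, color):
    """SQLite equivalent of `tags ? yellow_tags.name` for any tag colour."""
    rows = con.execute(
        """
        select distinct r.name
        from panos_nat_rule r
        join panos_administrative_tag t on t.color = ?
        where exists (
          select 1
          from json_each(r.tags) x
          where x.value = t.name
        )
        order by r.name
        """,
        (color,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("cross-zone rules:", rules_crossing_zones(db))
    print("yellow-tagged rules:", rules_with_tag_color(db, "color4"))
```

Note the `multi-src` rule: its destination zone is one of several source zones, so both the PostgreSQL `?` form and this `json_each()` form treat it as not crossing zones, while `legacy` and `web-outbound` are reported.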

List NAT rules which translate to unknown addresses

Find the NAT rules whose destination translated address does not match any defined address object. This is useful for identifying potential misconfigurations or security risks within your network infrastructure. Note that a translated address entered as a literal IP rather than as an address object name will also appear in the results, so review each match before treating it as a misconfiguration.

PostgreSQL and SQLite:

select
  name,
  dat_address
from
  panos_nat_rule
where
  dat_address not in (
    select
      name
    from
      panos_address_object
  );

Schema for panos_nat_rule

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
dat_address | text | | Specifies destination address translation's address. Possible values are: static or dynamic.
dat_dynamic_distribution | text | | Specifies the distribution algorithm for destination address pool.
dat_port | bigint | | Specifies the destination address port.
dat_type | text | | Specifies the destination address translation type. Values can be either static or dynamic. The dynamic option is only available on PAN-OS 8.1+.
description | text | | The NAT rule's description.
destination_addresses | jsonb | | A list of destination addresses.
destination_zone | text | | The NAT rule's destination zone.
device_group | text | = | [Panorama] The device group location (default: shared).
disabled | boolean | | Indicates if a rule is disabled, or not.
group_tag | text | | The NAT rule's group tag.
name | text | = | The NAT rule's name.
negate_target | boolean | | Indicates if instead of applying the rule for the given serial numbers, it is applied to everything except them.
rule_base | text | = | [Panorama] The rulebase. For firewalls, there is only the rulebase value (default), but on Panorama, there is also pre-rulebase and post-rulebase.
sat_address_type | text | | Source address translation address type. Possible values are: interface-address or translated-address.
sat_fallback_interface | text | | Specifies source address translation interface.
sat_fallback_ip_address | text | | Specifies the source address translation fallback IP address.
sat_fallback_ip_type | text | | Specifies source address translation IP type. Possible values are: ip or floating.
sat_fallback_translated_addresses | jsonb | | A list of source address translation fallback translated addresses.
sat_fallback_type | text | | Specifies source address translation fallback type. Possible values are: none, interface-address, or translated-address.
sat_interface | text | | Describes the source address translation interface.
sat_ip_address | text | | Describes source address translation IP address.
sat_static_bi_directional | boolean | | Indicates whether bi-directional source address translation is enabled, or not.
sat_static_translated_address | text | | Specifies the statically translated source address.
sat_translated_addresses | jsonb | | A list of translated addresses.
sat_type | text | | Specifies the type of source address translation. Possible values are: none (default), dynamic-ip-and-port, dynamic-ip, or static-ip.
service | text | | Specifies the service (default: any).
source_addresses | jsonb | | A list of source addresses.
source_zones | jsonb | | A list of source zone(s).
tags | jsonb | | A list of administrative tags assigned to the rule.
targets | jsonb | | A dictionary of target definitions.
to_interface | text | | Egress interface from route lookup (default: any).
type | text | | The type of NAT rule. Possible values are: ipv4 (default), nat64, or nptv6.
uuid | text | | The PAN-OS UUID.
vsys | text | = | [NGFW] The vsys to put the NAT rule into (default: vsys1).

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- panos

You can pass the configuration to the command with the --config argument:

steampipe_export_panos --config '<your_config>' panos_nat_rule