» panos_nat_rule
This resource allows you to add/update/delete NAT rules.
Note: This resource has been deprecated. Please use
panos_nat_rule_group
instead.
Note: panos_nat_policy
is known as panos_nat_rule
.
The prefix sat
stands for "Source Address Translation" while the prefix "dat"
stands for "Destination Address Translation". The order of the params in
this resource and their naming matches how the params are presented in
the GUI. Thus, having a GUI window open while creating your resource
definition will simplify the process.
Note that while many of the params for this resource are optional in an absolute sense, depending on what type of NAT you wish to configure, certain params may become necessary to correctly configure the NAT rule.
» Example Usage
resource "panos_nat_rule" "example" {
name = "my nat rule"
source_zones = ["zone1"]
destination_zone = "zone2"
to_interface = "ethernet1/3"
source_addresses = ["any"]
destination_addresses = ["any"]
sat_type = "none"
dat_type = "static"
dat_address = "my dat address object"
}
» Argument Reference
The following arguments are supported:
-
name
- (Required) The NAT rule's name. -
vsys
- (Optional) The vsys to put the NAT rule into (default:vsys1
). -
rulebase
- (Optional, Deprecated) The rulebase. For firewalls, there is only therulebase
value (default), but on Panorama, there is alsopre-rulebase
andpost-rulebase
. -
description
- (Optional) The description. -
type
- (Optional). NAT type. This can beipv4
(default),nat64
, ornptv6
. -
source_zones
- (Required) The list of source zone(s). -
destination_zone
- (Required) The destination zone. -
to_interface
- (Optional) Egress interface from route lookup (default:any
). -
service
- (Optional) Service (default:any
). -
source_addresses
- (Required) List of source address(es). -
destination_addresses
- (Required) List of destination address(es). -
sat_type
- (Optional) Type of source address translation. This can benone
(default),dynamic-ip-and-port
,dynamic-ip
, orstatic-ip
. -
sat_address_type
- (Optional) Source address translation address type. This can beinterface-address
ortranslated-address
. -
sat_translated_addresses
- (Optional) Source address translation list of translated addresses. -
sat_interface
- (Optional) Source address translation interface. -
sat_ip_address
- (Optional) Source address translation IP address. -
sat_fallback_type
- (Optional) Source address translation fallback type. This can benone
,interface-address
, ortranslated-address
. -
sat_fallback_translated_addresses
- (Optional) Source address translation list of fallback translated addresses. -
sat_fallback_interface
- (Optional) Source address translation fallback interface. -
sat_fallback_ip_type
- (Optional) Source address translation fallback IP type. This can beip
orfloating
. -
sat_fallback_ip_address
- (Optional) The source address translation fallback IP address. -
sat_static_translated_address
- (Optional) The statically translated source address. -
sat_static_bi_directional
- (Optional) Set totrue
to enable bi-directional source address translation. -
dat_type
- (Optional) Destination address translation type. This should be eitherstatic
ordynamic
. Thedynamic
option is only available on PAN-OS 8.1+. -
dat_address
- (Optional) Destination address translation's address. Requiresdat_type
be set to "static" or "dynamic". -
dat_port
- (Optional) Destination address translation's port number. Requiresdat_type
be set to "static" or "dynamic". -
dat_dynamic_distribution
- (Optional, PAN-OS 8.1+) Distribution algorithm for destination address pool. The PAN-OS 8.1 GUI doesn't seem to set this anywhere, but this is added here for completeness' sake. Requiresdat_type
of "dynamic". -
disabled
- (Optional) Set totrue
to disable this rule. -
tags
- (Optional) List of administrative tags.