1. Dynamic IP NAT: dynamic 1-to-1 translation in which private source IPs are mapped to the next free address of a public pool that is usually smaller than the private range (when the pool is exhausted new sessions fail unless fallback to Dynamic IP/Port is configured)
2. CLI verification
2.1. show running ippool
2.1.1. Shows the NAT address pools and their utilization
2.2. show running nat-policy
2.2.1. Shows the NAT rules as loaded on the dataplane
2.3. test nat-policy-match
2.3.1. Shows which NAT rule a given flow would hit, e.g. test nat-policy-match from trust to untrust source 192.168.1.10 destination 203.0.113.10 protocol 6 destination-port 80 (documentation addresses)
3. Demo
3.1. Create a DMZ server running an HTTP service
3.2. Create a loopback interface on the FW
3.2.1. e.g. 10.10.10.1/32
3.3. Create a static route on the desktop to that loopback with the FW Untrust interface as next hop
3.4. Test from the Untrust side
3.5. Leverage
3.5.1. Port forwarding
3.5.2. U-turn NAT (internal users reaching the DMZ server through its public address)
4. Not supported on interfaces with a dynamically assigned address
4.1. DHCP client or PPPoE
5. Original Packet
5.1. Source Zone
5.2. Destination Zone
5.2.1. Determined by the route lookup (FIB) on the original, pre-NAT destination address, not by the zone of the eventual server
5.3. Destination Interface
5.4. Source Address
5.5. Destination Address
5.6. Service
6. Translated Packet
6.1. Source Translation
6.2. Destination Translation
6.2.1. Be careful with the destination zone after NAT
6.2.1.1. The security policy must reference the post-NAT destination zone (the zone the translated address routes to) while still using the pre-NAT destination address
7. IPv6 Feature
7.1. Capabilities
7.1.1. L3 interface
7.1.2. Static Routes in VR
7.1.3. ICMPv6
7.1.4. DHCPv6
7.1.5. ND (Neighbor Discovery)
7.1.6. Dual stack
7.1.7. SLAAC
7.1.8. RADIUS
7.2. Matrix
7.2.1. Not supported (as of the PAN-OS version these notes cover; OSPFv3 is covered in section 9)
7.2.1.1. Dynamic routing
7.2.1.2. IPsec VPN
7.2.1.3. SSL VPN
7.2.2. Supported
7.2.2.1. IPv6 over an IPv4 IPsec tunnel
7.3. IPv6 ND
7.3.1. DAD (Duplicate Address Detection)
7.4. Connections to the PAN update server and the BrightCloud server require IPv4
8. NAT Policy
9. OSPFv3
9.1. ECMP is not supported
9.2. No "clear"
9.3. One instance ID per OSPFv3 interface
9.4. Fast hellos are not supported
9.5. Comparison with OSPFv2
9.5.1. OSPFv3 adds the Link-LSA (type 8) and the Intra-Area-Prefix-LSA (type 9)
9.5.2. Protocol processing is per link, not per subnet
10. NAT
10.1. Source NAT
10.1.1. Used for internal users to access the internet
10.1.1.1. Dynamic IP/Port (DIPP, PAT)
10.1.1.1.1. Many clients share one assigned public address
10.1.1.1.2. Source port is changed so sessions stay distinguishable
10.1.1.2. Dynamic IP
10.1.1.2.1. Each private source IP takes the next available public IP from the pool (1-to-1, but not fixed)
10.1.1.2.2. Source port is unchanged
10.1.1.2.3. When the pool is exhausted new sessions fail unless fallback to Dynamic IP/Port is configured
10.1.1.3. Static IP
10.1.1.3.1. 1-to-1 fixed translation
10.1.1.3.2. Source port unchanged
10.2. Destination NAT
10.2.1. Provides external access to the company's public-facing servers
10.2.1.1. Static IP (one public address maps to one internal address)
10.2.1.2. Port forwarding
10.2.1.2.1. Single public IP
10.2.1.2.2. Each public destination port can be sent to a different internal host and/or port
10.3. NAT64
10.4. Bidirectional NAT (a static source NAT rule that also creates the reverse destination translation)
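The following is an added example, not PAN-OS code or the author's own, that models the source and destination NAT types listed above so the port and address behaviour of each can be compared (DIPP rewrites the source port, Dynamic IP and Static keep it, and Dynamic IP fails new sessions once its pool is exhausted unless a DIPP fallback exists). The class names, the simplified port range and all addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
# Added example, not PAN-OS code: models the source and destination NAT
# types so the port/address behaviour of each can be seen.
# All addresses are RFC 5737 documentation ranges chosen for this example.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class DynamicIpPortNat:
    """Dynamic IP/Port (PAT): many clients share one public address;
    the source port is rewritten so sessions stay distinguishable."""
    pool: list
    in_use: set = field(default_factory=set)  # (public ip, port) already handed out

    def translate(self, f: Flow) -> Optional[Flow]:
        for ip in self.pool:
            for port in range(1024, 65536):  # simplified port range (assumption)
                if (ip, port) not in self.in_use:
                    self.in_use.add((ip, port))
                    return Flow(ip, port, f.dst, f.dport)
        return None  # every ip:port pair is taken


@dataclass
class DynamicIpNat:
    """Dynamic IP: next free public address, 1-to-1, source port unchanged.
    When the pool is exhausted new sessions fail unless a DIPP fallback exists."""
    pool: list
    fallback: Optional[DynamicIpPortNat] = None
    mapping: dict = field(default_factory=dict)  # private ip -> public ip

    def translate(self, f: Flow) -> Optional[Flow]:
        if f.src not in self.mapping:
            free = [ip for ip in self.pool if ip not in self.mapping.values()]
            if not free:
                return self.fallback.translate(f) if self.fallback else None
            self.mapping[f.src] = free[0]
        return Flow(self.mapping[f.src], f.sport, f.dst, f.dport)


@dataclass
class StaticNat:
    """Static IP: fixed 1-to-1 mapping of a private range onto a public range
    of the same size, source port unchanged."""
    private: str
    public: str

    def translate(self, f: Flow) -> Optional[Flow]:
        priv = ipaddress.ip_network(self.private)
        pub = ipaddress.ip_network(self.public)
        offset = int(ipaddress.ip_address(f.src)) - int(priv.network_address)
        if not 0 <= offset < min(priv.num_addresses, pub.num_addresses):
            return None  # source outside the translated range: rule does not match
        return Flow(str(pub.network_address + offset), f.sport, f.dst, f.dport)


@dataclass
class PortForwardNat:
    """Destination NAT with port forwarding: one public IP, each public port
    steered to its own internal host and port."""
    public_ip: str
    table: dict  # public port -> (internal ip, internal port)

    def translate(self, f: Flow) -> Optional[Flow]:
        if f.dst != self.public_ip or f.dport not in self.table:
            return None
        ip, port = self.table[f.dport]
        return Flow(f.src, f.sport, ip, port)


def demo() -> dict:
    """Runs constructed flows through each type and returns the translated flows."""
    out = {}
    dipp = DynamicIpPortNat(pool=["203.0.113.1"])
    out["dipp"] = [dipp.translate(Flow("192.168.1.10", 40000, "198.51.100.5", 443)),
                   dipp.translate(Flow("192.168.1.11", 40000, "198.51.100.5", 443))]
    dip = DynamicIpNat(pool=["203.0.113.10", "203.0.113.11"])
    out["dip"] = [dip.translate(Flow(f"192.168.1.{i}", 5000 + i, "198.51.100.5", 80))
                  for i in (1, 2, 3)]  # the third client finds the pool exhausted
    out["static"] = StaticNat("192.168.2.0/24", "203.0.113.0/24").translate(
        Flow("192.168.2.7", 5555, "198.51.100.5", 22))
    pf = PortForwardNat("203.0.113.50", {80: ("10.10.10.5", 8080), 22: ("10.10.10.6", 22)})
    out["pf"] = pf.translate(Flow("198.51.100.9", 51000, "203.0.113.50", 80))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the two DIPP clients leaving with the same public IP but different source ports, the third Dynamic IP client getting no translation (the pool has only two addresses), the static client keeping its port, and the port-forwarded flow arriving at 10.10.10.5:8080.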
10.5. Security policy
10.5.1. Matches on
10.5.1.1. Pre-NAT IP addresses
10.5.1.2. Post-NAT destination zone (the zone the translated address routes to)
10.6. Flow logic
11. Virtual Router
11.1. Routing instances in the FW that provide L3 routing functionality
11.1.1. Pre-configured: the "default" virtual router
11.2. L3 interface
11.2.1. assigned to 1 VR
11.3. Static Route
11.3.1. Interfaces in the same VR cannot have overlapping subnets
11.3.1.1. Demo
11.3.1.1.1. Static route to another VR
11.3.1.1.2. Explanation of why subnets cannot be duplicated
11.3.2. Next hop
11.3.2.1. IP address
11.3.2.2. Interface
11.3.2.3. Another VR (next-VR route)
11.4. Dynamic routing
11.4.1. RIPv2
11.4.2. BGPv4
11.4.3. OSPFv2
11.4.4. OSPFv3
11.5. PBF
11.5.1. Overrides the forwarding decision of the VR
11.5.2. Match conditions
11.5.2.1. Source zone
11.5.2.2. Source address
11.5.2.3. Source user
11.5.2.4. Destination address
11.5.2.5. Destination application
11.5.2.6. Destination service
11.5.3. Reverts to VR routing
11.5.3.1. If path monitoring shows the PBF next hop is unreachable
12. Interface Mgmt Profile
12.1. Network > Network Profiles > Interface Mgmt
12.2. ACL
12.2.1. Permitted IP addresses: only these sources may reach the management services enabled on the data interface; with the list empty, any host that can route to the interface may try them
13. L3 interfaces
13.1. Provide routing and NAT
13.1.1. Interfaces on the same virtual router share the same routing table
13.2. Flow logic
13.2.1. PBF / forwarding lookup
13.2.1.1. Consults the VR routing table (on the original destination) to find the egress interface and destination zone
13.2.2. NAT policy evaluated
13.2.2.1. The translation is only recorded, not applied yet; security policy is then checked with pre-NAT addresses and post-NAT zones, and NAT is applied when the packet is forwarded
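The following is an added example, not PAN-OS code or the author's own, that models the flow logic just listed (route lookup on the original destination, NAT rule match, security rule match on pre-NAT address and post-NAT zone) for the U-turn NAT demo and the post-NAT zone caveat earlier in these notes. The interfaces, zones, routes, rule names and RFC 5737 addresses are all assumed for the example; the "wrong-pre-nat-zone" rule is included to show that a security rule written Trust to Untrust never matches the translated flow.

```python
# Added example, not PAN-OS code: a minimal model of the flow logic
# (route lookup -> NAT match -> security match -> translate) showing why a
# U-turn/DNAT security rule needs the pre-NAT address but the post-NAT zone.
# Topology, zones, rule names and addresses are constructed for this example.
import ipaddress

INTERFACES = {  # interface -> zone
    "ethernet1/1": "untrust",
    "ethernet1/2": "trust",
    "ethernet1/3": "dmz",
}
ROUTES = [  # virtual router table: (prefix, egress interface)
    ("0.0.0.0/0", "ethernet1/1"),
    ("192.168.1.0/24", "ethernet1/2"),
    ("10.10.10.0/24", "ethernet1/3"),
]
NAT_RULES = [  # matched on the ORIGINAL packet; "to" is the pre-NAT destination zone
    {"name": "dnat-web", "from": {"trust", "untrust"}, "to": "untrust",
     "dst": "203.0.113.10", "translate_dst": "10.10.10.5"},
]
SECURITY_RULES = [  # first match wins; the first rule is the common mistake
    {"name": "wrong-pre-nat-zone", "from": "trust", "to": "untrust",
     "dst": "203.0.113.10", "dport": 80},
    {"name": "allow-web-uturn", "from": "trust", "to": "dmz",
     "dst": "203.0.113.10", "dport": 80},
    {"name": "allow-web-inbound", "from": "untrust", "to": "dmz",
     "dst": "203.0.113.10", "dport": 80},
]


def egress_zone(dst: str) -> str:
    """Longest-prefix route lookup; the zone is that of the egress interface."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return INTERFACES[best[1]]


def forward(src_zone: str, src: str, dst: str, dport: int) -> dict:
    """Returns the decision trail for one new session."""
    pre_nat_zone = egress_zone(dst)  # FIB lookup on the ORIGINAL destination
    nat = next((r for r in NAT_RULES
                if src_zone in r["from"] and r["to"] == pre_nat_zone
                and r["dst"] == dst), None)
    translated_dst = nat["translate_dst"] if nat else dst
    post_nat_zone = egress_zone(translated_dst)  # zone of the translated address
    # Security policy: pre-NAT destination address, post-NAT destination zone.
    sec = next((r["name"] for r in SECURITY_RULES
                if r["from"] == src_zone and r["to"] == post_nat_zone
                and r["dst"] == dst and r["dport"] == dport),
               "interzone-default (deny)")
    return {"src": src, "pre_nat_dst_zone": pre_nat_zone,
            "nat_rule": nat["name"] if nat else None,
            "translated_dst": translated_dst, "post_nat_dst_zone": post_nat_zone,
            "security_rule": sec}


if __name__ == "__main__":
    print(forward("trust", "192.168.1.10", "203.0.113.10", 80))    # U-turn from inside
    print(forward("untrust", "198.51.100.9", "203.0.113.10", 80))  # inbound from internet
```

On a real firewall the same two lookups are exposed by `test nat-policy-match` and `test security-policy-match`; both take the pre-NAT addresses, and the zones they report are the ones to put in the rule.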
14. Service Route Configuration
14.1. Use a data (non-MGT) interface for management-plane services
14.1.1. To carry management traffic such as
14.1.1.1. SNMP traps
14.1.1.2. Syslog
14.1.1.3. Email, etc.
14.2. Device > Setup > Services
14.2.1. Service Features > Service Route Configuration
14.3. DNS and NTP
14.3.1. NTP CLI
14.3.1.1. show ntp
14.3.1.2. show clock
14.3.1.3. debug software restart process ntp
14.3.1.3.1. Manually restarts the NTP process
15. DHCP
15.1. Server
15.1.1. Mode
15.1.1.1. Enabled
15.1.1.2. Disabled
15.1.1.3. Auto
15.1.1.3.1. The server disables itself if another DHCP server is detected on the segment
15.1.2. Can be used over an IPsec tunnel
15.2. Relay
15.2.1. Forwards to up to 4 DHCP servers
16. QoS
16.1. QoS steps
16.1.1. 1. QoS policy rule
16.1.1.1. Policies > QoS
16.1.1.1.1. Classifies traffic into a class (1-8)
16.1.2. 2. QoS profile
16.1.2.1. Network > Network Profiles > QoS Profile
16.1.2.2. Gives each class guaranteed/maximum bandwidth and a priority
16.1.3. 3. Apply the QoS profile to the egress interface
16.1.3.1. Network > QoS
16.1.3.2. QoS interface
16.1.3.2.1. Clear text traffic
16.1.3.2.2. Tunneled traffic
16.1.3.3. Values set in the Clear Text / Tunneled Traffic tabs override the interface-level settings
16.1.4. 4. Optionally mark DSCP / IP Precedence for the MPLS provider via QoS Marking in the security policy
16.2. 4 priority queues
16.2.1. Real-time
16.2.2. High
16.2.3. Medium
16.2.4. Low