Yes, I know, it’s there everywhere on the net, but I still need to put it in shortest format as a reference for myself and “maybe” others.

The scenario is a Paloalto NGFW with two interfaces, one connected to public and one connected to DMZ or internal.

Under the “Security” policies, source zone is always the external one, and source addresses are either wildcard/country/specific; on destination, however, the zone will be DMZ but the address will be the external IP address on which you’re expecting to receive the traffic. Services running on the firewall itself are exceptions as the destination zone would be external as well.

Under the “NAT” policies it is simple. Both source and destination zones would be the external one. As for the address, it will be same as in security policy, with proper destination translation.

HTH,