# Palo Alto as a NAT Gateway
Use the instructions below to work with a Private Node group through Palo Alto.
### Prerequisites
To be able to use Palo Alto as NAT Gateway for Cluster on VKS system, you need:
* A **Windows server (VM)** has been initialized on the **vServer** system with the following configuration:
| Item | Configuration |
| ------------------- | ------------- |
| Flavor | 2x4 |
| Volume | 20GB |
| VPC | 10.76.0.0/16 |
| Subnet | 10.76.0.4/24 |
| Network Interface 1 | 10.76.0.3 |
* A **Palo Alto server (VM)** is initialized on the **vMarketPlace** system according to the instructions below with the following configuration:
| Item | Configuration |
| ------------------- | ------------- |
| Flavor | 2x8 |
| Volume | 60GB |
| VPC | 10.76.0.0/16 |
| Network Interface 1 | 10.76.255.4 |
| Network Interface 2 | 10.76.0.4 |
### Initialize Palo Alto
**Step 1:** Visit
**Step 2:** At the main screen, search for **Palo Alto , at Palo Alto** services , select **Launch** .
**Step 3:** Now, you need to configure **Palo Alto.** Specifically, you can select the desired **Volume, IOPS, Network, Security Group . You need to choose the same VPC and Subnet as the VPC and Subnet you choose to use for your Cluster.** In addition, you also need to select an existing Server Group or select **Dedicated SOFT ANTI AFFINITY group** so we can automatically create a new server group.
**Step 4:** Proceed to pay like normal resources on GreenNode.
***
### Configure parameters for Palo Alto
**Step 1:** After initializing Palo Alto from vMarketPlace according to the instructions above, you can access the vServer interface here [to](https://hcm-3.console.vngcloud.vn/vserver/v-server/cloud-server) check if the server running Palo Alto has been initialized. **Next, open the Any rule on the Security Group for the Palo Alto server you just created. Opening the Any rule on the Security Group will allow all traffic to the Palo Alto server.**
**Step 2: After the server running Palo Alto is successfully initialized** . To access the Palo Alto GUI you need a vServer running Windows. Then you access it using IP Internal Interface with the default login name and password: **admin/admin**
Note: Go to the Network section of vServer Windows to access the Palo Alto GUI. You need to create the same VPC and use a different subnet than the subnet with priority 1 when initializing Palo Alto
**Step 3** : After logging in, you need to change your password for the first time. Please enter a new password according to your wishes.
**Step 4:** You need to create 1 Zone Inside and 1 Zone Outside according to the instructions below:
* Select **Add pen**
* Name **the Zone** : **Inside** then select **OK**
* Do the same for **Zone Outside**
**Step 5** : Configure **External Interface**
* Interface Type: **Layer 3**
* Virtual Router: **default**
* Security Zone: **Outside**
* Switch to **IPv4 Tab** and select **Add** to enter **Static IP** for **External Interface**
* To get this IP information, go to **Palo Alto** 's **Network Interface** section to view the information
* Switch to the **Advanced** tab , in the **MTU** section you need to set it to **1400**
**Step 6:** Perform similar configuration for **Internal Interfaces**
* At the **IPv4 tab:** you proceed to set up **Static IP**
* Switch to the **Advanced** tab , in the **MTU** section , set it to 1400
**Step 7:** Create **static route**
* Go to **Network** -> **Virtual Routers** -> Select **default** -> Switch to **Static Routes**
* Create a **route** as shown below
**Step 8:** Create **Security Policy Rule**
* Go to **Policies** -> **Security** -> **Add**
* On the **General** tab , you need to name the rule
* At the **Source** tab , set information such as **Source Zone** , **Source Address** , **Source User, Source Device**
* At the **Destination** tab , set information such as **Destination Zone, Destination Address, Destination Device**
* At the **Application** tab , set information such as **Application, Depend On**
* At the **Service/URL Category** tab , set information such as **Service, URL Category**
* At the **Actions** tab , set information such as **Action, Log, Profile, Other Settings**
**Step 9** : Create **a NAT rule** so that VMs can go out to the Internet
* Go to **Policies** -> **NAT** -> **Add**
* On the **General** tab , name **the NAT rule**
* At the **Original Packet** tab, select **Source Zone, Destination Zone, Destination Interface, Service, Source Address, Destination Address**
* Create the **Translated Packet** tab and perform configuration as shown below
Note: Need to change **the IP Address to the Static IP** address that you configured in step 6
**Step 10** : Proceed **to Commit**
***
### Initialize Route Table
After Palo Alto is successfully initialized and configured, you need to create a Route table to connect to different networks. Specifically, follow these steps to create a Route table:
**Step 1:** Visit
**Step 2:** In the navigation menu bar, select **Network Tab/ Route table.**
**Step 3:** Select **Create Route table.**
**Step 4:** Enter a descriptive name for the Route table. Route table names can include letters (az, AZ, 0-9, '\_', '-'). The input data length is between 5 and 50. It must not include leading or trailing spaces.
**Step 5:** Select **VPC** for your Route table. If you do not have a VPC, you need to create a new VPC according to the instructions on [the VPC Page](https://docs.vngcloud.vn/pages/viewpage.action?pageId=49648039) . **The VPC used to set up the Route table must be the VPC selected for your Palo Alto and Cluster.**
**Step 6** : Select **Create** to create a new Route table.
**Step 7:** Select the newly created Route table then select **Edit Routes.**
**Step 8:** In the add new **Route** section , enter the following information:
* For Destination, enter **Destination CIDR as 0.0.0.0/0**
* For Target, enter **Target CIDR as the Palo Alto Network Interface 2 IP address.**
For example:
***
### **Checking connection**
* Proceed to ping 8.8.8.8 or google.com
