Create outbound load-balancing NAT rules

To balance outbound connections between the NetLinks, define NAT rules using the source NAT addressing defined in the Outbound Multi-Link element.

You can create several Outbound Multi-Link elements to balance different types of traffic differently. If you do not want to balance some traffic, direct the traffic through a specific NetLink with a normal NAT rule before the balancing rule.

You activate Multi-Link for outbound connections in the Firewall Policy with NAT rules that match certain traffic for Outbound Multi-Link address translation. Other NAT rules can translate the source addresses in outbound connections to the IP address space of a particular ISP. The traffic is automatically routed through a particular link, even if the link fails. Only the part of traffic that matches a NAT rule with the Outbound Multi-Link element is balanced between different links.

Some protocols cannot use dynamic NAT based on IP/port translation. To provide high availability and load balancing for these protocols, you can use static NAT with an Outbound Multi-Link element in an outbound load-balancing NAT rule. When static NAT is used, the size of the source network must be the same as the size of the Multi-Link network.

Note: If you use element-based NAT, NAT rules are automatically generated. In addition, you can use an Outbound Multi-Link element as a NAT address in a NAT definition.

  For more details about the product and how to configure features, click Help or press F1.


  1. Select Configuration.
  2. Browse to Policies > Firewall Policies.
  3. Right-click a Firewall Policy and select Edit.
  4. On the IPv4 NAT tab, add a rule.
  5. Specify the source, destination, and service according to the traffic that you want to balance using an Outbound Multi-Link element.
  6. Double-click the NAT cell.
  7. On the Source Translation tab, select Dynamic from the Translation Type drop-down list.
  8. Click Select next to the IP Address Pool field.
  9. Browse to Traffic Handlers, then select the Outbound Multi-Link element.
  10. (Optional) In the First Port to Use and Last Port to Use fields, enter port numbers for source port translation.
    The default is to use all “free” high ports from 1024–65535.
    Note: Make sure that the IP address pool and port range are large enough to translate the number of simultaneous connections that match this NAT rule.
  11. To generate proxy ARP entries, select Automatic Proxy ARP (Recommended).
    For proxy ARP to work, the untranslated IP address of all hosts whose IP address is translated must be included in the routing tree. There must be a CVI with an address from the same network in the Firewall element’s properties. Otherwise, the Network or Host must be manually added to the routing tree.
  12. Click OK.
  13. Click Save and Install.