Configuring NAT rules

Address translation is configured as part of the Firewall Policy using NAT rules.

NAT rules are configured on the IPv4 NAT and IPv6 NAT tabs in Firewall Policy and Firewall Template Policy elements. Firewall Sub-Policies cannot contain NAT rules.
Note: NAT rules are applied only after a packet matches an Access rule and is allowed by the firewall. The Access rule must have connection tracking enabled (default).

The following illustration shows a NAT rule that has just been inserted into a policy. The Source, Destination, and Service cells are set to <None> and they must be changed to something else for the rule to match any traffic. The Used on cell is also used for traffic matching: you can add specific Firewall elements to this cell to make the rule valid only on those firewalls, or you can leave it to the default ANY to make the rule valid on all firewalls where the policy is installed. The columns are in the default order, but you can drag and drop them to your preferred order.

Figure: Newly inserted NAT rule

1. A non-editable ID that indicates the order of the rules in the policy. The rules are matched against traffic in order. For example, rule 4.3 is the third rule added in this Firewall Policy element to the insert point that is the fourth NAT rule in the upper-level Template Policy element.
2. Matching criteria that define the IP addresses and interfaces that the rule matches. You can use elements in the Network Elements category, as well as User and User Group elements, and elements related to endpoint information. You can also use Proxy Server elements in the Destination field. Both the Source and the Destination must match for the packet to match the rule. The addresses you insert must be valid. For example, static source address translation requires that the Source cell contains a single continuous IP address space.
3. Limits the scope of NAT rules to a specific protocol. You can use Service and Network Application elements.
4. The NAT that is applied to connections that match the rule. You can also set outbound load-balancing parameters. If left empty, address translation is not applied to matching connections. Use this to specify that NAT is not applied to matching connections, as an exception to other NAT rules.
5. Limits the scope of NAT rules based on the firewall where the rule is installed. This takes into account different addressing in different networks when a shared policy is used on several different firewalls.
6. You can add a comment for your own reference. You can also add separate comment rows between rules.
7. The optional name or description for the rule is displayed before the rule tag. The non-editable tag is a unique identifier for the rule that links log entries to the rule that generated the log entries. The rule tag has two parts separated by a period. The first part is permanent and belongs to only that rule. The second part changes when the rule is changed.
8. Shows the number of connections that have matched the rule. Only shown if you run a Rule Counter Analysis. Shows “N/A” if there is no information available.
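To make the first-match ordering and the meaning of the <None>, ANY, Used on and empty-NAT cells concrete, here is an added Python simulator; it is not SMC code and does not reproduce the engine's real matching logic. The rule IDs, networks, firewall names and NAT action strings are constructed placeholders, and the packet is assumed to have already been allowed by an Access rule with connection tracking.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = "ANY"  # matches everything; None models the <None> cell of a new rule


@dataclass
class NatRule:
    rule_id: str                # non-editable ID such as "4.3" (order in the policy)
    source: Optional[str]       # CIDR, ANY, or None (<None> matches nothing)
    destination: Optional[str]
    service: Optional[str]      # e.g. "tcp/443", ANY, or None
    nat: Optional[str]          # translation to apply; None = no NAT (exception rule)
    used_on: set = field(default_factory=lambda: {ANY})  # firewalls the rule is valid on


def _addr_matches(cell, ip):
    if cell is None:            # <None> never matches, so the rule matches no traffic
        return False
    return cell == ANY or ip in ipaddress.ip_network(cell)


def _service_matches(cell, service):
    return cell is not None and (cell == ANY or cell == service)


def lookup_nat(rules, src, dst, service, firewall):
    """First-match NAT lookup. Returns (rule_id, nat) of the first matching
    rule, or (None, None) if no rule matches on this firewall."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:          # rules are evaluated in ID order, first match wins
        if ANY not in rule.used_on and firewall not in rule.used_on:
            continue            # rule is not valid on this firewall
        if (_addr_matches(rule.source, src_ip)
                and _addr_matches(rule.destination, dst_ip)
                and _service_matches(rule.service, service)):
            return rule.rule_id, rule.nat
    return None, None


# Constructed sample policy (documentation address ranges, placeholder names)
RULES = [
    NatRule("4.1", None, None, None, "static-src:203.0.113.10"),   # freshly inserted, never matches
    NatRule("4.2", "10.1.2.0/24", "192.168.0.0/16", ANY, None),   # exception: no NAT between internal nets
    NatRule("4.3", "10.1.0.0/16", ANY, ANY, "dynamic-src:203.0.113.5", {"fw-hq"}),
]

if __name__ == "__main__":
    print(lookup_nat(RULES, "10.1.2.7", "192.168.5.5", "tcp/443", "fw-hq"))      # ('4.2', None)
    print(lookup_nat(RULES, "10.1.2.7", "198.51.100.9", "tcp/443", "fw-hq"))     # ('4.3', 'dynamic-src:203.0.113.5')
    print(lookup_nat(RULES, "10.1.2.7", "198.51.100.9", "tcp/443", "fw-branch")) # (None, None)
```

Swapping rules 4.2 and 4.3 in the list shows why the exception must precede the broader rule: the internal-to-internal connection would then be translated by 4.3 before 4.2 is ever consulted.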