Getting started with NAT rules

Network address translation (NAT) replaces the source or destination IP addresses in packets with other IP addresses. NAT rules define how NAT is applied to traffic.

NAT rules are matched to allowed connections after Access rule matching. NAT is applied before a routing decision is made, so the address translation can affect how the traffic is routed. NAT can be applied to IPv4 and IPv6 traffic. Firewalls, Master NGFW Engines, and Virtual Firewalls can use NAT rules.
Note: Master NGFW Engines always use Firewall Policies regardless of the role of the Virtual NGFW Engines they host. Virtual Firewalls use Firewall Policies.

In addition to manually configured NAT rules, you can also use element-based NAT to define how firewalls translate network IP addresses. The NAT rules generated from NAT definitions are applied only after the NAT rules that you have added manually to the policy. This means that the NAT rules that are generated from NAT definitions do not override the rules that you have manually added to the policy.

You can define the following types of NAT:

  • Static source NAT — Typically translates the internal (“real”) IP address of an internal host to a different IP address in the external network.
  • Static destination NAT — Typically translates the public IP address of an internal host to the private IP address, so that the host (server) can receive new connections from external hosts. Allows IP address or port translation (PAT), or both.
  • A combination of both static source NAT and static destination NAT — Typically translates both the Source and Destination IP address in the same connection. Used, for example, to allow internal hosts to access your organization’s public servers using the public IP addresses of both the client and the server.
  • Dynamic source NAT — Typically translates the internal IP addresses of several internal hosts to one or a few external IP addresses. Used to hide the internal network structure from outsiders and to avoid acquiring a separate public IP address for each of the hosts.
Note: Dynamic destination NAT can be configured for IPv4 traffic as part of the Server Pool feature, but not in NAT rules.

The following general guidelines apply when you add NAT rules:

  • NAT rules only apply to connections that are handled statefully (Connection Tracking option is enabled in the Access rule that allows the connection).
  • NAT rules are applied to whole connections. Reverse NAT for reply packets is automatic, so you do not need to define rules for replies within a connection.
  • Connections are matched against NAT rules with the same type of matching criteria as other types of rules. The first matching NAT rule is applied and any other NAT rules are ignored. To prevent a NAT rule from matching some connections, create a NAT rule that specifies no translation for those connections and place it above the rule that matches.
  • By default, NAT rules are ignored for traffic that enters or leaves a VPN tunnel. To match such traffic against NAT rules, enable NAT in the VPN Gateway element’s properties.
  • Routing decisions are made after NAT, so remember that translating the destination address can affect how the traffic is routed. If the translated IP addresses are not included in existing definitions, you might need to add the translated IP addresses to the Routing tree.
  • If you install the Firewall Policy with the Keep Previous Configuration Definitions option selected, previous NAT rules are kept until all currently open connections that use those rules are closed. In some cases, the old and the new rules can conflict and prevent policy installation until the option is deactivated.

Application routing

NAT rules for application routing match based on the network application that is detected in the traffic. When you use NAT rules for application routing, you can apply different NAT rules to traffic, and redirect traffic to different proxy servers depending on the network applications detected in the traffic. For example, you can:

  • Exclude specific network applications from being redirected to proxy servers.
  • Direct some network applications to one proxy server, and direct the rest of the traffic to another proxy server.
Note: The supported protocols depend on the proxy server to which traffic is forwarded.

When using NAT rules for application routing, you can only use Network Application elements that have the Application Routing tag. In addition, URL List Application elements are not supported.

Important: After the routing decision has been made, the NGFW Engine might later identify a different application in the connection. If the application that is detected would cause a different routing decision to be made, the connection might be discarded.