Add NAT definitions for element-based NAT

NAT definitions define the NAT addresses for elements.

When you add a NAT definition to an engine, the NAT definition is also added to the elements that are included in the engine’s NAT configuration. You primarily configure NAT definitions in the Engine Editor. It is also possible to configure NAT definitions in a network element’s properties, depending on your permissions in the Domain to which the elements belong.

NAT definitions are automatically arranged in order from most specific to least specific: manually added NAT rules, then NAT definitions, and finally default NAT. If there is not a more specific match after the NAT rules, and the NAT definitions are checked, default NAT is used. This means that NAT rules that are generated from NAT definitions and from using the Default NAT Address do not override the rules that you have manually added to the Firewall Policy.

Note: You must refresh the Firewall policy on the engine after you have edited the NAT definition of any element to transfer the changes.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an engine element and select Edit <element type>.
  2. In the navigation pane on the left, browse to Policies > Element-based NAT.
  3. (Optional) Select Use Default NAT Address for Traffic from Internal Networks to use the default NAT address as the Public IP Address if there is not a more specific NAT definition that matches the traffic.
    When you select this option, a NAT rule is generated at the end of the NAT rules in the Firewall Policy. If no NAT rule matches the traffic, no NAT is applied unless you enable the Default NAT Address.
    Note: Rules generated from NAT definitions are not displayed in the Firewall Policy.
  4. (Optional) Click Show Details to view the Default NAT Address properties.
  5. Click Add NAT Definition.
  6. Select Static or Dynamic as the Translation Type.
  7. Select an element as the Private IP Address.
    Note: Only Host, Server, or Network elements are allowed with static NAT.
  8. Select one of the following as the Public IP Address.
    • Default NAT Address
    • Element
    • Interface
    • IP Address
  9. (Optional) Click Add to add elements as Port Filters.
  10. Click OK to save the NAT definition.
    NAT rules for element-based NAT are generated automatically, and are added to the Firewall Policy of the engine that uses the NAT definition in its configuration.
  11. Click Save and Refresh.

Engine Editor > Policies > Element-based NAT

Use this branch to add NAT definitions for element-based NAT. The NAT definition is also added to the elements that are included in the NAT configuration.

Option Definition
Use Default NAT Address for Traffic from Internal Networks

(Optional)

The NGFW Engine uses the default NAT address as the public IP address if there is not a more specific NAT definition that matches the traffic. When you select this option, a NAT rule is generated at the end of the NAT rules in the policy. If no NAT rule matches the traffic, no NAT is applied unless you enable the Default NAT Address.
Show Details Opens the Default NAT Address Properties dialog box.
Add NAT Definition Creates a NAT Definition element and opens the element properties.
Edit NAT Definition Opens the properties of an existing NAT Definition element.
Remove NAT Definition Removes the selected row from the table.

Default NAT Address Properties dialog box

Use this dialog box to view the internal networks associated with the Default NAT address.

Option Definition
Default NAT Address Used to automatically translate traffic from internal networks to the public IP address of the external interface.
Note: When several IP addresses from the same network are available, the SMC automatically selects the smallest IPv4 address as the default NAT address.
Internal Networks Shows the internal networks that are translated to the public IP address of the external interface.

NAT Definition Properties dialog box

Use this dialog box to define NAT Definition properties.

Option Definition
Translation Type Select the translation type.
  • Static — Static network address translation is used. For each original address there is a single, predefined translated address.
  • Dynamic — Dynamic network address translation is used. Dynamic NAT uses ports to track connections using the same IP address.
Private IP Address The element that represents the private IP address. Click Select to select an element.
Public IP Address Select the source of the public IP address.
  • Default NAT Address — The default address is used as the public IP Address.
  • Element — Click Select to select an element that represents the IP address.
  • Interface — Select an interface.
  • IP Address — Manually enter an IP Address.
Port Filter

(Optional)

To limit NAT only to traffic that goes to selected destination ports, select a Service or Service Group element to act as a port filter. The Service or Service Group element includes the destination port information (a single destination port or a range of ports). Click Add to add an element to the list, or Remove to remove the selected element.
Comment

(Optional)

A comment for your own reference.