Interaction between Access rules and NAT

Access rules can have an impact on how NAT is applied to traffic.

The Access rules are always processed first. Depending on the type of Access rule, one of the following processing behaviors applies:

  • Both NAT rules and element-based NAT definitions are processed.
  • Neither NAT rules nor element-based NAT definitions are processed.
  • NAT rules are ignored, but some element-based NAT definitions are processed.

Figure: Access rules and NAT processes



  1. After an Access rule is processed, the traffic is processed by the NAT rules. If there are no matches in the NAT rules, the processing continues with element-based NAT definitions, if they have been defined in the properties of the NGFW Engine.
  2. If an Access rule has no NAT defined, such as an Access rule for Server Pool load balancing or for a policy-based VPN that does not have NAT applied to it, NAT rules and element-based NAT definitions are not processed.
  3. If the Access rule forwards traffic to a proxy or a host, NAT rules and destination NAT definitions are not processed. Source NAT definitions and default NAT are processed.
  4. If there are no matches in the NAT rules, the processing continues with element-based NAT definitions. Destination NAT definitions are processed first, then source NAT definitions are processed.
  5. If there are no matches for source NAT definitions, the processing continues with default NAT.
  6. If there are no matches for default NAT, NAT is not applied to the traffic.
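The processing order above can be written out as a small decision model for reviewing which NAT stage a connection reaches. This is an added example, not product code: the names `AccessRuleKind` and `nat_stages` and the stage labels are hypothetical, and it assumes that a NAT rule match ends NAT processing and that source NAT definitions are still checked after a destination NAT definition matches.

```python
from enum import Enum


class AccessRuleKind(Enum):
    NAT_ALLOWED = 1   # item 1: NAT rules, then element-based NAT
    NO_NAT = 2        # item 2: e.g. Server Pool load balancing, VPN without NAT
    FORWARD = 3       # item 3: forwards traffic to a proxy or a host


def nat_stages(kind, matches):
    """Return (stages evaluated in order, stages that applied NAT).

    `matches` is the set of stage labels that would match the connection;
    the caller constructs it from the policy under review.
    """
    if kind is AccessRuleKind.NO_NAT:
        return [], []                      # nothing is processed
    evaluated, applied = [], []
    if kind is AccessRuleKind.NAT_ALLOWED:
        evaluated.append("nat_rules")
        if "nat_rules" in matches:
            return evaluated, ["nat_rules"]
        # Item 4: destination NAT definitions come before source ones.
        evaluated.append("element_dst")
        if "element_dst" in matches:
            applied.append("element_dst")
    # FORWARD rules enter here: NAT rules and destination NAT are skipped.
    evaluated.append("element_src")
    if "element_src" in matches:
        applied.append("element_src")
        return evaluated, applied
    # Item 5: default NAT is the fallback when no source definition matched.
    evaluated.append("default_nat")
    if "default_nat" in matches:
        applied.append("default_nat")
    return evaluated, applied              # item 6: empty `applied` means no NAT


if __name__ == "__main__":
    # Constructed sample connections, not taken from a real policy.
    samples = [
        (AccessRuleKind.NAT_ALLOWED, {"element_dst"}),
        (AccessRuleKind.FORWARD, {"nat_rules", "default_nat"}),
        (AccessRuleKind.NO_NAT, {"nat_rules"}),
    ]
    for kind, matches in samples:
        print(kind.name, *nat_stages(kind, matches))
```

The second sample shows why a forwarding Access rule deserves attention in a policy review: a NAT rule that would otherwise match is never consulted, and default NAT is applied instead.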