Element-based NAT and how it works

With element-based NAT, you select which elements have their own NAT address and define the NAT addresses for those elements.

Note: Element-based NAT is not intended for complex network environments. In more complex network environments, we recommend adding NAT rules to the Firewall Policy.

What element-based NAT does

You can add NAT definitions to the following types of elements:

  • NGFW Engines — Single Firewalls, Firewall Clusters, Master NGFW Engines, and Virtual Firewalls
  • Servers — Active Directory Servers, Proxy Servers, DHCP Servers, ePO Servers, External DNS Servers, ICAP Servers, LDAP Servers, Log Servers, Management Servers, NTP Servers, RADIUS Authentication Servers, SMTP Servers, TACACS+ Authentication Servers, and Web Portal Servers
  • Some elements in the Network Elements branch of the Configuration view, for example, Address Ranges, Groups, Hosts, Networks, and Routers.

In addition to using element-based NAT, you can manually add NAT rules to the Firewall Policy if you want to configure NAT in more detail. Remember, however, that manually added NAT rules are evaluated before the rules generated from NAT definitions, so a more specific manually created NAT rule that matches the same traffic prevents that traffic from ever reaching the automatically generated rule. For more information about manually adding NAT rules, see the topic that explains how firewall NAT rules work.

You can also use a default NAT address for all internal networks to automatically translate traffic from internal networks to the public IP address of the external interface. This can be useful, for example, in simple network environments. Default NAT can only be selected in the engine properties.

Note: When several IP addresses from the same network are available, the SMC automatically selects the smallest IPv4 address as the default NAT address.

An internal element that has a static NAT definition can be used in the Destination cell of an Access rule. Traffic whose destination IP address is the element's public IP address from the NAT definition also matches that Access rule, not only traffic addressed to the element's own (internal) IP address.

What do I need to know before I begin?

  • NAT rules are automatically generated and organized in the Firewall Policy based on the NAT definitions created in the element properties.
  • NAT rules generated from NAT definitions are not visible in the Firewall Policy, and are applied after the NAT rules that you have added manually to the policy. A manual NAT rule that matches the same traffic therefore takes precedence over the generated rule.
  • The SMC automatically generates both the source and destination NAT rules from the NAT definitions.
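The following is an added example, not SMC code or its rule format. It is a small Python model of the behaviour described on this page: a static NAT definition on an element yields one source NAT rule and one destination NAT rule, manually added rules are evaluated before the generated ones (so a more specific manual rule shadows them), the default NAT address is the smallest IPv4 address among the candidates, and an element with a static NAT definition matches an Access rule destination by either its internal or its public address. The element name, addresses and the "smallest means numerically lowest" interpretation are assumptions made for the example.

```python
"""Model of how element-based NAT definitions interact with manual NAT rules.

Added example for this page, not SMC code. All names and addresses are
constructed for illustration; "smallest IPv4 address" is modelled as the
numerically lowest address (an assumption about the page's wording).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple


def _in(addr: str, net: str) -> bool:
    """True if addr lies in net (CIDR), or net is the wildcard "any"."""
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


@dataclass(frozen=True)
class NatRule:
    source: str                    # CIDR or "any"
    destination: str               # CIDR or "any"
    translated_src: Optional[str]  # new source IP, None = unchanged
    translated_dst: Optional[str]  # new destination IP, None = unchanged
    origin: str                    # "manual" or the element that generated it

    def matches(self, src: str, dst: str) -> bool:
        return _in(src, self.source) and _in(dst, self.destination)


def generate_rules(element: str, private_ip: str, public_ip: str) -> List[NatRule]:
    """A static NAT definition yields one source and one destination NAT rule."""
    return [
        # Source NAT: traffic from the internal address leaves with the public address.
        NatRule(f"{private_ip}/32", "any", public_ip, None, element),
        # Destination NAT: traffic to the public address is delivered to the internal one.
        NatRule("any", f"{public_ip}/32", None, private_ip, element),
    ]


def apply_nat(manual: List[NatRule], generated: List[NatRule],
              src: str, dst: str) -> Tuple[str, str, Optional[str]]:
    """First matching rule wins. Manual rules are evaluated before generated ones,
    so a manual rule that matches the same traffic shadows the generated rule."""
    for rule in manual + generated:
        if rule.matches(src, dst):
            return (rule.translated_src or src, rule.translated_dst or dst, rule.origin)
    return (src, dst, None)  # no NAT applied


def default_nat_address(interface_addrs: List[str]) -> str:
    """Pick the default NAT address from the external interface's addresses:
    the numerically lowest IPv4 address (IPv6 addresses are ignored)."""
    v4 = [a for a in map(ip_address, interface_addrs) if isinstance(a, IPv4Address)]
    if not v4:
        raise ValueError("no IPv4 address available for default NAT")
    return str(min(v4))


def matches_access_destination(private_ip: str, public_ip: str, dst: str) -> bool:
    """An element with a static NAT definition used in the Destination cell of an
    Access rule matches traffic to its internal address or its public address."""
    return ip_address(dst) in (ip_address(private_ip), ip_address(public_ip))


# --- Constructed scenario -------------------------------------------------
# Host element "web-host" with a static NAT definition 10.0.0.10 <-> 203.0.113.10.
GENERATED = generate_rules("web-host", "10.0.0.10", "203.0.113.10")

# A more specific manual rule: the same host, but only towards 198.51.100.0/24,
# is translated to a different public address.
MANUAL = [NatRule("10.0.0.10/32", "198.51.100.0/24", "203.0.113.1", None, "manual")]


def demo() -> dict:
    """Return the translations for the scenario above so they can be inspected."""
    return {
        "outbound_generic": apply_nat(MANUAL, GENERATED, "10.0.0.10", "192.0.2.7"),
        "outbound_shadowed": apply_nat(MANUAL, GENERATED, "10.0.0.10", "198.51.100.5"),
        "inbound_to_public": apply_nat(MANUAL, GENERATED, "198.51.100.5", "203.0.113.10"),
        "default_nat": default_nat_address(["203.0.113.20", "203.0.113.5", "2001:db8::1"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows the shadowing case directly: traffic from 10.0.0.10 to 192.0.2.7 is translated by the generated source NAT rule to 203.0.113.10, while traffic from the same host to 198.51.100.5 hits the manual rule first and leaves as 203.0.113.1, so the generated rule is never consulted for it. When a manually added NAT rule does not behave as expected, checking whether a broader or earlier manual rule already matches the traffic is the first thing to verify.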