7.2.1. NAT rules

In most cases, providing users with Internet access requires creating at least one NAT rule from the Trusted zone to the Untrusted zone.

Important! Rules are applied from top to bottom, in the same order as they are displayed in the console. The system applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list and the broader rules at the bottom. To change the order of rules, use the Up/Down buttons.

Important! A rule is applied only when all of its conditions are met. The Negate checkbox inverts a condition, i.e. it corresponds to logical negation (NOT).

To create a new NAT rule, click Add in the Network policies --> NAT and routing section and specify the following parameters.

A rule is triggered only when all its criteria are met.

Enabled: enables or disables the rule.

Name: rule name.

Comment: description of the rule.

Type: select NAT.

Enable logging: logs information about traffic when the rule is triggered. The following modes can be used:

  • Log session start. Only the first packet of every session is logged. This is the recommended logging setting.

  • Log all packets. Every network packet is logged. It is recommended to enable a logging limit to avoid high system utilization in this mode.

SNAT IP address (external IP): sets the IP address that is used as the source address of translated (NATed) packets. This only makes sense if several IP addresses are assigned to the interfaces of the destination zone. If the field is empty, an arbitrary address of the destination zone is used.

For higher firewall performance, it is recommended that you specify the SNAT IP explicitly.

Source: a source zone and/or a list of source IP addresses for the traffic.

Destination: a destination zone and/or a list of destination IP addresses for the traffic.

Services: service type, e.g. HTTP, HTTPS, etc.
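The following is an added example that models the first-match evaluation described in this section (top-to-bottom order, all criteria must match, Negate inverts a criterion, and an empty SNAT IP field falls back to an address of the destination zone). It is illustrative code written for this page, not the product's implementation. The zone names, interface addresses, subnets and rule names are constructed sample values; the choice of the first interface address when the SNAT IP field is empty is an assumption made for determinism, since the section only says that an arbitrary address of the destination zone is used.

```python
"""First-match evaluation of NAT rules with Negate and SNAT IP fallback (example model)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed topology (assumed values): zone -> IP addresses assigned to its interfaces.
ZONE_INTERFACES = {
    "Trusted": ["10.0.0.1"],
    "Untrusted": ["198.51.100.10", "198.51.100.11"],
}


@dataclass
class Criterion:
    """One rule condition. An empty value list means 'any'; negate applies logical NOT."""
    values: List[str] = field(default_factory=list)
    negate: bool = False

    def matches(self, value: str, is_ip: bool = False) -> bool:
        if not self.values:
            hit = True
        elif is_ip:
            addr = ipaddress.ip_address(value)
            hit = any(addr in ipaddress.ip_network(n, strict=False) for n in self.values)
        else:
            hit = value in self.values
        return (not hit) if self.negate else hit


@dataclass
class NatRule:
    name: str
    enabled: bool = True
    src_zone: Criterion = field(default_factory=Criterion)
    src_ips: Criterion = field(default_factory=Criterion)
    dst_zone: Criterion = field(default_factory=Criterion)
    dst_ips: Criterion = field(default_factory=Criterion)
    services: Criterion = field(default_factory=Criterion)
    snat_ip: Optional[str] = None  # "SNAT IP address (external IP)"; None = field left empty


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    service: str


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """A rule is triggered only when every one of its criteria is met."""
    return (
        rule.enabled
        and rule.src_zone.matches(pkt.src_zone)
        and rule.src_ips.matches(pkt.src_ip, is_ip=True)
        and rule.dst_zone.matches(pkt.dst_zone)
        and rule.dst_ips.matches(pkt.dst_ip, is_ip=True)
        and rule.services.matches(pkt.service)
    )


def first_match(rules: List[NatRule], pkt: Packet) -> Optional[NatRule]:
    """Rules are evaluated top to bottom; only the first full match is applied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def translate(rules: List[NatRule], pkt: Packet) -> Optional[Tuple[str, str]]:
    """Return (rule name, source address after SNAT), or None when no rule applies.
    Empty SNAT IP field: the model picks the first interface address of the
    destination zone (assumption; the section only says 'arbitrary address')."""
    rule = first_match(rules, pkt)
    if rule is None:
        return None
    return rule.name, rule.snat_ip or ZONE_INTERFACES[pkt.dst_zone][0]


# Constructed rule set: a specific rule for one subnet placed above the global
# Trusted -> Untrusted rule recommended at the end of the section.
SPECIFIC = NatRule("servers-fixed-ip", src_zone=Criterion(["Trusted"]),
                   src_ips=Criterion(["10.0.1.0/24"]), dst_zone=Criterion(["Untrusted"]),
                   snat_ip="198.51.100.11")
GLOBAL = NatRule("trusted-to-internet", src_zone=Criterion(["Trusted"]),
                 dst_zone=Criterion(["Untrusted"]), snat_ip="198.51.100.10")
# Negate example: matches everything from Trusted to Untrusted except web services.
NON_WEB = NatRule("non-web-egress", src_zone=Criterion(["Trusted"]),
                  dst_zone=Criterion(["Untrusted"]),
                  services=Criterion(["HTTP", "HTTPS"], negate=True), snat_ip="198.51.100.11")

CORRECT_ORDER = [SPECIFIC, GLOBAL]  # most specific rule first
WRONG_ORDER = [GLOBAL, SPECIFIC]    # the broad rule shadows the specific one

if __name__ == "__main__":
    pkt = Packet("Trusted", "10.0.1.25", "Untrusted", "203.0.113.7", "HTTPS")
    print(translate(CORRECT_ORDER, pkt))  # ('servers-fixed-ip', '198.51.100.11')
    print(translate(WRONG_ORDER, pkt))    # ('trusted-to-internet', '198.51.100.10')
```

Running the module shows the ordering point directly: the same packet from 10.0.1.25 is translated to 198.51.100.11 when the specific rule is on top, but to 198.51.100.10 when the global rule precedes it, because the global rule already satisfies all its criteria and the specific rule below is never reached.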

Important! It is recommended that you create global NAT rules, e.g. a single NAT rule from your local network (i.e. Trusted zone) to the Internet (i.e. Untrusted zone), and then define access policies for users, services and applications through firewall rules.