12.9.2. Configuring NAT and routing rules

You configure NAT and routing rules at the network-policy nat-routing level. For more details on the command structure, see Configuring Rules Using UPL.

12.9.2.1. Configuring NAT rules

To configure a NAT rule, specify the following parameters:

Parameter

Description

PASS

OK

Action to create a rule using UPL.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

NAT rule name.

Example: name("NAT rule example").

desc

A description of the rule.

Example: desc("NAT rule example set via CLI").

nat

Rule type (specified in the rule properties).

snat_target_ip

IP address that replaces the source address when packets are NATted. Specify the address in double quotes, e.g. snat_target_ip("1.1.1.1").

rule_log

Log traffic information when the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. This is the default if rule_log is not specified.

  • rule_log(session): log the start of each session that matches the rule.

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about configuring zones using the CLI, see Zones.

src.ip

Add lists of source IP addresses, MAC addresses, and domains.

Example for IP addresses: src.ip = lib.network(). Specify the name of the IP address list in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

Example for domains: src.ip = lib.url(). Specify the name of the URL list that contains the required domains in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a source MAC address, such as 02:00:00:00:00:00: src.ip = 02:00:00:00:00:00.

dst.zone

Traffic destination zone.

To specify a traffic destination zone, such as Untrusted: dst.zone = Untrusted.

For more details about configuring zones using the CLI, see Zones.

dst.ip

Add lists of destination IP addresses, MAC addresses, and domains.

To specify an IP address list: dst.ip = lib.network(). Specify the name of the IP address list in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

To specify a domain list: dst.ip = lib.url(). Specify the name of the URL list that contains the required domains in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a destination MAC address, such as 02:00:00:00:00:00: dst.ip = 02:00:00:00:00:00.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring service groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a services group: service = lib.service(). Provide the services group name in parentheses.
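A complete source NAT rule assembled from the parameters above, as an added example that is not taken from this page or from UserGate's own documentation. The create network-policy nat-routing upl-rule command line and the backslash line continuation are assumptions about the command structure, which this page defers to Configuring Rules Using UPL; the IP address list name LAN_Clients, the service names HTTP, HTTPS and DNS, and the address 203.0.113.10 (an RFC 5737 documentation address) are placeholders for your own objects.

```text
create network-policy nat-routing upl-rule \
OK \
src.zone = Trusted \
src.ip = lib.network(LAN_Clients) \
dst.zone = Untrusted \
service = (HTTP, HTTPS, DNS) \
nat \
snat_target_ip("203.0.113.10") \
rule_log(session) \
name("SNAT LAN clients to Internet") \
desc("Source NAT for the LAN_Clients list only; session start is logged") \
enabled(yes)
```

Matching on a named list in src.ip rather than on the whole Trusted zone keeps the rule from translating traffic of hosts that were never meant to reach the Internet, and rule_log(session) leaves a record of which internal address was behind each translated connection, which the default (no logging) would not.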

12.9.2.2. Configuring DNAT rules

To configure a DNAT rule, specify the following parameters.

Parameter

Description

PASS

OK

Action to create a rule using UPL.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

DNAT rule name.

Example: name("DNAT rule example").

desc

A description of the rule.

Example: desc("DNAT rule example created via CLI").

dnat

Rule type (specified in the rule properties).

snat_target_ip

IP address that replaces the source address when packets are NATted. Specify the address in double quotes, e.g. snat_target_ip("1.1.1.1").

rule_log

Log traffic information when the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. This is the default if rule_log is not specified.

  • rule_log(session): log the start of each session that matches the rule.

src.zone

Traffic source zone.

To specify a source traffic zone, such as Trusted: src.zone = Trusted.

For more details about configuring zones using the CLI, see Zones.

src.ip

Add lists of source IP addresses, MAC addresses, and domains.

Example for IP addresses: src.ip = lib.network(). Specify the name of the IP address list in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

Example for domains: src.ip = lib.url(). Specify the name of the URL list that contains the required domains in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a source MAC address, such as 02:00:00:00:00:00: src.ip = 02:00:00:00:00:00.

src.geoip

Source GeoIP. Specify an ISO 3166-1 alpha-2 country code (for example, src.geoip = AE).

Important! You can specify at most 15 country codes.

dst.zone

Traffic destination zone.

To specify a destination zone, such as Untrusted: dst.zone = Untrusted.

For more details about configuring zones using the CLI, see Zones.

dst.ip

Add lists of destination IP addresses, MAC addresses, and domains.

To specify an IP address list: dst.ip = lib.network(). Specify the name of the IP address list in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

To specify a domain list: dst.ip = lib.url(). Specify the name of the URL list that contains the required domains in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a destination MAC address, such as 02:00:00:00:00:00: dst.ip = 02:00:00:00:00:00.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring service groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a services group: service = lib.service(). Provide the services group name in parentheses.

target_ip

DNAT destination address.

Example destination address: target_ip("1.1.1.1").

target_snat

Replace the source IP address with the UserGate address:

  • target_snat(yes) or target_snat(true).

  • target_snat(no) or target_snat(false).
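A complete DNAT rule that publishes an internal web server, as an added example that is not taken from this page or from UserGate's own documentation. The create network-policy nat-routing upl-rule command line and the backslash line continuation are assumptions about the command structure, which this page defers to Configuring Rules Using UPL; the IP address list name Public_Web_VIP (holding the public address the rule matches on), the service name HTTPS, and the internal address 10.10.20.15 are placeholders for your own objects.

```text
create network-policy nat-routing upl-rule \
OK \
src.zone = Untrusted \
dst.ip = lib.network(Public_Web_VIP) \
service = HTTPS \
dnat \
target_ip("10.10.20.15") \
target_snat(no) \
rule_log(session) \
name("DNAT public VIP to web server") \
desc("Publish the internal web server on HTTPS only; client source address preserved") \
enabled(yes)
```

The rule matches a single service rather than all traffic to the public address, so only HTTPS reaches the server. target_snat(no) leaves the real client address on the forwarded packets, which keeps the server's own logs meaningful; this works only when the server routes its replies back through UserGate. If it does not, set target_snat(yes) and accept that the server will then see the UserGate address for every client, which is why rule_log(session) is enabled here: the UserGate log becomes the only place the original client address is recorded.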

12.9.2.3. Configuring port forwarding rules

To configure a port forwarding rule, specify the following parameters:

Parameter

Description

PASS

OK

Action to create a rule using UPL.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

Port forwarding rule name.

Example: name("Port forwarding rule example").

desc

A description of the rule.

Example: desc("Port forwarding rule example created via CLI").

port_mapping

Rule type (specified in the rule properties).

snat_target_ip

IP address that replaces the source address when packets are NATted. Specify the address in double quotes, e.g. snat_target_ip("1.1.1.1").

rule_log

Log traffic information when the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. This is the default if rule_log is not specified.

  • rule_log(session): log the start of each session that matches the rule.

src.zone

Traffic source zone.

Example source zone: src.zone = Trusted.

For more details about configuring zones using the CLI, see Zones.

src.ip

Add lists of source IP addresses, MAC addresses, and domains.

Example for IP addresses: src.ip = lib.network(). Specify the name of the IP address list in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

Example for domains: src.ip = lib.url(). Specify the name of the URL list that contains the required domains in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a source MAC address, such as 02:00:00:00:00:00: src.ip = 02:00:00:00:00:00.

src.geoip

Source GeoIP. Specify an ISO 3166-1 alpha-2 country code (for example, src.geoip = AE).

Important! You can specify at most 15 country codes.

dst.ip

Add lists of destination IP addresses, MAC addresses, and domains.

To specify an IP address list: dst.ip = lib.network(). Specify the name of the IP address list in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

To specify a domain list: dst.ip = lib.url(). Specify the name of the URL list that contains the required domains in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a destination MAC address, such as 02:00:00:00:00:00: dst.ip = 02:00:00:00:00:00.

port_map

Port override for the published service.

Specify the network protocol (TCP, UDP, SMTP, or SMTPS), the original destination port, and the new destination port. Example: port_map(tcp, 2000, 2100).

Important! The following ports cannot be used because they are reserved for UserGate's internal services: 2200, 8001, 4369, 9000-9100.

target_ip

DNAT destination address.

Example destination address: target_ip("1.1.1.1").

target_snat

Replace the source IP address with the UserGate address:

  • target_snat(yes) or target_snat(true).

  • target_snat(no) or target_snat(false).
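A complete port forwarding rule that exposes SSH on an internal bastion host, as an added example that is not taken from this page or from UserGate's own documentation. The create network-policy nat-routing upl-rule command line and the backslash line continuation are assumptions about the command structure, which this page defers to Configuring Rules Using UPL; the IP address list names Admin_Sources and Public_Mgmt_VIP and the internal address 10.10.30.5 are placeholders for your own objects.

```text
create network-policy nat-routing upl-rule \
OK \
src.zone = Untrusted \
src.ip = lib.network(Admin_Sources) \
dst.ip = lib.network(Public_Mgmt_VIP) \
port_mapping \
port_map(tcp, 2222, 22) \
target_ip("10.10.30.5") \
target_snat(yes) \
rule_log(session) \
name("Forward external TCP 2222 to bastion SSH") \
desc("SSH to the bastion from the Admin_Sources list only; external port 2222 maps to 22") \
enabled(yes)
```

The external port is 2222 rather than 2200 because 2200 is on the reserved list above and the rule would not be usable with it. Restricting src.ip to a named list is what keeps this from being an Internet-wide SSH exposure; a port forwarding rule with only src.zone = Untrusted would accept connections from any address in that zone.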

12.9.2.4. Configuring Policy-based routing rules

To configure a Policy-based routing rule, specify the following parameters:

Parameter

Description

PASS

OK

Action to create a rule using UPL.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

Policy-based routing rule name.

Example: name("Policy-based routing rule example").

desc

A description of the rule.

Example: desc("Policy-based routing rule example set via CLI").

route

Rule type (specified in the rule properties).

gateway

Specify one of the existing gateways by its address: gateway("1.1.1.1").

For more details about adding a gateway using CLI, see Gateways.

scenario

Scenario that needs to be active for the rule to trigger.

To specify a scenario: scenario = "Example of a scenario".

For more details on configuring scenarios, see Configuring scenarios.

rule_log

Log traffic information when the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. This is the default if rule_log is not specified.

  • rule_log(session): log the start of each session that matches the rule.

src.zone

Traffic source zone.

Example source zone: src.zone = Trusted.

For more details about configuring zones using the CLI, see Zones.

src.ip

Add lists of source IP addresses, MAC addresses, and domains.

Example for IP addresses: src.ip = lib.network(). Specify the name of the IP address list in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

Example for domains: src.ip = lib.url(). Specify the name of the URL list that contains the required domains in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a source MAC address, such as 02:00:00:00:00:00: src.ip = 02:00:00:00:00:00.

src.geoip

Source GeoIP. Specify an ISO 3166-1 alpha-2 country code (for example, src.geoip = AE).

Important! You can specify at most 15 country codes.

dst.ip

Add lists of destination IP addresses, MAC addresses, and domains.

To specify an IP address list: dst.ip = lib.network(). Specify the name of the IP address list in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

To specify a domain list: dst.ip = lib.url(). Specify the name of the URL list that contains the required domains in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a destination MAC address, such as 02:00:00:00:00:00: dst.ip = 02:00:00:00:00:00.

dst.geoip

Destination GeoIP. Specify an ISO 3166-1 alpha-2 country code (for example, dst.geoip = AE).

Important! You can specify at most 15 country codes.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring service groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a services group: service = lib.service(). Provide the services group name in parentheses.
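A complete policy-based routing rule that steers one group's web traffic to a backup uplink while a scenario is active, as an added example that is not taken from this page or from UserGate's own documentation. The create network-policy nat-routing upl-rule command line and the backslash line continuation are assumptions about the command structure, which this page defers to Configuring Rules Using UPL; the IP address list name Branch_Clients, the scenario name "Primary uplink degraded", the service names HTTP and HTTPS, and the gateway address 198.51.100.1 (an RFC 5737 documentation address) are placeholders for your own objects.

```text
create network-policy nat-routing upl-rule \
OK \
src.zone = Trusted \
src.ip = lib.network(Branch_Clients) \
service = (HTTP, HTTPS) \
route \
gateway("198.51.100.1") \
scenario = "Primary uplink degraded" \
rule_log(session) \
name("PBR branch web traffic via backup uplink") \
desc("Route HTTP/HTTPS from Branch_Clients through the backup gateway while the scenario is active") \
enabled(yes)
```

Tying the rule to a scenario means it has no effect until that scenario triggers, so the backup path is used only when needed; without the scenario parameter the rule would divert the listed traffic permanently. rule_log(session) is worth keeping on a routing rule like this because a sudden change of egress path is exactly the kind of event you want to be able to reconstruct afterwards.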

12.9.2.5. Configuring Network mapping rules

To configure a Network mapping rule, specify the following parameters:

Parameter

Description

PASS

OK

Action to create a rule using UPL.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

Network mapping rule name.

Example: name("Network mapping rule example").

desc

A description of the rule.

Example: desc("Network mapping rule example set via CLI").

netmap

Rule type (specified in the rule properties).

rule_log

Log traffic information when the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. This is the default if rule_log is not specified.

  • rule_log(session): log the start of each session that matches the rule.

src.zone

Traffic source zone.

Example source zone: src.zone = Trusted.

For more details about configuring zones using the CLI, see Zones.

src.ip

Add lists of source IP addresses, MAC addresses, and domains.

Example for IP addresses: src.ip = lib.network(). Specify the name of the IP address list in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

Example for domains: src.ip = lib.url(). Specify the name of the URL list that contains the required domains in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a source MAC address, such as 02:00:00:00:00:00: src.ip = 02:00:00:00:00:00.

src.geoip

Source GeoIP. Specify an ISO 3166-1 alpha-2 country code (for example, src.geoip = AE).

Important! You can specify at most 15 country codes.

dst.ip

Add lists of destination IP addresses, MAC addresses, and domains.

To specify an IP address list: dst.ip = lib.network(). Specify the name of the IP address list in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

To specify a domain list: dst.ip = lib.url(). Specify the name of the URL list that contains the required domains in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a destination MAC address, such as 02:00:00:00:00:00: dst.ip = 02:00:00:00:00:00.

dst.geoip

Destination GeoIP. Specify an ISO 3166-1 alpha-2 country code (for example, dst.geoip = AE).

Important! You can specify at most 15 country codes.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring service groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a services group: service = lib.service(). Provide the services group name in parentheses.

target_ip

Parameter for network substitution: address of a network to use in the substitution. Example: target_ip("1.1.1.0").

direction

Parameter for network substitution. Direction of the substitution:

  • direction(input): replace the destination network. In traffic that matches the rule conditions, the network part of the destination IP address is replaced with the network specified in target_ip.

  • direction(output): replace the source network. In traffic that matches the rule conditions, the network part of the source IP address is replaced with the network specified in target_ip.
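A complete network mapping rule for reaching a partner network whose address range overlaps with your own, as an added example that is not taken from this page or from UserGate's own documentation. The create network-policy nat-routing upl-rule command line and the backslash line continuation are assumptions about the command structure, which this page defers to Configuring Rules Using UPL; the IP address list names Site_A_LAN and Partner_Alias_Net (the alias range that local clients address, for example 192.168.100.0/24) and the real partner network 172.16.50.0 are placeholders for your own objects.

```text
create network-policy nat-routing upl-rule \
OK \
src.zone = Trusted \
src.ip = lib.network(Site_A_LAN) \
dst.ip = lib.network(Partner_Alias_Net) \
netmap \
target_ip("172.16.50.0") \
direction(input) \
rule_log(session) \
name("Netmap alias range to partner network") \
desc("Rewrite the destination network of traffic to Partner_Alias_Net to 172.16.50.0") \
enabled(yes)
```

With direction(input) only the network part of the destination address is rewritten, so a client that connects to host .25 in the alias range reaches host .25 in 172.16.50.0; the host part is preserved, which is what distinguishes network mapping from a DNAT rule to a single target_ip. If the partner side needs to initiate connections into your range, a second rule with direction(output) and the reverse lists is required; this one only covers traffic originating from Site_A_LAN.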