NAT and Routing

In the NAT and routing section, the administrator can create NAT, DNAT, port forwarding, policy-based routing, and network mapping rules. UserGate NGFW supports NAT/DNAT for complex protocols that can use dynamic ports. FTP, PPTP, SIP, and H323 protocols are supported.

Trigger events for NAT, DNAT, port forwarding, policy-based routing, and network mapping rules are displayed in the traffic log (Logs and reports ➜ Traffic) when Logging is enabled in the rule settings.

Note GeoIP cannot be used as the traffic source address in NAT rules, or as the traffic destination address in NAT, DNAT, and port forwarding rules.

NAT Rules

Generally, enabling Internet access for the users requires creating at least one NAT rule from the Trusted to the Untrusted zone.

Note The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

To create a NAT rule, go to the Network policies ➜ NAT and routing section, click Add, and provide the desired settings.

Name

Description

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Type

Select NAT.

SNAT IP address (external IP)

Explicitly sets the IP address with which the source address will be replaced in case of packet NATing. This makes sense if there are multiple IP addresses assigned to the destination zone's interfaces. If left empty, the system will use an arbitrary address from the list of available IP addresses assigned to the destination zone's interfaces. A range of IP addresses may be specified, for example:

192.168.10.10-192.168.10.20

In this case, NGFW will use all addresses from the range for Source NAT.

It is recommended to specify a SNAT IP explicitly to improve firewall performance.

Logging

Logs traffic information when the rule is triggered. The available options are:

  • Log session start: only the session start (first packet) will be recorded in the traffic log. This is the recommended logging option.

  • No. Nothing will be logged.

Source

The zone, IP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The Negate checkbox does not affect rule processing when MAC addresses are used.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR if several IP address and/or domain lists are specified.

Destination

The zone, IP address lists, or URL lists of the traffic destination.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR if several IP address and/or domain lists are specified.

Service

The service type, such as HTTP, HTTPS or other.

Usage

The trigger statistics for the rule: the total trigger count and the time of the first and last trigger.

To reset the trigger count, select the rules in the list and click Reset hit counts.

History

The time the rule was created and last changed as well as the related event log entries, such as rule added, rule updated, rule list position changed etc.

Note It is recommended to create general NAT rules, such as NAT from the local network (normally the Trusted zone) to the Internet (normally the Untrusted zone), and access restrictions by user, service, and application using firewall rules.

DNAT Rules

DNAT rules are normally used to publish internal network resources to the Internet. For publishing HTTP/HTTPS servers, reverse proxy rules are the recommended publishing method. For more details on publishing resources using reverse proxy rules, see the HTTP/HTTPS Resource Publishing Using Reverse Proxy chapter. To publish servers that use protocols other than HTTP/HTTPS, use DNAT publishing.

Note The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

To create a DNAT rule, go to the Network policies ➜ NAT and routing section, click Add, and provide the desired settings.

Name

Description

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Type

Select DNAT.

SNAT IP address (external IP)

Explicitly specifies the IP address that will replace the source address in case of packet NATing. If the SNAT IP is not specified, the source address will be replaced with the address of the NGFW interface from which the packet was sent.

A range of IP addresses may be specified, for example:

192.168.10.10-192.168.10.20

Important! To have the source address replaced with the specified address, the Enable SNAT checkbox must be set on the DNAT tab.

Logging

Logs traffic information when the rule is triggered. The available options are:

  • Log session start: only the session start (first packet) will be recorded in the traffic log. This is the recommended logging option.

  • No. Nothing will be logged.

Source

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The Negate checkbox does not affect rule processing when MAC addresses are used.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND if GeoIPs and IP address and/or domain lists are specified.

Destination

One of the external IP addresses of NGFW, which is available from the Internet and is the destination for the external client traffic.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR if several IP address and/or domain lists are specified.

Service

The type of service to publish, such as HTTP. If not specified, all services will be published.

Important! Services that use the following ports may not be published as these ports are reserved for UserGate's internal services: 2200, 8001, 4369, 9000-9100.

DNAT target IP (published server IP)

The IP address of a computer in the local network that is being published to the Internet.

Enable SNAT (change source IP to UserGate IP)

If enabled, NGFW will replace the source address in the packets from the external network with its own IP address.

Usage

The trigger statistics for the rule: the total trigger count and the time of the first and last trigger.

To reset the trigger count, select the rules in the list and click Reset hit counts.

History

The time the rule was created and last changed as well as the related event log entries, such as rule added, rule updated, rule list position changed etc.
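The following is an added example (not UserGate code) that models the rule evaluation described above for DNAT rules: top-to-bottom first-match ordering, Boolean OR across IP lists, Boolean AND between GeoIP and IP lists, Negate as Boolean NOT, the 15-GeoIP limit, and the reserved internal ports that may not be published. The rule fields, the sample rules, and the addresses are constructed assumptions for illustration.

```python
"""Model of DNAT rule evaluation as described on this page.  Added example,
not product code; field names, sample rules and addresses are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Ports reserved for NGFW internal services (values taken from the page).
RESERVED_PORTS = {2200, 8001, 4369} | set(range(9000, 9101))

@dataclass
class DnatRule:
    name: str
    dst_ip: str                                     # external NGFW address
    target_ip: str                                  # published server IP
    src_lists: list = field(default_factory=list)   # IP networks, OR'ed together
    src_geo: set = field(default_factory=set)       # GeoIP codes, AND'ed with lists
    negate_src: bool = False                        # Negate checkbox on Source
    service_port: Optional[int] = None              # None = publish all services
    enabled: bool = True

def validate(rule: DnatRule) -> None:
    """Reject rules the NGFW would refuse: reserved ports, more than 15 GeoIPs."""
    if rule.service_port in RESERVED_PORTS:
        raise ValueError(f"{rule.name}: port {rule.service_port} is reserved")
    if len(rule.src_geo) > 15:
        raise ValueError(f"{rule.name}: at most 15 GeoIPs may be specified")

def source_matches(rule: DnatRule, src_ip: str, src_country: str) -> bool:
    # Several IP/domain lists: Boolean OR.  No list means no restriction.
    in_lists = (not rule.src_lists or
                any(ip_address(src_ip) in ip_network(n) for n in rule.src_lists))
    # GeoIP together with lists: Boolean AND.
    in_geo = not rule.src_geo or src_country in rule.src_geo
    hit = in_lists and in_geo
    return not hit if rule.negate_src else hit      # Negate = Boolean NOT

def first_match(rules, src_ip, src_country, dst_ip, dst_port) -> Optional[DnatRule]:
    """Top-to-bottom evaluation; the first rule with all conditions met wins."""
    for rule in rules:
        if not rule.enabled or rule.dst_ip != dst_ip:
            continue
        if rule.service_port is not None and rule.service_port != dst_port:
            continue
        if source_matches(rule, src_ip, src_country):
            return rule
    return None

# Constructed sample rule set: the specific rule must sit above the general one.
PARTNER_SSH = DnatRule("partner-ssh", "203.0.113.10", "10.0.0.22",
                       src_lists=["198.51.100.0/24"], src_geo={"DE"}, service_port=22)
ANY_SSH = DnatRule("any-ssh", "203.0.113.10", "10.0.0.5", service_port=22)
RULES = [PARTNER_SSH, ANY_SSH]

if __name__ == "__main__":
    for r in RULES:
        validate(r)
    hit = first_match(RULES, "198.51.100.7", "DE", "203.0.113.10", 22)
    print(hit.name, "->", hit.target_ip)            # partner-ssh -> 10.0.0.22
    hit = first_match(RULES[::-1], "198.51.100.7", "DE", "203.0.113.10", 22)
    print(hit.name, "(the general rule now shadows the specific one)")  # any-ssh
```

Swapping the two rules shows why the page insists on placing specific rules above general ones: the general rule matches first and the specific one is never reached.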

Port Forwarding Rules

Port forwarding rules work similarly to DNAT rules, except that they allow you to change the port number on which an internal service is published. To create a port forwarding rule, go to the Network policies ➜ NAT and routing section, click Add, and provide the desired settings.

Note The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

Name

Description

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Type

Select Port forwarding.

Logging

Logs traffic information when the rule is triggered. The available options are:

  • Log session start: only the session start (first packet) will be recorded in the traffic log. This is the recommended logging option.

  • No. Nothing will be logged.

Source

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The Negate checkbox does not affect rule processing when MAC addresses are used.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND if GeoIPs and IP address and/or domain lists are specified.

Destination

The zone, IP address lists, or URL lists of the traffic destination.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR if several IP address and/or domain lists are specified.

Port forwarding

Port overriding for the published services:

  • Original destination port: the TCP/UDP port number to which the users send requests.

    Important! The ports listed here may not be used as they are reserved for NGFW's internal services: 2200, 8001, 4369, 9000-9100.

  • New destination port: the TCP/UDP port number of the internal server being published to which user requests will be forwarded.

DNAT target IP (published server IP)

The IP address of a computer in the local network that is being published to the Internet.

Enable SNAT (change source IP to UserGate IP)

If enabled, NGFW will replace the source address in the packets from the external network with its own IP address.

Usage

The trigger statistics for the rule: the total trigger count and the time of the first and last trigger.

To reset the trigger count, select the rules in the list and click Reset hit counts.

History

The time the rule was created and last changed as well as the related event log entries, such as rule added, rule updated, rule list position changed etc.

Policy-Based Routing

Policy-based routing rules are normally used to define a specific route to the Internet for certain hosts and/or services. For example, an organization that uses two Internet providers may need to route all HTTP traffic via provider 1 and all the rest via provider 2. To do that, it would set the Internet gateway of provider 2 as the default gateway and configure a policy-based routing rule that sends HTTP traffic via the gateway of provider 1.

Note PBR rules do not replace NAT rules or affect how they work. For network address translation, place a corresponding NAT rule after a PBR rule.

Note The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

To create a policy-based routing rule, go to the Network policies ➜ NAT and routing section, click Add, and provide the desired settings.

Name

Description

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Type

Select Policy-Based Routing.

Gateway

Select one of the existing gateways. You can add a gateway in the Network ➜ Gateways section.

Important! The selected gateway may belong to a specific virtual router.

Logging

Logs traffic information when the rule is triggered. The available options are:

  • Log session start: only the session start (first packet) will be recorded in the traffic log. This is the recommended logging option.

  • No. Nothing will be logged.

Source

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The Negate checkbox does not affect rule processing when MAC addresses are used.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND if GeoIPs and IP address and/or domain lists are specified.

Users

The list of users or groups to which this rule is applied. The Any, Unknown, and Known user types can be used. To apply rules to specific users or Known users, user identification needs to be configured. For more details on user identification, see the Users and Devices chapter.

Destination

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic destination.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND if GeoIPs and IP address and/or domain lists are specified.

Service

The service type, such as HTTP, HTTPS or other.

Usage

The trigger statistics for the rule: the total trigger count and the time of the first and last trigger.

To reset the trigger count, select the rules in the list and click Reset hit counts.

History

The time the rule was created and last changed as well as the related event log entries, such as rule added, rule updated, rule list position changed etc.

Network Mapping

Network mapping rules allow substitution of the source or destination network address. This is usually required when there are multiple networks with identical addressing, such as 192.168.1.0/24, that need to be merged into a single routed network. Without network address substitution, this kind of merge would be impossible. Network mapping changes only the network address, leaving the host address as is: for example, if source network 192.168.1.0/24 is substituted with 192.168.2.0/24, host 192.168.1.1 will change to 192.168.2.1.

Note The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

To create a Network mapping rule, go to the Network policies ➜ NAT and routing section, click Add, and provide the desired settings.

Name

Description

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Type

Select Network mapping.

Logging

Logs traffic information when the rule is triggered. The available options are:

  • Log session start: only the session start (first packet) will be recorded in the traffic log. This is the recommended logging option.

  • No. Nothing will be logged.

Source

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The Negate checkbox does not affect rule processing when MAC addresses are used.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND if GeoIPs and IP address and/or domain lists are specified.

Destination

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic destination.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND if GeoIPs and IP address and/or domain lists are specified.

Service

The service type, such as HTTP, HTTPS or other.

Network Mapping

Configure the network substitution settings.

Direction:

  • Input, replace destination network address: destination IP addresses in the traffic that matches the rule conditions will be substituted. The network address is substituted with the one specified in the New IP network/mask field.

  • Output, replace source network address: source IP addresses in the traffic that matches the rule conditions will be substituted. The network address is substituted with the one specified in the New IP network/mask field.

New IP network/mask: the network address that gets substituted for the original one.
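The host-preserving substitution described in this section, as an added example (not UserGate code): only the network bits are rewritten and the host bits are kept, so 192.168.1.1 becomes 192.168.2.1 when 192.168.1.0/24 is mapped to 192.168.2.0/24. It also shows the Output/Input rule pair that merges two sites with identical 192.168.1.0/24 addressing; the site layout and packet fields are constructed assumptions.

```python
"""Network mapping: rewrite the network part of an address, keep the host part.
Added example, not product code; site addressing and packet fields are assumed."""
from ipaddress import ip_address, ip_network

def map_address(addr: str, old_net: str, new_net: str) -> str:
    """Return addr with its network bits moved from old_net to new_net.
    Addresses outside old_net are returned unchanged."""
    old = ip_network(old_net, strict=False)
    new = ip_network(new_net, strict=False)
    if old.prefixlen != new.prefixlen:
        raise ValueError("original and new networks must use the same mask")
    ip = ip_address(addr)
    if ip not in old:
        return addr
    host_bits = int(ip) & int(old.hostmask)          # host part is preserved
    return str(ip_address(int(new.network_address) | host_bits))

# A rule is (direction, original network, new network).  "output" rewrites the
# source address on the way out, "input" rewrites the destination on the way in.
def apply_first_match(pkt: dict, rules: list, direction: str) -> dict:
    """First rule whose direction and original network match the packet wins."""
    key = {"output": "src", "input": "dst"}[direction]
    for rule_dir, old_net, new_net in rules:
        if rule_dir != direction:
            continue
        if ip_address(pkt[key]) in ip_network(old_net, strict=False):
            out = dict(pkt)
            out[key] = map_address(pkt[key], old_net, new_net)
            return out
    return pkt

# Constructed scenario: sites A and B both use 192.168.1.0/24.  Each site's NGFW
# presents its LAN to the routed core as a distinct network and maps it back.
SITE_A_RULES = [("output", "192.168.1.0/24", "192.168.2.0/24"),
                ("input",  "192.168.2.0/24", "192.168.1.0/24")]
SITE_B_RULES = [("output", "192.168.1.0/24", "192.168.3.0/24"),
                ("input",  "192.168.3.0/24", "192.168.1.0/24")]

def site_a_to_site_b(pkt: dict) -> dict:
    """Egress mapping at site A, then ingress mapping at site B."""
    on_core = apply_first_match(pkt, SITE_A_RULES, "output")
    return apply_first_match(on_core, SITE_B_RULES, "input")

if __name__ == "__main__":
    print(map_address("192.168.1.1", "192.168.1.0/24", "192.168.2.0/24"))   # 192.168.2.1
    # Host 192.168.1.1 at site A talks to host 192.168.1.7 at site B via core 192.168.3.7
    print(site_a_to_site_b({"src": "192.168.1.1", "dst": "192.168.3.7"}))
```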

Usage

The trigger statistics for the rule: the total trigger count and the time of the first and last trigger.

To reset the trigger count, select the rules in the list and click Reset hit counts.

History

The time the rule was created and last changed as well as the related event log entries, such as rule added, rule updated, rule list position changed etc.