Configuring NAT rules

To configure a NAT rule, specify the following parameters:

Parameter

Description

PASS

OK

Action to create a rule using UPL.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

NAT rule name.

Example: name("NAT rule example").

desc

A description of the rule.

Example: desc("NAT rule example set via CLI").

nat

Rule type (specified in the rule properties).

snat_target_ip

IP address to replace the source address when NATting packets. Specify the address in "", e.g. snat_target_ip ("1.1.1.1").

rule_log

Log traffic information if the rule is triggered. The available options are:

  • rule_log(no) or rule_log(false): disable logging. If rule_log is not specified, logging is disabled.

  • rule_log(session): log the session start.

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about how to configure zones using CLI, see the Zones section.

src.ip

Add lists of source IP addresses, MAC addresses, and domains.

To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

To specify source MAC addresses, such as 02:00:00:00:00:00, use src.ip= 02:00:00:00:00:00.

dst.zone

Traffic destination zone.

To specify a traffic destination zone, such as Untrusted: dst.zone = Untrusted.

For more details about how to configure zones using CLI, see the Zones section.

dst.ip

Add lists of destination IP addresses, MAC addresses, and domains.

To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section.

To specify a destination domain list: dst.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section.

To specify destination MAC addresses, such as 02:00:00:00:00:00, use dst.ip= 02:00:00:00:00:00.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring services groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a service group: service = lib.service(). Provide the services group name in parentheses.

Example command to create a NAT rule using UPL:

Admin@nodename# create network-policy nat-routing 1 upl-rule PASS \ ...src.zone = Trusted \ ...dst.zone = Untrusted \ ...nat \ ...rule_log(session) \ ...name("Test NAT rule") \ ...enabled(true) ... Admin@nodename# show network-policy nat-routing 1 % ----------------- 1 ----------------- OK \ src.zone = Trusted \ dst.zone = Untrusted \ direction(input) \ rule_log(session) \ enabled(true) \ id("0344640b-b392-4920-9853-77d85ec1338c") \ name("Test NAT rule")\ nat