Settings for Firewall FW6

Return routes

Return routes do not need to be defined on this firewall. The proxies enabled on firewalls FW2 to FW5 (SSL, HTTP, SMTP/POP3/IMAP) translate the source address of the traffic they relay by default (the Keep original source IP address option is unselected in the settings of each of these protocols), so every stream reaching FW6 carries the address of the upstream firewall as its source, and FW6 already has a route back to that address. A return route would only become necessary if Keep original source IP address were enabled on one of those proxies, since FW6 would then have to send replies to the original client's address through the upstream firewall.

Filter rule

Create a filter rule that allows HTTP, HTTPS, SMTP, IMAP and POP3 traffic going to the Internet. Since security inspection is already performed on the firewalls that have enabled the various proxies (FW2 to FW5), the filter rule on firewall FW6 can use the Firewall inspection level: it only needs to perform a stateful match and does not repeat the application-level analysis done upstream.

Action column

  • Action: set the action to Pass.

Source column

  • Source hosts: select the network at the source of the traffic (Network_bridge in the example).

Destination column

  • Destination hosts: select the Internet object.

Dest. port column

  • Destination port: select the http, https and srv_mail objects.

Security inspection column

  • Inspection level: select the Firewall mode.

The filter rule will then look like this:

NAT rule

Create a NAT rule meant to mask internal networks behind the public address of firewall FW6.

In the NAT tab in the Configuration > Security policy > Filter and NAT menu, expand the New rule menu and select Standard rule:

Status column

  • Enable the rule by switching its status to On.

Original traffic column

Source column

  • Source hosts: select the network at the source of the traffic (Network_bridge in the example).

Destination column

  • Destination hosts (general tab): select the Internet object.
  • Out interface (Advanced properties tab): select the outgoing interface to the Internet (out interface in the example).

Dest. port column

  • Destination port: select the Any object.

Traffic after translation column

Source column

  • Translated source host: select the network object corresponding to the public address of firewall FW6 (Firewall_out in the example).
  • Translated source port: choose the ephemeral object and select the option Select a random translated source port.

Destination column

  • Translated destination host: leave the Any object suggested by default.

The NAT rule will then look like this:
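The filter rule and the NAT rule described above, written as an equivalent ruleset for a Linux nftables host. This is an added example and not Stormshield configuration syntax or the page's own configuration. The interface names (in0 for the Network_bridge side, out0 for the out interface), the Network_bridge address range (192.168.1.0/24) and the public address Firewall_out (203.0.113.10) are assumptions, and srv_mail is assumed to group SMTP, POP3 and IMAP. The Internet object, which in the Stormshield interface means every address that is not private, is approximated by excluding the RFC 1918 ranges.

```nft
# Added example: Linux nftables equivalent of the FW6 filter and NAT rules.
# Assumed values (not from the page): in0 = Network_bridge side, out0 = out interface,
# 192.168.1.0/24 = Network_bridge, 203.0.113.10 = Firewall_out (public address).
define lan     = 192.168.1.0/24
define public  = 203.0.113.10
define rfc1918 = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# srv_mail is assumed to group smtp (25), pop3 (110) and imap (143); http/https are 80/443.
define allowed = { 80, 443, 25, 110, 143 }

table inet fw6 {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful return traffic for streams accepted by the rule below.
        ct state established,related accept

        # Filter rule: Pass, Network_bridge -> Internet, ports http/https/srv_mail,
        # Firewall inspection level: a plain stateful match, no application inspection,
        # because the proxies on FW2 to FW5 have already inspected the traffic.
        iifname "in0" oifname "out0" ip saddr $lan ip daddr != $rfc1918 tcp dport $allowed ct state new accept
    }
}

table ip fw6nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # NAT rule: mask Network_bridge behind Firewall_out on the out interface,
        # destination port Any. The range 1024-65535 plays the role of the ephemeral
        # object and "random" of "Select a random translated source port".
        oifname "out0" ip saddr $lan ip daddr != $rfc1918 snat to $public:1024-65535 random
    }
}
```

Load the file with `nft -f` and check the result with `nft list ruleset`. The `ct state established,related accept` line is what lets the replies to the translated streams come back without any further rule, which is the nftables counterpart of the stateful behaviour a Stormshield Pass rule provides on its own.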