NAT table
This table allows you to define the NAT rules to apply. The firewall assesses rules in the order in which they appear on the screen: one by one, from the top down. Place them in the right order so that you obtain a coherent result. As soon as the firewall comes upon a rule that corresponds to the request, it performs the specified action and stops there.
It is therefore important to define rules from the most restrictive to the most general.
The NAT table consists of two parts - Original traffic (before translation) and Translated traffic.
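The first-match behaviour described above is what makes ordering matter: a broad rule placed above a more specific one silently prevents the specific rule from ever firing. The following added example, which is not Stormshield's code and models the matching fields of a NAT rule in a simplified way (the rule names, networks and addresses are constructed), evaluates a small policy top-down and also reports enabled rules that an earlier enabled rule completely covers. Running such a shadowing check before reordering a policy is a cheap way to catch a misplaced "no translation" rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class NatRule:
    """Simplified NAT rule: only the fields that decide whether it matches."""
    name: str
    enabled: bool            # the On/Off status column
    src: str                 # original source, CIDR ("0.0.0.0/0" plays the role of Any)
    dst: str                 # original destination, CIDR
    proto: str               # "tcp", "udp", "gre" or "any"
    dst_port: Optional[int]  # original destination port, None = Any
    translation: str         # free-text description of what the rule does once matched

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True

    def covers(self, other: "NatRule") -> bool:
        """True when every packet matched by `other` is also matched by this rule."""
        return (
            ip_network(other.src).subnet_of(ip_network(self.src))
            and ip_network(other.dst).subnet_of(ip_network(self.dst))
            and self.proto in ("any", other.proto)
            and self.dst_port in (None, other.dst_port)
        )


def first_match(rules: List[NatRule], pkt: Packet) -> Optional[NatRule]:
    """Top-down evaluation: the first enabled rule that matches wins, the rest are ignored."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Names of enabled rules that can never fire because an earlier enabled rule covers them."""
    shadowed = []
    for i, rule in enumerate(rules):
        if not rule.enabled:
            continue
        if any(earlier.enabled and earlier.covers(rule) for earlier in rules[:i]):
            shadowed.append(rule.name)
    return shadowed


# Constructed sample policy (addresses from documentation ranges).
MASQUERADE = NatRule("masq_lan_to_internet", True, "192.168.1.0/24", "0.0.0.0/0", "any", None,
                     "source -> firewall public address, port ephemeral_fw")
NO_NAT_TO_DMZ = NatRule("no_nat_lan_to_dmz", True, "192.168.1.0/24", "172.16.0.0/24", "any", None,
                        "no translation")
PUBLISH_WEB = NatRule("dnat_public_to_web", True, "0.0.0.0/0", "203.0.113.10/32", "tcp", 443,
                      "destination -> 172.16.0.10:443")

# General rule first: the specific no-NAT rule is shadowed and LAN-to-DMZ traffic gets masqueraded.
BAD_ORDER = [MASQUERADE, NO_NAT_TO_DMZ, PUBLISH_WEB]
# Most restrictive first: every rule can fire.
GOOD_ORDER = [NO_NAT_TO_DMZ, PUBLISH_WEB, MASQUERADE]


def main() -> None:
    pkt = Packet("192.168.1.20", "172.16.0.10", "tcp", 443)
    for label, policy in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        hit = first_match(policy, pkt)
        print(f"{label}: {hit.name if hit else 'no match'}; shadowed = {shadowed_rules(policy)}")


if __name__ == "__main__":
    main()
```

With the bad ordering the LAN-to-DMZ packet is handled by the masquerading rule and `shadowed_rules` reports `no_nat_lan_to_dmz`; with the specific rules moved to the top, the same packet is left untranslated and nothing is shadowed.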

Every rule can be dragged and dropped so that the policy (filter or NAT) can be reorganized easily. The symbol as well as the "Drag and drop to reorganize" tool tip appear when you scroll over the beginning of the rule.

This column shows the status of the rule: On/Off. Double-click on it to change its status. By doing this once, you will enable the NAT rule. Repeat the operation to disable it.
NOTE
Source address translation manages stateless IP protocols (GRE) but with the following restriction:
if two clients go through the same firewall, they will not be able to connect to the same server at the same time. Stormshield Network’s intrusion prevention engine will block packets received by the second client.
After 5 minutes, the intrusion prevention engine will deem the session too old and will allow the second client to take over.
General tab in the rule editing window
General section
Status | Select On or Off to respectively enable or disable the rule being edited. |
Comments | You can enter comments in this area; they will be displayed at the end of the rule when the address translation policy is displayed. |
Advanced properties section
Rule name | You can assign a name to the NAT rule; this name will be used in logs and facilitates identification of the NAT rule during searches in logs or views (Logs - Audit logs menu). |

General tab
General section
User | The rule will apply to the user or the user group that you select in this field. There are three choices by default: |
Source hosts | The rule will apply to the object that you select in this field. The source host is the host from which the treated packet originated: it is the sender of the packet. You can Add or Delete objects by clicking on the corresponding icons. |
Incoming interface | Interface on which the translation rule applies, presented in the form of a drop-down list. By default, the firewall selects it automatically according to the operation and the source and destination IP addresses. It can be modified to apply the rule to another interface. This also allows specifying a particular interface if “Any” has been selected as the source host. |
Click on Ok to confirm your configuration.
Advanced properties tab
Advanced properties section
Source port | This field allows specifying the port used by the source host. By default, the "Stateful" module memorizes the source port used and only this port will then be allowed for return packets. |
Source DSCP | This field refers to the DSCP code of the received packet. |
Authentication section
Authentication method | This field allows restricting the application of the filter rule to the selected authentication method. |
Click on Ok to confirm your configuration.

General tab
General section
Destination hosts | Select the destination host of the traffic from the object database in the drop-down list. |
Destination Port | If you wish to translate the traffic’s destination port, select one from the objects in the drop-down list. The object “Any” is selected by default. |
You can Add or Delete objects, or Create objects, by clicking on the corresponding icons. Click on Ok to confirm your configuration.
NOTE
Load balancing types other than a connection hash can be selected with a destination port range.
Advanced properties tab
Advanced properties section
Outgoing interface | This option allows selecting the outgoing interface for the translated traffic. By default, the firewall selects it automatically according to the operation and source and destination IP addresses. It can be modified to restrict the rule to a particular interface. |
ARP publication | This option makes the IP address that is to be published reachable via the firewall’s MAC address. |
NOTE
The ARP publication option is now assigned to the original destination (traffic before translation), whose IP address is indeed published, and not to the translated destination.

General tab
General section
Translated source host | The rule will apply to the object that you select in this field. The translated source host refers to the new IP address of the source host, after its translation by NAT. |
Translated source port | This field allows specifying the source port used by the source host after translation. By default, the "Stateful" module memorizes the source port used and only this port will then be allowed for return packets. The creation of a source address sharing rule (masquerading) assigns the value ephemeral_fw to this field. |
Select a random translated source port | By selecting this option, the firewall will randomly select the translated source port from the list (e.g.: ephemeral_fw). This prevents the source ports of subsequent connections from being anticipated, which would be possible if they were assigned consecutively, and thereby strengthens security. |
Click on Ok to confirm your configuration.
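The two fields above, together with the NOTE on stateless protocols earlier on this page, describe three behaviours of source address sharing that are easier to see in code: the "Stateful" module memorizes the translated source port and only that port is accepted for return packets; consecutive port assignment makes the next translated port predictable, which the random option avoids; and a protocol without ports (GRE) gives the firewall nothing to tell two inside clients apart, so the second client to reach the same server is blocked until the first session is deemed too old. The following added example is not Stormshield's code: it is a toy masquerading state table whose port range standing in for `ephemeral_fw`, timeout constant, class and method names, and addresses are all constructed for the demonstration.

```python
import random
from typing import Dict, Optional, Tuple

# Constructed stand-in for the ephemeral_fw port object; the real range is a
# property of the firewall and is assumed here.
EPHEMERAL_RANGE = (20000, 59999)
# Seconds after which a stateless (GRE) session is considered too old (page: 5 minutes).
STATELESS_TIMEOUT = 300.0

# return-path key: (proto, translated port, remote ip, remote port); port fields are None for GRE
RetKey = Tuple[str, Optional[int], str, Optional[int]]
# state: (inside ip, inside port, last seen)
State = Tuple[str, Optional[int], float]


class MasqueradeTable:
    """Toy source-NAT (masquerading) state for one public address."""

    def __init__(self, public_ip: str, random_ports: bool = False, seed: Optional[int] = None):
        self.public_ip = public_ip
        self.random_ports = random_ports      # the "Select a random translated source port" option
        self.rng = random.Random(seed)
        self.next_seq = EPHEMERAL_RANGE[0]    # next port when assigning consecutively
        self.ret: Dict[RetKey, State] = {}

    def _allocate_port(self, proto: str) -> int:
        low, high = EPHEMERAL_RANGE
        in_use = {k[1] for k in self.ret if k[0] == proto}
        if self.random_ports:
            for _ in range(10_000):
                p = self.rng.randint(low, high)
                if p not in in_use:
                    return p
            raise RuntimeError("ephemeral port range exhausted")
        p = self.next_seq
        while p in in_use:
            p += 1
        if p > high:
            raise RuntimeError("ephemeral port range exhausted")
        self.next_seq = p + 1
        return p

    def translate_outbound(self, proto: str, src_ip: str, dst_ip: str,
                           src_port: Optional[int] = None, dst_port: Optional[int] = None,
                           now: float = 0.0) -> Optional[Tuple[str, Optional[int]]]:
        """Apply source NAT to an outbound packet; returns (public ip, translated port) or None if dropped."""
        if proto == "gre":
            # No ports: the return mapping can only be keyed on the remote address,
            # so a second inside host talking to the same server cannot be distinguished.
            key: RetKey = ("gre", None, dst_ip, None)
            owner = self.ret.get(key)
            if owner is not None and owner[0] != src_ip and now - owner[2] < STATELESS_TIMEOUT:
                return None  # blocked until the first client's session is too old
            self.ret[key] = (src_ip, None, now)
            return (self.public_ip, None)
        # TCP/UDP: reuse the memorized port for an already known 5-tuple
        for key, (ip, port, _) in self.ret.items():
            if key[0] == proto and key[2:] == (dst_ip, dst_port) and (ip, port) == (src_ip, src_port):
                self.ret[key] = (ip, port, now)
                return (self.public_ip, key[1])
        tport = self._allocate_port(proto)
        self.ret[(proto, tport, dst_ip, dst_port)] = (src_ip, src_port, now)
        return (self.public_ip, tport)

    def translate_return(self, proto: str, remote_ip: str, public_port: Optional[int] = None,
                         remote_port: Optional[int] = None) -> Optional[Tuple[str, Optional[int]]]:
        """Map a packet arriving at the public address back to the inside host.
        Only the memorized translated port is accepted; anything else has no state and is dropped."""
        entry = self.ret.get((proto, public_port, remote_ip, remote_port))
        return None if entry is None else (entry[0], entry[1])


def ports_are_consecutive(ports) -> bool:
    """True when each translated port is exactly one more than the previous, i.e. predictable."""
    return all(b == a + 1 for a, b in zip(ports, ports[1:]))
```

With consecutive assignment two successive flows receive 20000 and 20001, a return packet to 20002 finds no state, and a second inside host sending GRE to a server already in use is dropped until 300 seconds have passed; with the random option the same five flows receive five distinct, non-consecutive ports from the range.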
Advanced properties tab
Load balancing section
Load balancing type | This option distributes the translated source address of outgoing packets among several IP addresses. The load balancing method depends on the algorithm used. Several load balancing algorithms are available: |
ARP publication | This option makes the IP address that is to be published reachable via the firewall’s MAC address. |
Click on Ok to confirm your configuration.

General tab
General section
Translated destination host | This field allows selecting the destination host of the translated packet from the drop-down list of objects. |
Translated destination port | This field allows specifying the port used by the destination host. |
Click on Ok to confirm your configuration.
Advanced properties tab
NOTE
Load balancing types other than a connection hash can be selected with a destination port range.
Load balancing section
Load balancing type | This option allows distributing the transmission of packets among several destination IP addresses. The load balancing method depends on the algorithm used. Several load balancing algorithms are available: |
Between ports | This option allows distributing the transmission of packets among several destination ports. The load balancing method depends on the algorithm used. The load balancing algorithms are the same as the ones described earlier. |
Click on Ok to confirm your configuration.
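The two options above distribute translated traffic over several destination hosts and, with Between ports, over several destination ports; the page names only the connection hash among the algorithms. The following added example is not Stormshield's code: it is a toy destination pool whose three methods (plain round robin, a source-address hash and a connection hash) are an assumption chosen to show the property a practitioner cares about when picking one: round robin spreads packets regardless of who sent them, a source hash pins each client address to one target, and a connection hash pins each connection to one target while still spreading different connections from the same client. The same idea applies to the source-side load balancing described earlier on this page. Class, function and address values are constructed.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Tuple

Target = Tuple[str, int]  # (translated destination host, translated destination port)


class DestinationPool:
    """Toy destination-NAT load balancer over a set of hosts and a set of ports."""

    METHODS = ("round_robin", "source_hash", "connection_hash")

    def __init__(self, hosts: List[str], ports: List[int], method: str):
        if method not in self.METHODS:
            raise ValueError(f"unknown method {method!r}")
        # every (host, port) combination is a possible translated destination
        self.targets: List[Target] = [(h, p) for h in hosts for p in ports]
        self.method = method
        self._next = 0

    @staticmethod
    def _hash_index(material: str, modulus: int) -> int:
        digest = hashlib.sha256(material.encode()).digest()
        return int.from_bytes(digest[:8], "big") % modulus

    def pick(self, src_ip: str, src_port: int, proto: str = "tcp") -> Target:
        """Choose the translated destination for one new connection."""
        n = len(self.targets)
        if self.method == "round_robin":
            target = self.targets[self._next % n]
            self._next += 1
            return target
        if self.method == "source_hash":
            # all connections from one client address land on the same target
            return self.targets[self._hash_index(src_ip, n)]
        # connection_hash: the connection identity decides, so a given connection
        # is always mapped the same way while different connections spread out
        return self.targets[self._hash_index(f"{proto}|{src_ip}|{src_port}", n)]


def distribution(pool: DestinationPool, connections) -> Dict[Target, int]:
    """Count how many of the given (src_ip, src_port) connections each target receives."""
    return dict(Counter(pool.pick(ip, port) for ip, port in connections))


def sample_connections(n: int) -> List[Tuple[str, int]]:
    """Constructed sample: n connections from a handful of client addresses."""
    return [(f"198.51.100.{1 + i % 7}", 40000 + i) for i in range(n)]


if __name__ == "__main__":
    for method in DestinationPool.METHODS:
        pool = DestinationPool(["172.16.0.10", "172.16.0.11"], [8080, 8081], method)
        print(method, distribution(pool, sample_connections(400)))
```

Running the module prints, for each method, how 400 constructed connections from seven client addresses are spread over the four host/port targets: round robin is exactly even, the connection hash is close to even, and the source hash concentrates the seven clients on at most seven targets.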

Protocol section
Depending on the protocol type that you choose here, the following field that appears will vary:
Protocol type | Select the desired protocol type. The value of the following fields varies according to your choice. |
Application protocol | The advantage of this choice is being able to apply application analysis on a port other than the default port. When this protocol type is selected: |
IP protocol | When this protocol type is selected: |
Ethernet protocol | When this protocol type is selected, select the desired Ethernet protocol from the drop-down list. |

Log level | Logging traffic allows facilitating diagnosis and troubleshooting. The results will be stored in the filter log files. |
NAT inside IPsec tunnel (before encryption, after decryption) | If this option is selected, the encryption policy will be applied to the translated traffic. The NAT operation is performed just before encryption by the IPsec module when packets are sent, and just after decryption when packets are received. |

You can add a description that will allow distinguishing your NAT rule and its characteristics more easily.
Comments on new rules indicate the date on which they were created and the user who created them, if the rules were not created by the "admin" account, in the form "Created on {date} by {login} ({IP address})". This automatic information may be disabled by unselecting the option "Comments about rules with creation date (Filtering and NAT)" found in the Preferences module.