Actions on NAT policy rules

Search This field makes it possible to perform searches by occurrence, letter or word.

EXAMPLE
If you enter “Any” in the field, all NAT rules containing “Any” will be displayed in the table.

New rule Inserts a new line after the selected line. Four choices are available:
  • Single rule: This option allows creating an inactive NAT rule which will need to be configured.
  • Source address sharing rule (masquerading): This option creates a dynamic NAT rule of the PAT (Port Address Translation) type. This type of rule translates multiple source IP addresses into one or N IP addresses. The translated source port range selected by default is ephemeral_fw (corresponding to the port range from 20000 to 59999 inclusive), so the source port is rewritten as well as the source address.
    The wizard selects, as the destination interface, the interface corresponding to the network of the translated source address.
  • Separator – rule grouping: This option allows inserting a separator above the selected line.
    This separator makes it possible to group rules that apply to traffic going to different servers and helps to improve the NAT policy’s readability and visibility by indicating a comment.
    Separators indicate the number of grouped rules and the numbers of the first and last rules in the form: “Rule name (contains the total number of rules, from first to last)”.
    You can collapse or expand the node of the separator in order to show or hide the rule grouping. You can also copy/paste a separator from one location to another.
  • Static NAT rule (bimap): The principle of static address translation is to convert an IP address (or N public IP addresses) to another address (or N private IP addresses) when going through the firewall, whatever the origin of the connection.
    A wizard window allows you to map a private IP address to a public (virtual) IP address by defining their parameters. You must also choose from the drop-down lists the private and virtual hosts for your IPs, as well as the interface on which you wish to apply them.
    The Advanced properties field makes it possible to restrict the translation to a port or port group, and to enable ARP publication, which makes the firewall answer ARP requests for the virtual IP address with its own MAC address so that the address is reachable on that interface.
    You are however advised to restrict access to a port or port group through a filter rule matching this traffic instead, since a filter rule can carry additional criteria that make the restriction more precise.
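The masquerading rule described above rewrites both the source address and the source port. The following is an added example, not code from the page or from the Stormshield product, of a minimal PAT state table: several private hosts share one public address, each new connection gets a fresh source port from the ephemeral_fw range (20000 to 59999 inclusive, the default quoted above), and the same table de-translates the reply. The class and method names, the public address and the private hosts are assumptions chosen for the illustration.

```python
"""Added example: a toy masquerading (PAT) state table.

Not Stormshield code. Illustrates why the source port must be rewritten when
many private addresses are hidden behind one public address: two hosts using
the same source port towards the same server would otherwise be
indistinguishable in the reply.
"""
from collections import deque
from typing import Dict, Optional, Tuple

# Default translated source port range named on the page: 20000..59999 inclusive.
EPHEMERAL_FW = range(20000, 60000)

Flow = Tuple[str, str, int, str, int]        # (proto, src_ip, src_port, dst_ip, dst_port)
Reply = Tuple[str, str, int, int]            # (proto, remote_ip, remote_port, nat_port)


class Masquerade:
    """Translate outbound flows to public_ip:<port from pool> and map replies back."""

    def __init__(self, public_ip: str, ports: range = EPHEMERAL_FW) -> None:
        self.public_ip = public_ip                 # assumed firewall address
        self._free = deque(ports)                  # unused translated source ports
        self._fwd: Dict[Flow, int] = {}            # original flow -> translated port
        self._rev: Dict[Reply, Tuple[str, int]] = {}  # reply tuple -> original (ip, port)

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Return the (public_ip, translated_port) used for this flow, allocating one if new."""
        key: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self._fwd:
            if not self._free:
                # The pool is finite: exhausting it means new connections fail.
                raise RuntimeError("ephemeral_fw port range exhausted")
            nat_port = self._free.popleft()
            self._fwd[key] = nat_port
            self._rev[(proto, dst_ip, dst_port, nat_port)] = (src_ip, src_port)
        return self.public_ip, self._fwd[key]

    def inbound(self, proto: str, remote_ip: str, remote_port: int,
                nat_port: int) -> Optional[Tuple[str, int]]:
        """De-translate a packet arriving at public_ip:nat_port from remote_ip:remote_port.

        Returns the original (private_ip, private_port), or None when no state
        exists: an unsolicited inbound packet has nowhere to go and is dropped.
        """
        return self._rev.get((proto, remote_ip, remote_port, nat_port))

    def close(self, proto: str, src_ip: str, src_port: int,
              dst_ip: str, dst_port: int) -> None:
        """Release the translated port of a finished flow back to the pool."""
        key: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        nat_port = self._fwd.pop(key, None)
        if nat_port is not None:
            del self._rev[(proto, dst_ip, dst_port, nat_port)]
            self._free.append(nat_port)


if __name__ == "__main__":
    # Constructed sample traffic: two private hosts, same source port, same server.
    fw = Masquerade("203.0.113.1")
    print(fw.outbound("tcp", "10.0.0.5", 40000, "198.51.100.7", 443))  # port 20000
    print(fw.outbound("tcp", "10.0.0.6", 40000, "198.51.100.7", 443))  # port 20001
    print(fw.inbound("tcp", "198.51.100.7", 443, 20001))                # 10.0.0.6:40000
    print(fw.inbound("tcp", "198.51.100.7", 443, 20500))                # None: unsolicited
```

The two private hosts pick the same source port 40000, so only the translated port (20000 versus 20001) tells their replies apart; that is the reason the rule rewrites the source port and not just the address. A reply to a port with no state entry returns None, which is the behaviour a practitioner should expect for unsolicited inbound traffic behind a masquerading rule.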

Click on Finish to confirm your configuration.

Do note that for an N-to-N bimap rule, the original and translated address ranges, networks or host groups must be of the same size.

Bi-directional translation is generally used to allow access to a server from the outside through a public IP address that is not the same as the host’s real address.

The “bimap” action supports address ranges. Source and translated addresses are paired in order: the “smallest” address in the source field is translated to the “smallest” address in the translated field, the second smallest to the second smallest, and so on.
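To make the two constraints above concrete (equal sizes, and pairing in ascending order), here is an added example, not code from the page or from the product, that builds an N-to-N bimap table from an original and a translated range and applies it in both directions: the destination is rewritten on traffic arriving for a public address, and the source is rewritten on traffic leaving from a private address. The function names, the address ranges and the packet representation are assumptions made for the illustration.

```python
"""Added example: N-to-N static NAT (bimap) table. Not Stormshield code.

Ranges may be given as CIDR networks ("192.168.10.0/30"), as "start-end"
ranges, or as single hosts. Sizes must match, and addresses are paired in
ascending order, smallest to smallest, as the page describes.
"""
import ipaddress
from typing import Dict, List, Tuple


def expand(spec: str) -> List[ipaddress._BaseAddress]:
    """Return every address covered by spec, in ascending order."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if end < start:
            raise ValueError(f"reversed range: {spec}")
        return [ipaddress.ip_address(int(start) + i) for i in range(int(end) - int(start) + 1)]
    # A CIDR network expands to all of its addresses; a bare host is a /32.
    return list(ipaddress.ip_network(spec, strict=False))


def ranges_match(original: str, translated: str) -> bool:
    """The size check the page requires for an N-to-N bimap rule."""
    return len(expand(original)) == len(expand(translated))


def build_bimap(original: str, translated: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (inbound, outbound) maps.

    inbound : public (translated) address -> private (original) address
    outbound: private (original) address -> public (translated) address
    """
    orig, trans = expand(original), expand(translated)
    if len(orig) != len(trans):
        raise ValueError(
            f"bimap ranges differ in size: {original} has {len(orig)} addresses, "
            f"{translated} has {len(trans)}"
        )
    # expand() already returns ascending order, so zip pairs smallest with smallest.
    outbound = {str(o): str(t) for o, t in zip(orig, trans)}
    inbound = {str(t): str(o) for o, t in zip(orig, trans)}
    return inbound, outbound


def translate_packet(pkt: Dict[str, str], inbound: Dict[str, str],
                     outbound: Dict[str, str]) -> Dict[str, str]:
    """Apply the bimap to a packet given as {"src": ..., "dst": ...}.

    Returns a new packet plus a "nat" key saying which field was rewritten;
    traffic that matches neither side is passed through untouched.
    """
    out = dict(pkt)
    if pkt["dst"] in inbound:            # arriving for a virtual/public address
        out["dst"] = inbound[pkt["dst"]]
        out["nat"] = "dst"
    elif pkt["src"] in outbound:         # leaving from a private address
        out["src"] = outbound[pkt["src"]]
        out["nat"] = "src"
    else:
        out["nat"] = "none"
    return out


if __name__ == "__main__":
    # Constructed sample: four private hosts mapped to four public addresses.
    inb, outb = build_bimap("192.168.10.10-192.168.10.13", "203.0.113.10-203.0.113.13")
    print(translate_packet({"src": "198.51.100.7", "dst": "203.0.113.12"}, inb, outb))
    print(translate_packet({"src": "192.168.10.11", "dst": "198.51.100.7"}, inb, outb))
    print(ranges_match("192.168.10.0/24", "203.0.113.0/25"))  # False: 256 vs 128 addresses
```

Because the pairing is positional, changing either range (for example replacing a /30 by a range that starts one address higher) silently changes which private host answers behind each public address; checking the resulting table, as the example prints, is worth doing before relying on such a rule.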

When a virtual IP address is selected, the corresponding interface will be selected automatically. This interface will be used as the source of the redirection rule and as the destination for rules that rewrite the source.
Delete Deletes the selected line.
Move up Places the selected line before the line just above it.
Move down Places the selected line after the line just below it.
Expand all Expands all rules in the tree.
Collapse all Collapses all rule groupings (separators) in the tree.
Cut Cuts a NAT rule in order to move it elsewhere.
Copy Copies a NAT rule in order to duplicate it.
Paste Duplicates a NAT rule after having copied it.
Search in logs Whenever a NAT rule is selected, click on this button to automatically search for the name of the rule in the "All logs" view (Logs > Audit logs > Views module). If the selected rule has not been named, a warning message will indicate that the search cannot be performed.
Search in monitoring Whenever a NAT rule is selected, click on this button to automatically search for the name of the rule in the connection monitoring module.
Reset rules statistics Clicking on this button reinitializes the numeric and graphical counters showing how NAT rules are used, located in the first column of the table.
Reset columns

When you click on the arrow on the right in the field containing a column’s name (example: Status), you will be able to display additional columns or remove columns so that they will not be visible on the screen, by checking or unchecking them.

EXAMPLE
Tick the options “Name” and “Src port” which are not displayed by default.
By clicking on reset columns, your columns will be reset to their original settings, before you selected any additional columns. As such, “Name” and “Src port” will be hidden again.

NOTE
If you click the “Move up” button ten times in quick succession, the rule moves up each time but the waiting window only appears once you have left the button alone for 2 or 3 seconds; the moves are then sent as a single command. This makes moving rules much more fluid.