Example 3: NAT rules with a failover between the three outgoing links of the LILLE site

This example illustrates a setup with failover between the three Internet access WAN links of the LILLE site through a router object.

Creating the router object that will be the default route

  1. Go to Configuration > Objects > Network.
  2. Click on Add.
  3. In the column on the left side of the object creation window, select Router.

General properties

  1. Name the object (e.g., ROUTER-LILLE-WAN-FAILOVER).

Monitoring

  1. For the Detection method, select ICMP.
  2. Adjust the Timeout (s) as needed.
  3. Adjust the Interval (s) as needed.
  4. Adjust the number of Failures before degradation (3 by default).

SD-WAN SLA (thresholds)

  1. Select SD-WAN SLA (thresholds).
  2. Adjust the Latency (ms) as needed.
  3. Adjust the Jitter (ms) as needed.
  4. Adjust the Packet loss rate (%) as needed.
  5. Do not enter an Unavailability rate (%).

Gateways

  1. In the Gateways used tab, click on Add.
  2. In the Gateway column, select the object LIL-WAN-1.
  3. In the Device(s) for testing availability column, select Test the gateway directly.
  4. In the Backup gateways tab, click on Add.
  5. In the Gateway column, select the object LIL-WAN-2.
  6. Repeat steps 4 and 5 to add the object LIL-WAN-3.
  7. In the Device(s) for testing availability column, select Test the gateway directly.

Advanced properties

  1. In Advanced properties, select No load balancing for the Load balancing field.
  2. For Enable backup gateways, select When all gateways cannot be reached.
  3. Click on Apply then Save.

Setting this router object as the FW-LILLE firewall's gateway

  1. Go to Configuration > Network > Routing.
  2. In the Default gateway field, select the router object that was created earlier (ROUTER-LILLE-WAN-FAILOVER in this example).
  3. Click on Apply then Save.

Creating the filter rule that allows internal networks to access the Internet

  1. Go to Configuration > Security policy > Filter - NAT, Filtering tab.
  2. Click on New rule > Single rule.
  3. Double-click in any column in this rule.
  4. General menu on the left: switch the Status of the rule to On.
  5. Action menu, General tab: set the Action to pass.
  6. Source menu on the left: double-click on the object Any and replace it with the object Network_internals.
  7. Destination menu on the left: double-click on the object Any and replace it with the object Internet.
  8. Port/Protocol menu on the left: add to the grid the Destination ports of the various objects corresponding to the ports to be allowed in this filter rule.
  9. Inspection menu on the left: we recommend leaving the default Inspection level, IPS.
  10. Click on OK.
  11. Click on Apply.

Creating address translation (NAT) rules for traffic towards the Internet

  1. Go to Configuration > Security policy > Filter - NAT, NAT tab.

First LILLE WAN access link

  1. Click on New rule > Single rule.
  2. Double-click in any column in this rule.
  3. General menu on the left: switch the Status of the rule to On.
  4. Original source menu on the left, Source hosts grid: double-click on the object Any and replace it with the object Network_internals.
  5. Original destination menu on the left:
    1. In the General tab, Destination hosts grid: double-click on the object Any and replace it with the object Internet.
    2. In the Advanced properties tab, Outgoing interface field: select the object corresponding to the first LILLE WAN interface (WAN-1 in the example).
  6. Translated source menu on the left:
    1. Translated source host field: select the object corresponding to the first public IP address of the firewall (Firewall_WAN-1 in this example).
    2. Translated source port field: select the object ephemeral_fw.
    3. Select Choose random translated source port.
  7. Click on OK.

Repeat steps 1 to 7 above to create the NAT rules corresponding to the two other WAN access links of the LILLE site with the following objects:

Second LILLE WAN access link

Field                                        Value
Original source - Source hosts               Network_internals
Original destination - Destination hosts     Internet
Original destination - Outgoing interface    WAN-2
Translated source - Translated source host   Firewall_WAN-2

Third LILLE WAN access link

Field                                        Value
Original source - Source hosts               Network_internals
Original destination - Destination hosts     Internet
Original destination - Outgoing interface    WAN-3
Translated source - Translated source host   Firewall_WAN-3

These NAT rules will then look like this:
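Taken together, the router object and the three NAT rules behave as in this added Python model (example code, not Stormshield's or the page's own): the first main gateway carries all traffic (No load balancing), the backup gateways take over only when every main gateway is unreachable, and the Outgoing interface condition binds each egress link to its own public IP object. Assumptions: a gateway counts as unreachable after Failures before degradation consecutive failed ICMP probes, the SD-WAN SLA thresholds are not modelled, and `build_lille_router`, `simulate` and the probe history are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Gateway:
    name: str
    interface: str           # firewall interface behind which the gateway sits (e.g. WAN-1)
    consecutive_failures: int = 0

    def record_probe(self, success: bool) -> None:
        # ICMP detection method: a reply resets the counter, a miss increments it
        self.consecutive_failures = 0 if success else self.consecutive_failures + 1

@dataclass
class FailoverRouter:
    main: list
    backup: list
    failures_before_degradation: int = 3   # page default

    def reachable(self, gw: Gateway) -> bool:
        # Assumption: unreachable once it has failed this many probes in a row
        return gw.consecutive_failures < self.failures_before_degradation

    def active_gateway(self):
        up = [g for g in self.main if self.reachable(g)]
        if up:
            return up[0]   # "No load balancing": one main gateway carries all traffic
        # "Enable backup gateways: When all gateways cannot be reached"
        up = [g for g in self.backup if self.reachable(g)]
        return up[0] if up else None

# The three NAT rules of the page: Outgoing interface -> Translated source host
NAT_RULES = {"WAN-1": "Firewall_WAN-1", "WAN-2": "Firewall_WAN-2", "WAN-3": "Firewall_WAN-3"}

def build_lille_router() -> FailoverRouter:
    # ROUTER-LILLE-WAN-FAILOVER: LIL-WAN-1 as main gateway, LIL-WAN-2/3 as backups
    return FailoverRouter(
        main=[Gateway("LIL-WAN-1", "WAN-1")],
        backup=[Gateway("LIL-WAN-2", "WAN-2"), Gateway("LIL-WAN-3", "WAN-3")],
    )

def simulate(router: FailoverRouter, rounds: list) -> list:
    """One dict of probe results per round; returns the translated source used each round."""
    gateways = {g.name: g for g in router.main + router.backup}
    used = []
    for results in rounds:
        for name, ok in results.items():
            gateways[name].record_probe(ok)
        gw = router.active_gateway()
        used.append(NAT_RULES[gw.interface] if gw else None)  # None: no link, traffic dropped
    return used
```

Feeding a constructed probe history where LIL-WAN-1 misses four probes in a row shows traffic staying on Firewall_WAN-1 for the first two misses, moving to Firewall_WAN-2 on the third, and returning to Firewall_WAN-1 as soon as the main gateway answers again.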