Sophos Central Firewall Manager (CFM) maintenance scheduled for Wednesday, July 8th starting at 06:30 GMT. Expected time to complete is 5 hours. Partners will be unable to access CFM during this period.

dnat position

Hi guys.


I could take a doubt.


I like to organize the firewall rules and always think about the order of the rules.
What would be the best position for DNAT rules? On top of all the rules? At the end of all the rules? Or does none of this make a difference?

I will have to free up access to more than 50 NVR from the vpn to another subnet, in another zone. It will be used a lot and will have an average of 15 ~ 20Mbps of troughput, limited in Traffic Shape. Can the rule's position interfere with performance?

As it is a rule that will be used a lot, the ideal would be to keep on top of all the rules, but I was unable to find a drawing with flow of packages in the XG box.

I would like to remove this doubt in both versions 17.5 and 18.

Is there a design with the packet flow in XG?
Sorry for the question, I come from iptables and knowing that order of rules helps a lot in tunnig.

  • HI  

    Please refer to the article - https://community.sophos.com/kb/en-us/126230

    Hope this helps!

  • It is actually quite easy. 

    Firewall is to allow a packet. NAT is to translate a packet. There are completely separate. 

    In V17.5, the firewall rule is stick together to the NAT. Image two tables, NAT and Firewall. XG will run both tables and check for the first matching Rule in NAT and in Firewall. 

    In v17.5 (D)NAT will hit with the one rule. 

    In V18, as they are split up, the tables will run differently but the technique behind those tables are still the same. 

     

    For example: 

    Firewall Rule 1-3 

    NAT Rule A-C 

    If you have a Rule 1 and Rule A matching or a Rule called 1A, does not matter. 

    V18 will split those tables up into 1-3 and A-C 

    V17.5 has the tables together: Rule 1, 2B, 3C 

    This comes with advantages and disadvantages. 

  • In reply to LuCar Toni:

    Thank you guys for your time.

    I made a very stupid explanation. So it was not understood.

    Forgive me. Forgive my English.

    Allow me to improve the question.

    I know how to organize the rules and I understand how NAT works in XG.

    My question is in performance. I don't know how XG handles packet flow.

    XG rules are read from top to bottom. If there are a lot of rules, a rule that is much requested at the end of the list, would it cause increased use of the box?