We'd love to hear about it! Click here to go to the product suggestion community
Based on the discussion and queries we have observed on various threads, here is the things to know about new decoupled NAT and firewall changes in v18.
Update - This in-depth video has been produced to help explain the new NAT changes in SFOS v18: https://player.vimeo.com/video/376241042
1) What is changed related to NAT in XG firewall v18? What is Decoupled NAT? Why we changed?
with v18, XG firewall has moved towards more standardized NAT design in which network translation configuration is now decoupled from firewalling configuration for better manageability in the larger sized deployments.
Starting XG firewall v18, NAT is now a separate rule table that will be traversed from top to bottom prioritized rule set for network translation decisions. The configuration offers better flexibility, manageability with less number of NAT & firewall rules. With v18, XG Firewall’s enterprise NAT capability is now at par with other competitive players.
The new design offers ease of configuration and management for all NAT capabilities:
Based on what we have been hearing from our customers, v18 now removes confusing business application firewall rule type existing in v17.x and earlier. destination NAT capability of the biz apps rule has been folded into the same NAT rule. Single firewall rule type can now achieve WAF (as a part of action) and other security configurations.
For customers who don't want to manage a separate NAT rule table, XG firewall v18 offers a differentiating LinkedNAT functionality - refer LinkedNAT specific FAQs for details.
2) I am running v17.x; will there be any impact/ behavior change on my existing deployment (specific to NAT) if I upgrade to v18?
No. We have implemented the migration in such a way that it will automatically migrate v17.x NAT configuration (integrated into firewall rule) to v18 NAT configurations. You need not to take any manual steps.
When you migrate from v17.x to v18, you would see many LinkedNAT rules already created – many of them could be with similar source NAT translation, for example – many rules with MASQ as source translation. We cannot consolidate/ optimize the same automatically during migration as there could be deployments with firewall rules on v17.x without any NAT configured. You can decide to manually optimize the NAT table by creating single source translation NAT rule that takes care of translating source for multiple firewall rules, for example - single MASQ rule at the bottom of the NAT table. And you can delete multiple LinkedNAT rule created during migration.
3) After upgrading to v18, I see many LinkedNAT rule created on the NAT rule table. Is this normal? Can you not optimize this further in the migration?
We have implemented the migration in such a way that it will automatically migrate v17.x NAT configuration (integrated into firewall rule) to v18 NAT configurations. You need not to take any manual steps.
4) After upgrading to v18, I see a non-editable checkbox on migrated firewall rules that says "Do not apply this migrated rule to system-destined traffic". Why it is there?
This is to retain the rule matching behavior of v17.x even though we have removed Business application rule type.
In SFOS 17.x and earlier, although business application rules and user-network rules were listed in a single rule table, XG Firewall evaluated these rule types independently to find matching criteria. For system-destined traffic (example: accessing XG Firewall services) and incoming traffic (example: to internal servers) that matches a destination NAT business application rule, it ignored user-network rules and matched the traffic with business application rules.
From v18, XG Firewall has removed the distinction between business application and user-network rules. It now offers both as firewall rules. To ensure that the consolidation does not affect the rule-matching behavior of earlier versions, it will continue to ignore migrated user-network rules positioned above migrated business application rules for system-destined traffic and incoming traffic.
This is a read-only checkbox in the firewall rule that tells system to retain rule matching behavior of v17.x even after migrating onto v18.
5) I am creating a firewall rule for DNAT (destination translation) rule. Why should I configure Dst Zone match in firewall rule as (mostly) local zone (LAN/ DMZ). And, why should I configure Dst network match in firewall rule as original Dst IP (WAN IP on XG)?
When you create firewall rule for NAT rule in which destination is translated, you would match Dst zone as the ultimate zone in which the traffic would terminate (that is local zone – DMZ or LAN). However, you would (want to) match against the original destination IP (WAN IP on XG), here’s why:
6) What is LinkedNAT?
With v18, XG firewall has moved towards more standardized NAT design in which network translation configuration is now decoupled from firewalling configuration for better manageability in the larger sized deployments.
However, For customers who don't want to manage a separate NAT rule table, XG firewall v18 offers a differentiating LinkedNAT feature to grandfather existing customers over to the new design in the long run. The linkedNAT feature is fundamentally designed to provide inline source NAT rule creation from firewall rule. Matching criteria for the LinkedNAT rule is linked with the respective firewall rule, admin only needs to configure or edit the Src translation decision in the LinkedNAT rule.
This means LinkedNAT rule will only be applied to the traffic matching that specific firewall rule. However, if standard NAT rules are placed before the linkedNAT rule that match the traffic, the matching NAT rule would apply. That means, LinkedNAT does NOT guarantee that it will be matched for respective firewall rule traffic (if admin creates standard NAT rule before LinkedNAT). NAT rule table will always be matched from top to bottom priority order. There is no special or reserved priority in execution for LinkedNAT rule.
LinkedNAT rule is only possible for SNAT (source translation) configuration, not for Destination translation (DNAT).
7) Is it mandatory to use LinkedNAT? Where should I use LinkedNAT?
It is not mandatory to use LinkedNAT. With v18, XG firewall has moved towards more standardized NAT design in which network translation configuration is now decoupled from firewalling configuration for better manageability.
If you have a small scale deployment (small set of firewall rules) and you don't want to manage a separate NAT rule table, you can create LinkedNAT directly from the firewall rule and ONLY configure Src translation decision while matching criteria are automatically linked with the respective firewall rule.
If you have to differentiate SNAT configuration based on Users or Schedules criteria, LinkedNAT rule becomes mandatory there. However, such configuration need is very rare, we have NOT observed such configuration in practical deployments. Also, LinkedNAT rule is only possible for SNAT (source translation) configuration, not for Destination translation (DNAT).
8) What is the new disabled “Drop ALL” rule at the bottom of the firewall rule table?
The default drop rule provides visual indication to user / admin that if none of the firewall rule gets match, traffic will be dropped.
You reported about two specific challenges that admin faces in v17.x.
Currently, the logs that you see with firewall rule id ‘0’ are NOT for the traffic dropped by Drop ALL rule. In later EAP releases, we would replace them with “N/A” as those are for the traffic dropped before the firewall rule matches – for example – invalid traffic. And actual logs for traffic dropped by Drop ALL default behavior will be available in the release post v18. Meanwhile – as a workaround, one can add a drop rule at the bottom to log the dropped traffic not matched by any other firewall rule.
9) Do I have any demo/ training on how to configure various NAT in the new design?
To help you evaluate XG firewall v18 better in this early access program, here is the interactive training/ work through course - video along with the PDF handout and speaker notes. Here is the interactive course to work through XG Firewall v18.0:
Your Sophos XG Firewall Product Team
In reply to Big_Buck:
More likely to consider the new Interface (Zone) Matching Criteria. You can match NAT Rules quite easily without having to match anything.
SNAT (MASQ). One Rule - Done.
Inbound NAT - One Rule - Done.
One Server has a specific SNAT (Full NAT) need? One Rule over your Default Nat - Done.
In reply to Jindrich:
I was critical of this change and how it was presented in the UI at first. I know the presentation is going to be fixed and will make sense once it is. The training actually does a good job of explaining this (after I watched it and read the supplement; the video alone doesn't do enough in my opinion).
We have been in the Astaro/UTM/XG ecosystem for a long time now and I forgot how everyone else does this. Once I took a step back and looked at this through the lens of the other firewall vendors, it makes total sense. Some of those other vendors have a fair amount of default NAT rules as well. They didn't have the conundrum like Sophos has with trying to migrate the rules from an old system to this new style. I can appreciate the stance Sophos has taken to be cautious and just do a one for one when upgrading.
In the end, this is by far the best change they are implementing, in my opinion.
We have published how-to video guide exclusive for NAT enhancements in v18. This covers SNAT, DNAT and PAT with deployment examples; explains migration from v17.x, caveats, additional details and troubleshooting guidance.
Here is the how-to video guide link: NAT Configurations in XG firewall v18
So my first experience upgrading from 17 to 18, ughh... horrible, supposed to work flawlessly with no impact. I upgraded and now my internet connection does NOT work at all, traffic doesn't seem to get from the LAN to WAN interface as before in 17, for no apparent reason. So I even tried creating an any/any accept firewall rule, and global NAT rule and still nothing.
Something is horrendously broken in the upgrade process fr me, and unfortunately I can't sit with downtime all week long trying to troubleshoot it.
In reply to Daniel Creed:
How many rules and networks do you have in there ?
For my curiosity ...
if you upgraded to the latest version v18 MR-1, I suggest you roll back to v17 there appears to be a bug in v18 MR-1 which is causing traffic to be blocked.
Just and internal and WAN interface... this is a small install in my home. Maybe 6 rules.
Thanks for your feedback.
I will send you PM for more details purpose.
I have upgraded four firewalls as of now without a glitch. Except for the fact that a wireless device backup will not be uploadable on a non wireless device.