
Version 18 - NAT issues - Outbound internet question

Hi all,

We recently upgraded to version 18 and since then there have been a few issues with outbound traffic. I will give a little overview of the setup so that it will hopefully help to determine what the issue is:

We have our XG firewall as an active-active pair. The gateway of our end-user devices is not set to the XG firewall, but instead to a different firewall that essentially blocks most internet traffic. Users are directed to the XG firewall for internet via a proxy PAC file that is set via Group Policy. The PAC file basically states that any traffic destined for our internal network should go direct, and anything else should go via our XG firewall as a proxy.

We have multiple firewall rules set up that are primarily there to apply web policies, which differ depending on department and location. For example, staff can get to social media, but students' access to social media is more limited.

After the upgrade to V18, outbound internet seemed to stop working. I went onto the firewall rule that applied to the user I was testing with and everything looked correct. In V18, I then created a linked NAT rule and set the translated source (SNAT) to MASQ, and then outbound traffic worked again and everything seemed fine. It looks like the below:

Now, like I said, we have 4 or 5 firewall rules that will match known users based on location and department, IP range, etc., so that they can apply the correct web policy for web filtering. So instead of creating a linked NAT rule for each of these firewall rules, can I just create one manual NAT rule that looks like this:

Basically the original source is any of our internal ranges. Translated source (SNAT): MASQ. My understanding is that this is going to NAT all outbound traffic from any of those internal source networks, masked by our outside IP address and everything will just work.

Am I correct with this? This is also a question about what the best practice is on these things. Hope everything makes sense; I just wanted to check that I am on the right track here.
