Unable to edit NAT-Firewall rule

I am not sure if it is a bug or not, but how can I unlink or edit a NAT to a specific firewall rule?

For example, I see that for each rule, during the migration, a single NAT for each firewall rule has been created. So,

  • I want to edit the NAT-Firewall rule association from firewall rule and from NAT but the option is not available.

Is this by design or a bug?

Thanks

  • It is by design. To be able to change the NAT rule for a firewall rule, you need to:

    • Unlink the NAT rule from the NAT tab
    • Link a new NAT rule from the NAT tab to an existing firewall rule

    Feedback:

    Please:

    • Allow editing and linking the NAT rule from the firewall rule
    • From the firewall rule, use the white space to provide information about the NAT rule you are linking to the rule. For example, NAT_NAME with an "i" information icon, so we can see the NAT rule properties without moving back and forth from the NAT tab.

    Thanks

  • You do not need to link a NAT rule to a FW rule. NAT rules operate on the matching criteria. NAT Rule linking was a needed step for migration. You do not need to unlink rules if you want to keep the same kind of setup you had previously. We would suggest however that over time you unlink rules and create NAT rules based on matching criteria. It may look complicated at first but it is actually more powerful and elegant.


    If you have 100 FW rules now and they are all MASQ rules, that will mean 100 linked NAT rules are created on migration. However it is very likely you could reduce this to a single SNAT rule which applies to all 100 FW rules by the matching criteria.

  • I do not agree with this. Admins should be able to change the NAT from the firewall rule also and not only from the NAT tab. Also, from the firewall rule, there should be a way to view information about the linked NAT rule. A name is not enough!

    Thanks

  • I am working with V18 for a couple of weeks now and I do not use any linked NAT rules anymore.

    I would recommend working with NAT rules that use the interface criteria (for example WAN outbound).

    You can actually use a default NAT rule at the bottom with matching interface WAN and SNAT enabled (MASQ). So you would reduce the need for linked NAT rules from X rules to 1.

    __________________________________________________________________________________________________________________

  • Did you read what I am complaining about?

    Please read carefully! The suggested answer is very bad.

  • I am just trying to point in a direction which could lead to a much simpler rule set.

    If you want to work with linked NAT rules, then I would confirm this issue.

    But if you want to migrate to a one-rule-set setup, this would be the way to go.

    This would also solve your other issue.

    That would be the rule which I am suggesting.


  • Here the documentation speaks clearly:

    Linked NAT rules

    These are source NAT rules and are listed in the NAT rule table. You can identify them by the firewall rule ID and name.

    XG Firewall applies firewall rules before it applies source NAT rules. If a NAT rule above the linked rule meets the matching criteria, XG Firewall applies that rule and doesn’t look further for the linked rule. However, linked NAT rules apply only to traffic that matches the firewall rule they are linked to.

    You can unlink a linked NAT rule from the NAT rule table. Once you unlink the rule from the original firewall rule, you can edit the NAT rule. It will now be evaluated independent of the original firewall rule based on its criteria and not the original firewall rule criteria.

    Guys, make sure when you develop or change a feature to involve system admins. I worked in an environment with 4000+ users; imagine that you have to manage 400+ rules. Click-saving is the way to save admins' time and life!

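The evaluation order the quoted documentation describes (firewall rules first, then the NAT table top-down with first match winning, and a linked NAT rule applying only to traffic that matched its own firewall rule) can be made concrete with a small model. The following is an added illustration, not Sophos code and not part of the documentation or of anyone's post; the rule fields, zone names, addresses and packets are constructed for the example. It also shows the consolidation suggested earlier in the thread: three migrated linked MASQ rules and a single bottom SNAT rule matching on the WAN zone translate the same packets identically, while an unlinked rule placed above a linked rule shadows it, exactly as the documentation says.

```python
"""Toy model of the source-NAT evaluation order quoted from the documentation.

Added illustration only: none of this is Sophos code. Rule fields, zone
names, addresses and packets below are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str        # source address (constructed sample values)
    in_zone: str    # zone the packet arrived from, e.g. "LAN"
    out_zone: str   # zone it leaves through, e.g. "WAN"


@dataclass
class FirewallRule:
    rule_id: int
    name: str
    src_net: str              # matched as an address prefix in this toy model
    src_zone: str
    dst_zone: str
    action: str = "accept"    # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (p.src.startswith(self.src_net)
                and p.in_zone == self.src_zone
                and p.out_zone == self.dst_zone)


@dataclass
class NatRule:
    name: str
    snat: str                           # "MASQ" = outbound interface address, or a fixed IP
    src_net: str = ""                   # "" = any source
    dst_zone: str = "*"                 # "*" = any destination zone
    linked_fw_id: Optional[int] = None  # set only on linked (migrated) NAT rules

    def matches(self, p: Packet, fw_hit: FirewallRule) -> bool:
        # A linked rule applies only to traffic that matched its own firewall rule.
        if self.linked_fw_id is not None and fw_hit.rule_id != self.linked_fw_id:
            return False
        return p.src.startswith(self.src_net) and self.dst_zone in ("*", p.out_zone)


Result = Tuple[Optional[str], Optional[str], Optional[str]]  # (fw rule, nat rule, translation)


def evaluate(p: Packet, fw_rules: List[FirewallRule], nat_rules: List[NatRule]) -> Result:
    """Firewall table first (top-down, first match), then the NAT table the same way."""
    fw_hit = next((r for r in fw_rules if r.matches(p)), None)
    if fw_hit is None or fw_hit.action != "accept":
        # Dropped traffic never reaches source NAT.
        return (fw_hit.name if fw_hit else None, None, None)
    nat_hit = next((n for n in nat_rules if n.matches(p, fw_hit)), None)
    return (fw_hit.name, nat_hit.name if nat_hit else None, nat_hit.snat if nat_hit else None)


# Constructed firewall table: three accept rules plus one drop rule.
FW_RULES = [
    FirewallRule(1, "Sales to WAN", "10.1.", "LAN", "WAN"),
    FirewallRule(2, "Dev to WAN", "10.2.", "LAN", "WAN"),
    FirewallRule(3, "Guest to WAN", "10.3.", "LAN", "WAN"),
    FirewallRule(4, "Block IoT", "10.9.", "LAN", "WAN", action="drop"),
]

# NAT table as a migration leaves it: one linked MASQ rule per accept rule.
LINKED_NAT = [NatRule(f"#{r.rule_id} {r.name}", "MASQ", linked_fw_id=r.rule_id)
              for r in FW_RULES if r.action == "accept"]

# Consolidated table: a single rule at the bottom matching on the WAN zone.
ONE_SNAT = [NatRule("Default SNAT to WAN", "MASQ", dst_zone="WAN")]

# An unlinked rule placed above the linked rules shadows them for matching traffic.
SHADOWING = [NatRule("Dev fixed SNAT", "198.51.100.10", src_net="10.2.", dst_zone="WAN")] + LINKED_NAT

PACKETS = [
    Packet("10.1.0.5", "LAN", "WAN"),
    Packet("10.2.0.7", "LAN", "WAN"),
    Packet("10.3.0.9", "LAN", "WAN"),
    Packet("10.9.0.1", "LAN", "WAN"),    # hits the drop rule
    Packet("172.16.0.4", "DMZ", "WAN"),  # matches no firewall rule
]


def run(nat_table: List[NatRule]) -> List[Result]:
    return [evaluate(p, FW_RULES, nat_table) for p in PACKETS]


def translations(nat_table: List[NatRule]) -> List[Optional[str]]:
    """Only the applied source translation per packet, for comparing two tables."""
    return [r[2] for r in run(nat_table)]


if __name__ == "__main__":
    for label, table in (("linked", LINKED_NAT), ("one SNAT", ONE_SNAT), ("shadowed", SHADOWING)):
        print(f"--- {label} ({len(table)} NAT rules)")
        for p, (fw, nat, snat) in zip(PACKETS, run(table)):
            print(f"{p.src:12} fw={fw!s:14} nat={nat!s:22} -> {snat}")
```

Running it prints the three tables side by side: the linked table and the one-rule table produce the same translation for every packet, the drop rule and the unmatched DMZ packet never reach NAT, and in the shadowed table the Dev traffic is translated by the rule above the linked rules rather than by its linked rule.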

  • Even for a 4000-user deployment, I would rather have a MASQ rule set which simply picks up all traffic going to WAN and masquerades it than have 400 linked NAT rules.

    On one of my appliances, there were 60 linked NAT rules. I simply selected them all, deleted them and recreated one SNAT rule.

    After that change, I was ready to go with the SNAT traffic.


  • I am not asking to remove the NAT rule tab or to change the linked NAT behaviour, but I am complaining that having a single way to edit, unlink or change the NAT, only from the NAT tab, is UNACCEPTABLE.

    NAT rule editing and linking shall be available even from the FIREWALL RULE.

    I hope it is clear now.

    I completely agree that after migration, you can unlink all migrated NATs and link a single NAT to all firewall rules.

  • Hello all,

    I agree with Luk. 

    To LuCar Toni, you mentioned an installation which you have been working with for several weeks. How many firewall rules and corresponding NAT rules does this installation have?
    Sorry, but we work in installations in which there are hundreds of rules (up to 600 firewall rules) and more than 50 NAT rules. How will you filter so many rules according to some criteria to limit the number of displayed rules? And how much time do you spend defining filtering conditions? Sorry again, this implementation is not really a user-friendly solution ...

    Please take a look at the problem from our side, not just how to implement it with the least effort.

    Regards

    alda

  • lferrara said:

    I am not asking to remove the NAT rule tab or to change the linked NAT behaviour, but I am complaining that having a single way to edit, unlink or change the NAT, only from the NAT tab, is UNACCEPTABLE.

    NAT rule editing and linking shall be available even from the FIREWALL RULE.

    I totally agree with this.

    What about an "Automatic firewall rule" checkbox like in UTM, when you create the NAT rule?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • My firewall had 140 rules with 60 linked NAT rules.

    I simply clicked the linked NAT rules filter, selected all rules (maybe a long effort in this process, to click 60 times, I fully agree with that) and deleted them all.

    Then I replaced this with one rule like in the picture above. Linked NAT rules are only for "MASQ" in case of migration.

    Then I checked my DNAT rules and replaced them in several cases, but not all.

    So to speak, I shrank my rule set down to a couple of rules.

    In case you have a firewall with 600 rules, after migration you probably get 1-600 linked NAT rules, depending on your use of MASQ in the V17.5 rules.

    To replace those rules, you would have to follow the concept of: which traffic needs to be MASQ'd?

    There are several use cases where you need to MASQ (internal / external), but most likely some of those rules are not needed at all.

  • YOU ARE NOT LISTENING AND READING CAREFULLY!

    If you understand our point (, and others coming, good...) otherwise I do not understand what this feedback and issues section is used for!

    Waiting for ...