Unable to edit NAT-Firewall rule

I am not sure if it is a bug or not, but how can I unlink or edit a NAT to a specific firewall rule?

For example, I see that for each rule, during the migration, a single NAT for each firewall rule has been created. So,

  • I want to edit the NAT-Firewall rule association from firewall rule and from NAT but the option is not available.

Is this by design or a bug?

Thanks

  • It is by design. To be able to change the NAT rule for a firewall rule, you need to:

    • Unlink the NAT rule from the NAT tab
    • Link a new NAT rule from the NAT tab to an existing firewall rule

    Feedback:

    Please:

    • Allow to edit and link the NAT rule from the Firewall rule
    • From the Firewall rule, use the white space by providing information about the NAT rule you are linking to the rule. For example, NAT_NAME where an "i" information icon is available and we can see the NAT rule properties without moving back and forth from NAT Tab.

    Thanks

  • You do not need to link a NAT rule to a FW rule. NAT rules operate on the matching criteria. NAT Rule linking was a needed step for migration. You do not need to unlink rules if you want to keep the same kind of setup you had previously. We would suggest however that over time you unlink rules and create NAT rules based on matching criteria. It may look complicated at first but it is actually more powerful and elegant.

     

    If you have 100 FW rules now, and they are all MASQ rules that will mean 100 Linked NAT rules are created on migration. However it is very likely you could reduce this to a single SNAT rule which applies to all 100 FW rules by the matching criteria.

  • I am not complaining to remove the NAT rule tab or to change the NAT linked behaviour but I am complaining that a single way to edit or unlink or change the NAT only from NAT tab is UNACCEPTABLE.

    NAT rule editing, linking shall be available even from FIREWALL RULE.

    I hope it is clear now.

    I completely agree that after migration, you can unlink all NAT migrated and link a single NAT to all firewall rule.

  • Hello all,

    I agree with Luk. 

    To LuCar Toni, you mentioned installation in which you have been working for several weeks. How many firewall rules and the following NAT rules this installation has?
    Sorry, but we work in installations in which are hundreds of rules (up to 600 firewall rules) and more than 50 NAT rules. How will you filter so many rules according to some criteria to limit the number of displayed rules? And how much time do you spend defining filtering conditions? Sorry again, this implementation is not really a user-friendly solution ...

    Please take a look at the problem from our side, not just how to implement it with the least effort.

    Regards

    alda

  • lferrara said:

    I am not complaining to remove the NAT rule tab or to change the NAT linked behaviour but I am complaining that a single way to edit or unlink or change the NAT only from NAT tab is UNACCEPTABLE.

    NAT rule editing, linking shall be available even from FIREWALL RULE.

    I totally agree with this.

    What about a "Automatic firewall rule" checkbox like in UTM, when you create the NAT rule?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • My Firewall had 140 Rules with 60 Linked NAT rules.

    I simply clicked the Linked NAT Rules filter, selected all Rules (Maybe a long effort in this process, to click 60 Times, I fully agree with that) and deleted them all.

    Then I replaced this with one rule like in the picture above. Linked NAT Rules are only for "MASQ" in case of migration.

     

     

    Then I checked my DNAT Rules, replaced them in several cases but not all.

    So to speak, I shrank my ruleset down to a couple of rules.

     

    In Case you have a firewall with 600 rules, after migration, you properly get 1-600 linked nat rules - depending on your use of MASQ in V17.5 in the rules. 

    To replace those rules, you would have to follow the concept of, which traffic needs to be MASQ? 

    There are several use cases, where you need to MASQ (internal / external), but most likely some of those rules are not needed at all. 

     


  • YOU ARE NOT LISTENING AND READING CAREFULLY!

    If you understand our point (,  and others coming, good...) otherwise I do not understand why this feedback and issues section is used for!

    Waiting for ...

  • I am just trying to help you how to better interact with the new dashboard.

    But I will stop to post here anymore. Thanks for your feedback. The other guys will get up your feedback.


  • Hello LuCar Toni,

    I don't mean "cleaning" after migrating from v17.5 to v18 but everyday work with firewall rules and NAT rules. Just as Luk described it:

     NAT rule editing, linking shall be available even from FIREWALL RULE.

     That's all, no one wants anything more than this option. I hope that now is double clear. Yes, it may not be easy to implement it this way, but you are asking us for our opinion and we respond to you. Again, that's all.

    Regards

    alda

  • Luk, I can understand your frustration but please tone down your responses a little, LuCar Toni is only trying to help - that's the point of this forum. Your feedback and comments are very important.

     

    Can I suggest that you, alda, twister5800 and others that have commented on this feature with some very interesting requests please make this formal feedback by clicking the feedback link in Control Center - we are listening.

  • Sure!

    Regarding Lucar I do not have nothing against him...the point is we are complaining about the NAT editing or viewing. I really like the new NAT tab and the way to unlink or edit them but you missed the option to view/link/unlink/edit/ from Firewall rule straight-away. We are Admins and we work on the product in real environment and we know what we need.

    I will provide feedback from XG UI.

    Thanks

  • Unknown said:

     

    Can I suggest that you, alda, twister5800 and others that have commented on this feature with some very interesting requests please make this formal feedback by clicking the feedback link in Control Center - we are listening.

     

     
    Already did :-) - Thanks

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician
