Unable to edit NAT-Firewall rule

I am not sure if it is a bug or not, but how can I unlink or edit a NAT to a specific firewall rule?

For example, I see that for each rule, during the migration, a single NAT for each firewall rule has been created. So,

  • I want to edit the NAT-Firewall rule association from firewall rule and from NAT but the option is not available.

Is this by design or a bug?

Thanks

  • Do you read what I am complaining about?

    Please read carefully! The suggested answer is very bad.

  • I am just trying to point to a direction which could lead to a much simpler rule set.

    If you want to work with linked NAT rules, then I would confirm this issue.

    But if you want to migrate to a one-rule-set setup, this would be the way to go.

    This would also solve your other issue.

    That would be the rule which I am suggesting.

  • Here the documentation talks clearly:

    Linked NAT rules

    These are source NAT rules and are listed in the NAT rule table. You can identify them by the firewall rule ID and name.

    XG Firewall applies firewall rules before it applies source NAT rules. If a NAT rule above the linked rule meets the matching criteria, XG Firewall applies that rule and doesn’t look further for the linked rule. However, linked NAT rules apply only to traffic that matches the firewall rule they are linked to.

    You can unlink a linked NAT rule from the NAT rule table. Once you unlink the rule from the original firewall rule, you can edit the NAT rule. It will now be evaluated independent of the original firewall rule based on its criteria and not the original firewall rule criteria.

    Guys, make sure when you develop or change a feature to involve a system admin. I worked in an environment with 4000+ users; imagine that you have to manage 400+ rules. Click-saving is the way to save admins' time and life!
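A toy model of the evaluation order the quoted documentation describes, added here as an illustration (it is not Sophos code and not from any post in this thread); the rule names, networks and zones are constructed. It also checks the claim made elsewhere in the thread that one unlinked MASQ rule can stand in for the per-rule linked MASQ rules created by migration:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the order of evaluation in the quoted documentation:
# firewall rules first, then the NAT table top-down, first match wins, and a
# linked NAT rule is skipped unless its own firewall rule was the one matched.
# Real rules carry much more (services, schedules, interfaces); this ignores it.

@dataclass
class FwRule:
    rule_id: int
    src_net: str
    dst_zone: str

@dataclass
class NatRule:
    name: str
    src_net: str
    dst_zone: str
    action: str                      # "MASQ" or "NONE"
    linked_fw: Optional[int] = None  # set on migrated, linked NAT rules

def _hits(src_net, dst_zone, src_ip, pkt_zone):
    return ip_address(src_ip) in ip_network(src_net) and dst_zone == pkt_zone

def evaluate(fw_rules, nat_rules, src_ip, dst_zone):
    """Return (matched firewall rule id, NAT action), or (None, 'DROP')."""
    fw = next((r for r in fw_rules if _hits(r.src_net, r.dst_zone, src_ip, dst_zone)), None)
    if fw is None:
        return None, "DROP"
    for n in nat_rules:                      # NAT table, top-down
        if n.linked_fw is not None and n.linked_fw != fw.rule_id:
            continue                         # linked rule only sees its own rule's traffic
        if _hits(n.src_net, n.dst_zone, src_ip, dst_zone):
            return fw.rule_id, n.action      # first match wins, no further lookup
    return fw.rule_id, "NONE"

FW = [FwRule(1, "10.1.0.0/24", "WAN"), FwRule(2, "10.2.0.0/24", "WAN"),
      FwRule(3, "10.1.0.0/24", "LAN")]
# What migration produces: one linked MASQ rule per firewall rule (constructed).
MIGRATED = [NatRule("#1 linked", "10.1.0.0/24", "WAN", "MASQ", linked_fw=1),
            NatRule("#2 linked", "10.2.0.0/24", "WAN", "MASQ", linked_fw=2)]
# The consolidated set: a single unlinked MASQ rule for everything going to WAN.
CONSOLIDATED = [NatRule("any to WAN", "10.0.0.0/8", "WAN", "MASQ")]
# An unlinked NAT rule placed above the linked ones is applied first.
PREEMPTED = [NatRule("no-NAT for 10.2", "10.2.0.0/24", "WAN", "NONE")] + MIGRATED

def same_outcome(nat_a, nat_b, probes):
    """True when both NAT tables give identical results for every (src_ip, zone) probe."""
    return all(evaluate(FW, nat_a, ip, z) == evaluate(FW, nat_b, ip, z) for ip, z in probes)
```

The probe list in `same_outcome` is the check to run before deleting migrated linked rules: only if every source-to-zone combination the firewall rules admit gets the same NAT decision from the replacement table is the consolidation safe.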

  • No Luk - you only need to know the matching criteria. NAT linking was done for migration purposes, to make sure no connectivity was lost. It could be entirely possible if all 200 rules (in your example) were simple MASQ this could be reduced to just one unlinked rule.

    However, if you feel that the implementation is wrong then please look at the post on how to provide feedback, or click the Feedback link in the Control Centre.

  • Even for a 4000-user deployment, I would rather have a MASQ ruleset which simply picks up all traffic going to WAN and MASQs it than have 400 linked NAT rules.

    On one of my appliances, there were 60 linked NAT rules. I simply selected them all, deleted them and recreated one SNAT rule.

    After that change, I was ready to go with the SNAT traffic.

  • I am not complaining about removing the NAT rule tab or changing the linked NAT behaviour, but I am complaining that a single way to edit, unlink or change the NAT, only from the NAT tab, is UNACCEPTABLE.

    NAT rule editing and linking shall be available even from the FIREWALL RULE.

    I hope it is clear now.

    I completely agree that after migration, you can unlink all migrated NATs and link a single NAT to all firewall rules.

  • Hello all,

    I agree with Luk. 

    To LuCar Toni, you mentioned an installation in which you have been working for several weeks. How many firewall rules and corresponding NAT rules does this installation have?
    Sorry, but we work in installations in which there are hundreds of rules (up to 600 firewall rules) and more than 50 NAT rules. How will you filter so many rules according to some criteria to limit the number of displayed rules? And how much time do you spend defining filtering conditions? Sorry again, this implementation is not really a user-friendly solution ...

    Please take a look at the problem from our side, not just how to implement it with the least effort.

    Regards

    alda

  • lferrara said:

    I am not complaining about removing the NAT rule tab or changing the linked NAT behaviour, but I am complaining that a single way to edit, unlink or change the NAT, only from the NAT tab, is UNACCEPTABLE.

    NAT rule editing and linking shall be available even from the FIREWALL RULE.

    I totally agree with this.

    What about an "Automatic firewall rule" checkbox like in UTM, when you create the NAT rule?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • My firewall had 140 rules with 60 linked NAT rules.

    I simply clicked the Linked NAT Rules filter, selected all rules (maybe a long effort in this process, to click 60 times, I fully agree with that) and deleted them all.

    Then I replaced this with one rule like in the picture above. Linked NAT rules are only for "MASQ" in case of migration.

    Then I checked my DNAT rules and replaced them in several cases, but not all.

    So to speak, I shrank my ruleset down to a couple of rules.

    In case you have a firewall with 600 rules, after migration you probably get 1-600 linked NAT rules, depending on your use of MASQ in V17.5 in the rules.

    To replace those rules, you would have to follow the concept of which traffic needs to be MASQ'd.

    There are several use cases where you need to MASQ (internal / external), but most likely some of those rules are not needed at all.

  • YOU ARE NOT LISTENING AND READING CAREFULLY!

    If you understand our point (, and others coming, good...), otherwise I do not understand what this feedback and issues section is used for!

    Waiting for ...