Migration to V18 NAT

Hi guys,

There was a little conversation about the migration of NAT in V18.

Just a little information / explanation of how I interact with the V18 migration.

If you migrate to V18, the MASQ rules in the firewall policies are gone. Those rules get migrated to Linked NAT rules, which basically do the same.

But you will get some of those rules.


For example:

You can actually replace those rules with a new SNAT rule.

This new rule has to match on your internal interface and your external interface.

For example:

This will actually match if you put it on top of your rule set.


My suggestion would be: place a top rule like that on your rule set and reset the counters of all other rules below.

So you can actually verify that your new SNAT rule is matching against everything.

All Linked NAT rules should have a usage of 0.

If that is the case for a longer period, start to delete those Linked NAT rules.

The new rule set should be clean.

Parents Reply
  • Hi Emile,

    Thanks for this. I agree that the flow would appear that way based on the diagram, but the explanation I have received and in the handout indicates step 3 is simply a lookup so it knows what to do for the zone translation. The actual DNAT is done post firewall rule processing. At least that is how I interpret it. I think a little clearer explanation from Sophos in the training would help alleviate a lot of the confusion.

    Here is a snippet from page 45 of the Sophos EAP1 handout:

    This diagram shows how packets flow through the firewall and NATing is applied.

    When a packet arrives and the marking has been done the XG Firewall performs a NAT lookup for DNAT or Full NAT rules. If a NAT rule has been matched the destination zone is translated before the packet goes to the firewall. This means that the firewall will be matching rules based on the post-NAT destination zone and the pre-NAT IP address.

    After the firewall either:

    • The DNAT or Full NAT rule matched in step 3 is used to do the translation

    • A second NAT lookup is done for SNAT rules or linked rules and this translation is applied

    Finally the packet is delivered.

    Thanks,

    John
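As an added illustration (not code from this thread, from Sophos, or from the XG product), here is a small Python model of two things discussed above: the packet flow exactly as the handout excerpt describes it (DNAT lookup, firewall match on the post-NAT zone but pre-NAT address, DNAT applied after the firewall, then a second lookup for SNAT / linked rules), and the counter-based check from the opening post (new SNAT rule on top, reset the counters, confirm every Linked NAT rule stays at usage 0 before deleting it). Interface names (Port1 to Port4), zones, addresses and rule names are constructed; the stage order follows the quoted handout text, not knowledge of the real implementation.

```python
# Toy model of the V18 flow as the quoted handout describes it: DNAT lookup ->
# firewall match on post-NAT zone + pre-NAT IP -> DNAT applied -> SNAT lookup.
# SNAT rules carry hit counters, so the "all Linked NAT rules at usage 0" check
# from the migration advice can be scripted. All names/addresses are constructed.
from dataclasses import dataclass
from typing import Sequence

ANY = "*"

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    in_if: str
    out_if: str
    dst_zone: str          # zone of the pre-NAT destination

@dataclass
class DnatRule:
    name: str
    original_dst: str      # pre-NAT destination (the public address)
    translated_dst: str    # internal server it is forwarded to
    post_nat_zone: str     # zone the firewall sees for this packet

@dataclass
class FirewallRule:
    name: str
    dst_zone: str          # compared with the POST-NAT zone
    dst_ip: str            # compared with the PRE-NAT address, or "*"
    action: str            # "accept" or "drop"

@dataclass
class SnatRule:
    name: str
    in_ifs: Sequence[str]  # ("*",) matches any inbound interface
    out_ifs: Sequence[str]
    translated_src: str    # "MASQ" = use the outbound interface address
    linked: bool = False   # True for the rules the migration generated
    hits: int = 0          # the usage counter shown in the rule table

    def matches(self, pkt: Packet) -> bool:
        return (ANY in self.in_ifs or pkt.in_if in self.in_ifs) and \
               (ANY in self.out_ifs or pkt.out_if in self.out_ifs)

def process(pkt, dnat_rules, fw_rules, snat_rules) -> dict:
    # Step 3: a lookup only; nothing is rewritten yet, but the destination
    # zone is translated before the firewall rules are evaluated.
    dnat = next((r for r in dnat_rules if r.original_dst == pkt.dst_ip), None)
    fw_zone = dnat.post_nat_zone if dnat else pkt.dst_zone
    fw = next((r for r in fw_rules
               if r.dst_zone == fw_zone and r.dst_ip in (ANY, pkt.dst_ip)), None)
    if fw is None or fw.action != "accept":
        return {"verdict": "drop", "fw_rule": fw.name if fw else None}
    # After the firewall: apply the DNAT found in step 3, then a second lookup
    # takes the FIRST matching SNAT / linked rule (a rule on top shadows the rest).
    dst_ip = dnat.translated_dst if dnat else pkt.dst_ip
    snat = next((r for r in snat_rules if r.matches(pkt)), None)
    src_ip = pkt.src_ip
    if snat is not None:
        snat.hits += 1
        src_ip = snat.translated_src
    return {"verdict": "accept", "fw_rule": fw.name, "src": src_ip,
            "dst": dst_ip, "snat_rule": snat.name if snat else None}

def reset_counters(rules):
    for r in rules:
        r.hits = 0

def linked_rules_still_hit(snat_rules):
    # Linked rules that saw traffic since the reset: NOT safe to delete yet.
    return [r.name for r in snat_rules if r.linked and r.hits > 0]

def build_snat_ruleset():
    # New SNAT rule on top for internal Port1/Port3 towards external Port2,
    # followed by the rules the migration generated. Port4 is deliberately
    # missing from the top rule to show how a coverage gap is detected.
    return [
        SnatRule("Top SNAT", ("Port1", "Port3"), ("Port2",), "MASQ"),
        SnatRule("Linked NAT LAN->WAN", ("Port1",), ("Port2",), "MASQ", linked=True),
        SnatRule("Linked NAT DMZ->WAN", ("Port3",), ("Port2",), "MASQ", linked=True),
        SnatRule("Linked NAT Guest->WAN", ("Port4",), ("Port2",), "MASQ", linked=True),
    ]

def run_migration_check():
    # Replay some outbound flows and report which linked rules still match.
    snat = build_snat_ruleset()
    fw = [FirewallRule("Any to WAN", "WAN", ANY, "accept")]
    reset_counters(snat)
    for in_if in ("Port1", "Port3", "Port1", "Port4"):
        process(Packet("10.0.0.5", "203.0.113.9", in_if, "Port2", "WAN"), [], fw, snat)
    return linked_rules_still_hit(snat)   # ['Linked NAT Guest->WAN']

def run_dnat_example():
    # Inbound web flow: the firewall rule names the post-NAT zone, pre-NAT address.
    dnat = [DnatRule("Web DNAT", "203.0.113.10", "192.168.1.10", "DMZ")]
    fw = [FirewallRule("WAN to DMZ web", "DMZ", "203.0.113.10", "accept")]
    return process(Packet("198.51.100.7", "203.0.113.10", "Port2", "Port3", "WAN"),
                   dnat, fw, [])
```

Running run_migration_check() shows why the counter reset matters: the three flows from Port1 and Port3 land on the top rule, so the linked rules for those interfaces stay at 0, while the linked Guest rule still counts a hit because the top rule does not cover Port4. A non-zero counter on a linked rule is the signal that it must not be deleted yet, or that the top rule's interface list is incomplete. run_dnat_example() shows the other half: the inbound packet is accepted by a firewall rule written for the DMZ zone even though the packet still carries the public address at that point.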

Children
  • Hello Axsom,

    I think, unfortunately, this confusion is down to the odd nature of the double touching of the firewall that has been chosen.

    The NAT is definitely considered first, that is why the Firewall rules have to have the post NAT zone. The NAT then completes the forward after the firewall has "allowed it".

    I don't agree with any of this design as it leads to too much confusion.

    Emile