Question on Destination NAT and Firewall Rule

Hi,

We are testing V18 in my lab and I am confused by the firewall rule and Destination NAT policy. My configuration is as follows:

In the firewall rule, why do I need the destination host to be "ANY"? If I choose a host IP (my SSH server) as the destination host, the rule does not work. Is it a bug, or is there a specific reason "ANY" is required in the Destination HOST field?

  • As mentioned in other threads, I have worked quite a while with this new rule set, and my observations are:

    Working with firewall rules and NAT without linking is the best approach "for me!".

    So basically I create my NATs based on the needs of the setup: SNAT and DNAT (sometimes Full NAT).

    Then I create the firewall rule sets based on what I want to achieve.

    SNAT and DNAT need firewall rules to allow the traffic, until an "automatic firewall rule" comes into place, which I will not use because of other concerns (I did not use this option in UTM either).

    I am using the firewall group feature to sort the firewall rules from the beginning: starting with a group "DNAT" containing all firewall rules matching my DNAT rules, then a WAF group, then my user / zone groups.

     

    At the moment I agree with you: if I change a DNAT rule, I have to change the firewall rule to match it. This is a second layer to think about when changing something.


  • LuCar Toni said:

    At the moment I agree with you: if I change a DNAT rule, I have to change the firewall rule to match it. This is a second layer to think about when changing something.

    You caught the point!

  • The question is, how do other points deal with such a process?

    I am always pointing out that this is kind of complicated to deal with if you are starting to "split" a firewall rule set, like from V17.5 to V18.

    Personally speaking, the automatic firewall rule option should resolve this issue right away, but I would not use it at all. I am not a fan of any product which creates something on its own and puts this rule anywhere in its firewall rule set. Anyway, I am simply pointing out the current status, which I am fine with, but I understand that a missing automatic firewall rule option could be an issue for several customers.

     


  • Uhm... LuCar, in my opinion, if you are a new user, what do you do without reading the guide?

    I mean, not reading the documentation is already a big problem. I always read the documentation before doing things (engineering approach), but think about the user:

    The user goes to Firewall, New, and then.....???

    You could do this:

    Restore the old creation wizard that appeared in v17: "create a network rule or business rule to publish non-HTTP/S servers on the internet", or something like that, and "WAF to protect only HTTP/S web servers from malicious attacks".

    If the user chooses the first option, the user remains in the current tab (firewall); if the user chooses the second option, the system moves the user to the NAT rule. An automatic rule could help, but it is still confusing.

    Check and reply here, as it is an ad-hoc thread:

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/115802/business-rule-against-new-firewall-rule---feedback

    Thanks

  • I think the NAT tab has to be re-envisioned again. I agree with Toni that multiple NAT rules are probably the best approach for the way the NAT tab is set up. However, I also like the new capability to set up one NAT rule and use it as a free-floating rule that is applied to multiple firewall rules.

    I think the best approach here would be the capability to attach multiple firewall rules to the one/same NAT rule. That way you can have one NAT rule that is used over and over but is still attached to the firewall rules. The NAT rule order wouldn't create additional complexity this way. The way we have everything set up right now, you basically want your firewall-connected rules on top and then a generic masquerade rule at the bottom if you want your traffic NATed without creating a NAT rule for each firewall rule.

    This is very confusing to say the least. Why XG fixes one problem and creates multiple others in every version will always be a mystery to me. 

  • Too complex for simple NAT rules...

    Before, it was done in 2-3 clicks! Now we can do more complex things, but for standard NAT rules it's so complex!

    Sophos, be careful to keep your products simple to use!

     

    Matthieu

  • I agree with Matthieu.

    Sophos: if you are trying to copy from UTM, I would remind you that in DNAT on UTM9,

    • Source was Any
    • Service was the external service
    • Destination was the WAN IP addresses or interface
    • Translated to: server hosting the service
    • Translated service to: service running on the server

    With the automatic firewall rule:

    • Source: Any
    • Service
    • Destination: server hosting the service (and not the WAN IP address in v18).

     

    In this way, from a single page (the firewall tab) you can keep under control all the services open from/to/between networks.

    Anyway I created a proper thread on that:

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/115802/business-rule-against-new-firewall-rule---feedback with some personal feedback to improve the NAT/Firewall rule/WAF management under v18.

    I like the new NAT (it reminds me of UTM), but some big changes must be implemented before go-live time.
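The evaluation order that the first post and the UTM9 field list above both turn on (DNAT rewrites the destination first, and the firewall rule is then matched against the already-translated packet, so its destination is the server hosting the service rather than the WAN address) is easy to model. The block below is an added example, not Sophos SFOS or UTM code and not something posted in this thread: it is a netfilter-style two-step pipeline with made-up addresses (203.0.113.10 as the WAN IP, 10.0.0.5 as the internal SSH server, 198.51.100.7 as an internet client) and a constructed DNAT from external port 2222 to internal port 22, laid out with the same fields as the UTM9 DNAT list above. It checks three candidate firewall rules for the SSH case from the first post and shows which ones match after translation.

```python
"""Netfilter-style model of a DNAT rule followed by a filter (firewall) rule.

Added example for illustration only, not Sophos SFOS or UTM code. Addresses
and ports are made up: 203.0.113.10 stands for the WAN IP, 10.0.0.5 for the
internal SSH server, 198.51.100.7 for a client on the internet.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

ANY = "ANY"  # wildcard, like the "ANY" host/service in the firewall rule UI


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """Original-destination match plus the translation, in UTM9 DNAT layout."""
    src: str            # source: Any
    dst: str            # destination: WAN IP
    proto: str
    dport: int          # service: external port
    new_dst: str        # translated to: server hosting the service
    new_dport: int      # translated service: port running on the server


@dataclass(frozen=True)
class FilterRule:
    src: str
    dst: str
    proto: str
    dport: Optional[int]   # None or ANY = any port
    action: str            # "accept" or "drop"


def _match(value, pattern) -> bool:
    return pattern is None or pattern == ANY or value == pattern


def apply_dnat(pkt: Packet, rules: List[DnatRule]) -> Packet:
    """PREROUTING-style step: the first matching DNAT rule rewrites dst/dport."""
    for r in rules:
        if (_match(pkt.src, r.src) and _match(pkt.dst, r.dst)
                and pkt.proto == r.proto and pkt.dport == r.dport):
            return replace(pkt, dst=r.new_dst, dport=r.new_dport)
    return pkt


def filter_verdict(pkt: Packet, rules: List[FilterRule], default: str = "drop") -> str:
    """FORWARD-style step: the first matching filter rule decides; default drop."""
    for r in rules:
        if (_match(pkt.src, r.src) and _match(pkt.dst, r.dst)
                and _match(pkt.proto, r.proto) and _match(pkt.dport, r.dport)):
            return r.action
    return default


def forward(pkt: Packet, dnat: List[DnatRule], filt: List[FilterRule]) -> Tuple[str, Packet]:
    """Whole path: NAT is evaluated first, so the filter sees the translated packet."""
    translated = apply_dnat(pkt, dnat)
    return filter_verdict(translated, filt), translated


# Constructed scenario: publish the internal SSH server on external port 2222.
WAN_IP, SSH_SERVER, CLIENT = "203.0.113.10", "10.0.0.5", "198.51.100.7"
DNAT_RULES = [DnatRule(src=ANY, dst=WAN_IP, proto="tcp", dport=2222,
                       new_dst=SSH_SERVER, new_dport=22)]
INBOUND = Packet(src=CLIENT, dst=WAN_IP, proto="tcp", dport=2222)

# Three candidate firewall rules for the same DNAT, differing only in destination/port.
CANDIDATES = {
    "dst=WAN_IP,port=2222": FilterRule(ANY, WAN_IP, "tcp", 2222, "accept"),
    "dst=SSH_SERVER,port=22": FilterRule(ANY, SSH_SERVER, "tcp", 22, "accept"),
    "dst=ANY,port=22": FilterRule(ANY, ANY, "tcp", 22, "accept"),
}


def verdicts() -> dict:
    """Verdict for INBOUND under each candidate firewall rule, evaluated after DNAT."""
    return {name: forward(INBOUND, DNAT_RULES, [rule])[0]
            for name, rule in CANDIDATES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:26} -> {verdict}")
```

The rule keyed on the pre-NAT values (WAN IP, port 2222) never matches because the packet reaching the filter step already carries 10.0.0.5:22; the rule keyed on the translated server and port matches, and so does a destination of ANY. Swapping the two steps would flip the first two results, which is why the destination and service in the firewall rule have to track the DNAT rule's translated values: the "second layer" LuCar Toni describes above.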