Question on Destination NAT and Firewall Rule

Hi Deepak,

I noticed the same thing and posted the results of my testing here

Basically, if you put in the FW rule, the "public IP" as destination host, it will match, even if the rule is wan-lan or wan-dmz.

Why though? No idea.

Hi,

I think this is a traffic or Rule flow issue, and Sophos must fix it. I am assuming that it will failover for security testing. Today I will perform some typical type of testing with a security tool and will update you.

Hi,

Try a Firewall rule as 

"Link NAT" is only for Source NAT. It is not for the Destination NAT.

Ok, done it. And now?

DNAT is not linked

Hi,

As I said the DNAT NAT rule is not for Linking to any firewall rule. You can Link only SNAT rule to a firewall rule.

This is just confusing me!

http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/FirewallNATRules.html#pkw_b31_v3b__uxd_myl_n3b

You can Link NAT rule only Source rule means from LAN to WAN NAT rules can link to a Firewall rule. You can not Link a NAT rule from WAN to LAN.

deepakkhw said:

You can Link a NAT rule from WAN to LAN.

Still unclear.

In the NAT, I changed original destination from WAN alias to Port2 (maybe using alias is not possible). Same thing. Traffic is denied.

Also NAT counter connection is 0 and Firewall rule counter is 0

Hi,

It was a typo, You can not link a nat rule which is confirmed from WAN to LAN.

Understood! Anyway the rule does not work.

Hi,

Destination Address/Host is select wrong in the firewall rule. Here, Select as Any or your WAN IP address.

As mentioned in other threads, i worked quite a time with this new rule set, and my observations are:

Working with Firewall Rules and NAT without a Linking is the best approach "for me!". 

So basically i create my NATs based on the Needs of the setup: SNAT and DNAT (sometimes FullNAT). 

Then creating the Firewall Rule sets based on what i want to achieve. 

SNAT and DNAT needs firewall rules to allow the traffic, until a "automatic Firewall Rule" comes in place - Which i will not use, because of other concerns (i did not use this option ether in UTM). 

I am using the Firewall Group feature to sort the firewalls from the beginning. Starting with a Group "DNAT" with all firewall rules, matching for my DNAT rules. Then a WAF Group, my User / zone groups. 

At the moment, i agree with you, if i change a DNAT rule, i have to change the firewall rule, to match this, this is a second layer to think about in case of changing something. 

As mentioned in other threads, i worked quite a time with this new rule set, and my observations are:

Working with Firewall Rules and NAT without a Linking is the best approach "for me!". 

So basically i create my NATs based on the Needs of the setup: SNAT and DNAT (sometimes FullNAT). 

Then creating the Firewall Rule sets based on what i want to achieve. 

SNAT and DNAT needs firewall rules to allow the traffic, until a "automatic Firewall Rule" comes in place - Which i will not use, because of other concerns (i did not use this option ether in UTM). 

I am using the Firewall Group feature to sort the firewalls from the beginning. Starting with a Group "DNAT" with all firewall rules, matching for my DNAT rules. Then a WAF Group, my User / zone groups. 

At the moment, i agree with you, if i change a DNAT rule, i have to change the firewall rule, to match this, this is a second layer to think about in case of changing something. 

LuCar Toni said:

At the moment, i agree with you, if i change a DNAT rule, i have to change the firewall rule, to match this, this is a second layer to think about in case of changing something. 

You caught the point!

The question is, how other points deal with such an process? 

I am always pointing out, that this is kinda complicated to deal with, if you are starting to "split" a firewall rule set, like V17.5 to V18. 

Personally speaking, the Automatic firewall rule option should resolve this issue right away, but i would not use it at all. I am not a fan of any product, which creates something at his own and put this rule anywhere in his firewall rule set. Anyways, i am simply pointing out the current status, which i am fine with it, but i understand that a missing automatic firewall rule option could be an issue for several customers. 

Uhm...Lucar in my opion, if your are a new user, what do you do without reading the guide?

I mean, already not reading  the documentation is a big problem. I always read the documentation before doing thigs (engineering approach) but think about user:

User go to Firewall, new and then.....???

You could do this:

Restore the old way to create wizard appeard in v17 "create a network rule or business rule to publish not HTTP/S servers on internet or something like that, and WAF to protect only HTTP/S web server from malicious attack"

If the user choose the first option, user remains in the current tab (firewall), if the user choose second option, the system moves the user to NAT rule. Automatic rule could help but it is still confusing.

check and reply here as it is an ad-hoc thread.

https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/115802/business-rule-against-new-firewall-rule---feedback

Thanks

I think the NAT tab has to be re-envisioned again. I agree with toni that multiple NAT rules are probably the best approach for the way NAT tab is setup. However, I also like the new capability to setup one NAT rule and use it as free floating rule that is applied to multiple firewall rule.

I think the best approach here would be the capability to attach multiple firewall rules to the one/same NAT rule. That way you can have one NAT rule that is used over and over but is still attached to the firewall rules. The NAT rule order wouldn't create additional complexity this way. The way we have everything setup right now, you basically want your firewall connected rules on top and then have a generic masquerade rule on bottom if you want your traffic natted without creating a NAT rule for each firewall rule.

This is very confusing to say the least. Why XG fixes one problem and creates multiple others in every version will always be a mystery to me. 

Too complex for a simple nat rules ... 

Before, done in 2-3 clicks ! Now, we can do more complex things, but for a standart nat rules, it's so complex !

SOPHOS, beware to keep your products simple to use !

Matthieu

I agree with Matthieu.

Sophos: if you are trying to copy from UTM, I would remember you that in DNAT on UTM9,

• source was Any
• service was the external service
• destination was the WAN ip addressess or interface
• Translated to: server hosting the service
• translated service to: service running in the server

With automatic firewall rule:

• Source: Any
• Service
• destination: server hosting the service (and not the WAN ip address in v18).

In this way, from a single page (firewall tab) you can have under controls all the service open from/to other/between networks.

Anyway I created a proper thread on that:

https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/115802/business-rule-against-new-firewall-rule---feedback with some personal feedback to improve the NAT/Firewall rule/WAF management under v18.

I like the new NAT (remembers me UTM) but some big changes must be implemented before go-live time.