Question on Destination NAT and Firewall Rule

Hi,

We are testing V18 in my LAB and I am confused by the Firewall rule and Destination NAT policy. My configuration is as follows:

In the Firewall Rule, why do I need the Destination HOST set to "ANY"? If I choose a host IP (my SSH server) as the Destination Host, then this rule does not work. Is it a bug, or is there a specific reason why "ANY" is required in the Destination HOST field?

  • I think the NAT tab has to be re-envisioned again. I agree with toni that multiple NAT rules are probably the best approach for the way the NAT tab is set up. However, I also like the new capability to set up one NAT rule and use it as a free-floating rule that is applied to multiple firewall rules.

    I think the best approach here would be the capability to attach multiple firewall rules to the one/same NAT rule. That way you can have one NAT rule that is used over and over but is still attached to the firewall rules. The NAT rule order wouldn't create additional complexity this way. The way we have everything set up right now, you basically want your firewall-connected rules on top and then a generic masquerade rule on the bottom if you want your traffic natted without creating a NAT rule for each firewall rule.

    This is very confusing, to say the least. Why XG fixes one problem and creates multiple others in every version will always be a mystery to me.

  • Too complex for simple NAT rules ...

    Before, it was done in 2-3 clicks! Now we can do more complex things, but for a standard NAT rule it's so complex!

    SOPHOS, be careful to keep your products simple to use!


    Matthieu

  • I agree with Matthieu.

    Sophos: if you are trying to copy from UTM, I would remind you that in DNAT on UTM9,

    • source was Any
    • service was the external service
    • destination was the WAN IP addresses or interface
    • Translated to: server hosting the service
    • translated service to: service running in the server

    With automatic firewall rule:

    • Source: Any
    • Service
    • destination: server hosting the service (and not the WAN IP address as in v18).


    In this way, from a single page (the firewall tab) you can keep under control all the services open from/to other networks or between networks.

    Anyway, I created a proper thread on that:

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/115802/business-rule-against-new-firewall-rule---feedback with some personal feedback to improve the NAT/Firewall rule/WAF management under v18.

    I like the new NAT (it reminds me of UTM), but some big changes must be implemented before go-live time.