Question on Destination NAT and Firewall Rule

Hi,

We are testing v18 in my lab and I am confused by the firewall rule and the destination NAT policy. My configuration is as follows:

In the firewall rule, why do I need the Destination Host set to "ANY"? If I choose a host IP in Destination Host as my SSH server, the rule does not work. Is this a bug, or is there a specific reason that "ANY" is required in the Destination Host field?

  • Hi,

    When you create a firewall rule for a NAT rule in which the destination is translated, you need to match the Dst zone as the ultimate zone in which the traffic terminates (mostly a local zone, DMZ or LAN). However, you would want to match against the original destination IP (the WAN IP on XG). Here's why:

    1. Usually one public IP translates to different internal server IPs based on services. Admins can have one firewall access rule matching the public IP, and NAT takes care of translating to the different servers.
    2. Also, when admins add new servers to the network, they do not need to modify the firewall rule again. With how this is implemented now, we can just edit the NAT rule and we are good to go. This is the real power of decoupled NAT / enterprise NAT.
    3. The existing behaviour makes it easier to configure the 1-to-many DNAT scenario in which one public IP is translated to multiple local IPs. Matching on the public IP adds flexibility.
    4. The industry implements DNAT in a similar way. With v18, XG Firewall's enterprise NAT capability is now on par with other competitive players.

    As we move to the new design, some confusion is bound to happen for existing users. We will soon support our veterans with detailed FAQs on the community. Improvements to on-screen assistive text and online help are already in progress, along with how-to videos.

    Thank you very much for evaluating v18 early access. Appreciate your support.
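
To make the matching order in the reply above concrete, here is a small model of it. This is an added illustration, not Sophos code: it keeps only the three rule fields the reply discusses (source zone, destination zone, destination host), and all addresses, zone names and rule names are constructed lab values. The point it shows is that the destination zone is evaluated on the translated (post-NAT) address while the destination host is evaluated on the original (pre-NAT) address, which is exactly why a rule whose destination host is the internal SSH server IP never matches.

```python
"""Model of the DNAT / firewall-rule matching order described in the reply above.

Added illustration, not Sophos code: it keeps only the three rule fields the
reply discusses (source zone, destination zone, destination host). All
addresses, zone names and rule names are constructed lab values.
"""
from dataclasses import dataclass, replace
import ipaddress

# Constructed lab zones. Anything outside the local networks is treated as WAN.
LOCAL_ZONES = {
    "LAN": ipaddress.ip_network("192.168.10.0/24"),
    "DMZ": ipaddress.ip_network("10.10.10.0/24"),
}
XG_WAN_IP = "203.0.113.10"  # assumed public IP on the XG WAN interface


def zone_of(ip: str) -> str:
    """Zone is decided by the address, so it changes once NAT rewrites the destination."""
    addr = ipaddress.ip_address(ip)
    for name, net in LOCAL_ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """Translate (orig_dst, proto, dport) to new_dst: one public IP, many servers."""
    orig_dst: str
    proto: str
    dport: int
    new_dst: str


@dataclass(frozen=True)
class FirewallRule:
    name: str
    src_zone: str   # "ANY" or a zone name
    dst_zone: str   # "ANY" or a zone name; evaluated on the POST-NAT destination
    dst_host: str   # "ANY" or an IP; evaluated on the ORIGINAL (pre-NAT) destination
    action: str = "accept"


def apply_dnat(pkt: Packet, nat_rules) -> Packet:
    """First matching DNAT rule wins; an unmatched packet keeps its destination."""
    for r in nat_rules:
        if (pkt.dst, pkt.proto, pkt.dport) == (r.orig_dst, r.proto, r.dport):
            return replace(pkt, dst=r.new_dst)
    return pkt


def lookup_firewall(original: Packet, translated: Packet, fw_rules):
    """Return the first firewall rule that matches, or None (implicit drop)."""
    for r in fw_rules:
        if r.src_zone not in ("ANY", zone_of(original.src)):
            continue
        # Dst zone: the zone the traffic will terminate in, i.e. after translation.
        if r.dst_zone not in ("ANY", zone_of(translated.dst)):
            continue
        # Dst host: the address the client actually sent to, i.e. before translation.
        # This is why a rule with dst_host = the internal server IP never matches.
        if r.dst_host not in ("ANY", original.dst):
            continue
        return r
    return None


def evaluate(pkt: Packet, nat_rules, fw_rules):
    """Return (action, matched rule name, final 'ip:port') for one inbound packet."""
    translated = apply_dnat(pkt, nat_rules)
    rule = lookup_firewall(pkt, translated, fw_rules)
    final = f"{translated.dst}:{translated.dport}"
    if rule is None:
        return ("drop", None, final)
    return (rule.action, rule.name, final)


# Constructed rules: one public IP, two DMZ servers selected by service.
NAT_RULES = [
    DnatRule(XG_WAN_IP, "tcp", 22, "10.10.10.5"),
    DnatRule(XG_WAN_IP, "tcp", 443, "10.10.10.6"),
]
# What the reply recommends: match the public IP (or ANY), dst zone = DMZ.
RULE_WAN_IP = FirewallRule("Inbound-DNAT", "WAN", "DMZ", XG_WAN_IP)
# What the question tried: dst host = the SSH server's internal IP.
RULE_SERVER_IP = FirewallRule("Inbound-SSH-wrong", "WAN", "DMZ", "10.10.10.5")

SSH_FROM_INTERNET = Packet("198.51.100.7", XG_WAN_IP, "tcp", 22)
HTTPS_FROM_INTERNET = Packet("198.51.100.7", XG_WAN_IP, "tcp", 443)

if __name__ == "__main__":
    print(evaluate(SSH_FROM_INTERNET, NAT_RULES, [RULE_WAN_IP]))
    print(evaluate(SSH_FROM_INTERNET, NAT_RULES, [RULE_SERVER_IP]))
    # Adding a third server needs only a NAT rule; the firewall rule is untouched.
    more_nat = NAT_RULES + [DnatRule(XG_WAN_IP, "tcp", 25, "10.10.10.7")]
    print(evaluate(Packet("198.51.100.7", XG_WAN_IP, "tcp", 25), more_nat, [RULE_WAN_IP]))
```

The second call reproduces the symptom in the question: with the server's internal IP in the destination host field, the packet is dropped even though NAT did its job, because the host check runs against the public IP the client connected to. The last call shows the decoupling the reply describes: a new server only needs a new NAT line.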

  • PMParth said:

    Thank you very much for evaluating v18 early access. Appreciate your support.


    Stop deleting replies and keep them. No one is being offensive here. We are users, and our feedback keeps you improving!

    You have to take both bad and good feedback.

    Hoping for better collaboration from you. 
    Kind regards 

  • I have to agree with Luk here. I have always supported Sophos for not censoring posts, no matter how offensive. This new trend is quite alarming. This is a technical discussion and the users are expressing their concerns about the product. If this is not what you want to hear, then change the beta (EAP) format to bug reports only, with a generic form that users fill out.

    Frankly, v18 should have been called v17.6. I don't know why we got the impression from unknown sources that this is a complete rewrite of the underlying XG architecture. It is not a rewrite: the same old daemons doing the same old stuff with a little more lipstick on the GUI end. The firewall has become completely bloated, with 4 GB being the minimum RAM requirement. The load average on the appliance while idling is alarmingly high.

    v18 is mostly an effort to streamline certain aspects that people found really confusing or that were completely missing for unknown reasons, NAT being one of them. Most people want a single SNAT rule where all internal traffic is NATed to the external interface. Very few people ever need DNATs and so on.

    Before v18, SNAT was very limited in what it could accomplish and the rules were hidden from the user. Those rules are now shown on a different screen. Nobody wants to look at 50 corresponding SNAT rules. This is just not efficient. A call for a redesign is not a dig at Sophos but a request to make it easy for everyone, NOT JUST SOPHOS EMPLOYEES or people who already understand iptables firewalls.

    In any case, the alarming trend of comment deletion must STOP NOW. You guys are better than this.