Question on Destination NAT and Firewall Rule

Question

Hi, 
 We are testing V18 in my LAB and I am confused with Firewall rule and Destination NAT policy. My configuration as like:

In the Firewall Rule, Why I need Destination HOST as "ANY". If I will choose a host IP in destination Host as my SSH server then this rule is not working. Is it a bug or some specific reason for the required "ANY" in the Destination HOST field?

PMParth · Accepted Answer

Hi, 
 When you create firewall rule for NAT rule in which destination is translated, you would need to match Dst zone as the ultimate zone in which the traffic would terminate (that is mostly the local zone &ndash; DMZ or LAN). However, you would (want to) match against the original destination IP (WAN IP on XG), here&rsquo;s why: 
 
 Usually one public IP would translate to different internal server IPs based on services. Admins can have one firewall access rule matching public IP; And NAT can take care of translating to different servers. 
 Also, when admins add new servers in network, they need not to again modify firewall rule. With how this is implemented now &ndash; we can just edit NAT rule and we are good to go. This is true decoupled NAT/ Enterprise NAT power. 
 Existing behavior makes it easier to configure in 1-to-Many DNAT scenario in which 1 public IP is translated against multiple local IPs. Match on the public IP adds flexibility. 
 Industry implements DNAT in similar way. With v18, XG Firewall&rsquo;s enterprise NAT capability is now at par with other competitive players. 
 
 As we are moving to the new design, some confusion is bound to happen for existing users. We will soon support our veterans with detailed FAQs on community. Improvements in on-screen assistive text and online help is already in progress, along with the how-to-videos. 
 Thank you very much for evaluating v18 early access. Appreciate your support.