Please add the ability to clone NAT rules, Thanks.
Please add the ability to clone NAT rules, Thanks.
I was going to ask for this feature but then I thought to myself why? Why would you ever want to clone a NAT rule? Most NAT rules are tied and automatically created within a firewall rule. A rule or two that you create as a generic NAT rule will cover most of the other needs.
Not arguing against the capability as it already exists in UTM, was just wondering in context of XG.
Regards
I like the idea of cloning the NAT. Think about when you need to publish to the same server with the same IP listener but services (outside and inside) are different.
Yes for DNAT. For regular NAT, the rules are tied to firewall rules so how would you clone those. Only ones that can be cloned are user created rules and you probably won't have many.
In any case, more flexibility is always a good thing. I was just wondering about the thought process on why this is needed.
Regards
Bill
One of the main feature of v18 is that NAT rule have been decoupled from firewall rules. Or I just do not understand your point.
People in Sophos world are just TOO accustomed to this "Linked NAT & each firewall rule with its own NAT rule" non sens.
But again, most users and business will get 2,3, maybe 5 NAT rules in the end ? And here I mean bidirectional NAT rules. Compared to maybe hundreds firewall rules. I just do not get why one would want to clone NAT rules. Unless maybe they would have 10 Exchange servers with each of them having their own public IP address ?
Really, what we need is an auto NAT rule generator. And NAT templates.
Paul Jr
One of the main feature of v18 is that NAT rule have been decoupled from firewall rules. Or I just do not understand your point.
People in Sophos world are just TOO accustomed to this "Linked NAT & each firewall rule with its own NAT rule" non sens.
But again, most users and business will get 2,3, maybe 5 NAT rules in the end ? And here I mean bidirectional NAT rules. Compared to maybe hundreds firewall rules. I just do not get why one would want to clone NAT rules. Unless maybe they would have 10 Exchange servers with each of them having their own public IP address ?
Really, what we need is an auto NAT rule generator. And NAT templates.
Paul Jr
Ha, you make me laugh with your snide remarks and the irony that goes with it.
NAT is presented in a way that is too confusing in v18. I have deleted my vm so I am going by memory here... When you create a firewall rule, there is still an option to create a corresponding NAT rule. So technically, you can create 100 firewall rules and have 100 NAT rules. You also have an option to create a NAT rule independent of firewall rules. The order of NAT rules will apply in that case and the first rule will apply to most traffic if you have a generic rule like
NAT LAN to WAN
DNAT is still the same but they have moved it to the NAT section. The business rule creation was always too restrictive for me in previous releases so I actually like DNAT in v18 which others don't.
But your point remains, in a regular firewall, you hardly ever go to NAT section. In XG, you can and will go to NAT section every time you create a firewall rule if that rule is linked[:D]
Regards
Bill
Billybob said:The business rule creation was always too restrictive for me in previous releases so I actually like DNAT in v18 which others don't.
Business Rule creation can be improved in a way that you create the Firewall rule and the wizard helps you even on NAT creation in the same window.
I don't recall having a generic rule (NAT LAN to WAN) with unlinked firewall policies working. I believe I created a test (basic ping) with no associated / linked NAT and it not routing out the WAN gateway. I do like the concept of a global SNAT or being able to link a single SNAT to multiple policies. At least they make it easy enough to create / link the NAT in the policy, but it does feel a bit awkward creating SNAT's for every LAN to WAN policy...
Go to the NAT section. Create a new NAT rule with masquerade and at the bottom choose LAN as internal and WAN as external. If this is your only manually created NAT rule, the order doesn't matter and it will work.
Now create a new firewall rule for testing and don't do anything in the NAT section of the firewall rule.
They have a whole KB on the process https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18
Regards
I tested this again, and removing the NAT with the MASQ associated with my policy results in a loss of internet connectivity. Live Logs reflect the correct Firewall rule associated with the traffic however the NAT rule is 0.
I think I had that problem in the beginning when I manually created NAT rules. I didn't reboot the firewall, but I did disable all the other rules. Now I only have these two rules for my firewall one for WAN and one for DMZ. Notice the default rule associated with firewall rule 5 that is created when doing a fresh install is disabled.
Confirming that this does work as you have described which is great! My test was somewhat botched due to it being a user/group policy and the user being moved from the group assignment and to Open Group when they authenticated to the firewall.
Rock on!
