BUG - logviewer and linked NAT rules

Hi folks,

I have been trying workout why some of my linked NAT rules show no use.

Background.

I Built EAP3 and used my v17 backup as the configuration method.

I deleted all the default linked NAT rules and created one generic NAT rule. This does not work well for traffic between  internal networks. So I added a none MASQ rule to cover connections between internal networks but you need one for each internal network rule.. This was not required in V17.

The XG appears to slow down after I removed all the linked NAT rules, throughput was fine just web pages became very slow to load.

So to overcome this issue I added linked NAT rules for all external connection firewall rules, both IP4 and IPv6.

All active firewall rules are passing traffic but eh associated linked NAT rules are not.

According to the logviewer I have two firewall rules using the same linked NAT rule even though the firewall rules are shown associated to different linked NAT rules.

I have one firewall rule for my VoIP phones which uses NAT rule 0 and not the associated linked NAT rule.

 

Maybe this explains why my DPI is working on devices without CAs installed eg IoT devices?

Also intermittently some sites take two attempts to establish a secure connection and then other times during the day they will not connect at all.

 

Devs please feel free to login and investigate, Pankti of the EAP reporting team has the current access details.

 

 

Ian

Parents
  • NAT rule table (Linked as well as normal) is traversed from top to bottom and rule is triggered where criteria is matched. Linked NAT rule has the fw rule id in the matching criteria. However, if there is any other rule (for example say blanket Any-Any NAT rule) on top of the Linked NAT that matches the traffic, that will trigger.

    For MASQ requirement on outgoing traffic, we are improving NAT with the introduction of NAT wizard, default SNAT MASQ rule and better UI placement. This would make things easier for such use cases.

    There is only case where traffic hits firewall rule but associated Linked NAT rule is not triggered, that is - if a DNAT rule is already matched for a traffic initially, Linked SNAT will NOT again be traversed for that traffic post firewall table. And SNAT decision configured in the matched DNAT rule (This can be called full NAT or mixed NAT scenario) will apply for SNAT.

    We have published how-to video guide exclusive for NAT enhancements in v18. This covers SNAT, DNAT and PAT with deployment examples; explains migration from v17.x, caveats, additional details and troubleshooting guidance. Here is the how-to video guide link: NAT Configurations in XG firewall v18.

    Also, here is the FAQs link that helps understand New decoupled NAT and firewall changes in SFOS v18: https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18

    Thank you very much for your support.

  • Hi PMParth,

    thank you for the in-depth explanation, but it does not answer my question about NAT 0. I have an intra-lan firewall rule that does not have a NAT rule, under V17.5 access worked without adding NAT rule. Now I can connect the device but no data is returned eg both Safari and FF return a blank screen indicating a successful connection. A refresh has no affect.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Another issue.

    I have an IPv6 rule which has a linked NAT rule. The firewall rule allows https and http with https decrypt and scanning enabled?

    Why does some traffic using the firewall rule go through the associated NAT and other traffic using the same firewall rule go through NAT rule 0?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I have had similar problems. I created about 12 rules ALL with connected NAT rules. When tinkering too much with firewall rules for troubleshooting, I noticed that some of my firewall rules were using NAT rule 0. I also had a couple that were using another NAT rule. For example my Netflix rule only allows netflix traffic with its own NAT but then my media players have a dedicated firewall rule for other traffic with its own NAT. Every once in a while, the logs would show firewall rule Netflix and NAT rule media player. I thought linked NAT rules couldn't be used by other firewall rules.

    My only solution was to create single LAN to WAN NAT and another NAT or two for special needs like business rules or DNS catch all rules.I have used other firewalls with NAT in every firewall rule and have never run into the problem like this. Something is seriously wrong and I really don't have time to troubleshoot at the moment.

    Regards 

Reply
  • I have had similar problems. I created about 12 rules ALL with connected NAT rules. When tinkering too much with firewall rules for troubleshooting, I noticed that some of my firewall rules were using NAT rule 0. I also had a couple that were using another NAT rule. For example my Netflix rule only allows netflix traffic with its own NAT but then my media players have a dedicated firewall rule for other traffic with its own NAT. Every once in a while, the logs would show firewall rule Netflix and NAT rule media player. I thought linked NAT rules couldn't be used by other firewall rules.

    My only solution was to create single LAN to WAN NAT and another NAT or two for special needs like business rules or DNS catch all rules.I have used other firewalls with NAT in every firewall rule and have never run into the problem like this. Something is seriously wrong and I really don't have time to troubleshoot at the moment.

    Regards 

Children