Overview
This Recommended Read describes the behavior of a DNAT rule whose translated source is left at Original (no SNAT selected), where traffic matching the rule is nevertheless source-translated (masqueraded) before it reaches the internal server.
Cause
In the NAT rule configuration, the DNAT rule's translated source (SNAT) is set to Original, so no source translation is expected.
- Even though nothing has been configured explicitly in the SNAT section, Sophos Firewall still masquerades the source IP of the SYN packet it forwards to the web server.
- This is expected behavior when the appliance's base license has expired: in that state Sophos Firewall forwards all traffic with masquerading, regardless of the translated source setting on the rule.
Impact
The administrator cannot see the original public IP from which users access the web server, because every connection reaches the server masqueraded (MASQ) with a firewall LAN IP as its source. Server-side access logs and any IP-based controls on the server therefore see only that one internal address.
Workaround
Check the firewall's license status and renew the expired base firewall license. With a valid base license the DNAT rule works as configured: with the translated source set to Original, the client's source IP is preserved and no source MASQ is applied. After renewal, confirm on the web server that new connections arrive from the clients' public IPs rather than from the firewall's LAN IP.
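To confirm the impact described above, and to verify the workaround once the license has been renewed, the following script is an added example and not Sophos code. It parses combined-format web server access-log lines and reports when every request in the sample comes from a single RFC 1918 address, which is what a masqueraded DNAT looks like from the server's side. The log lines are constructed samples; the firewall LAN IP 192.168.1.1 and the client addresses are assumptions.

```python
"""
Added example (not Sophos code): detect masqueraded DNAT traffic from a web
server's access log. If every request arrives from one RFC 1918 address, the
firewall is rewriting the source and the real client IPs are lost.
Sample log lines are constructed; 192.168.1.1 is an assumed firewall LAN IP.
"""
import ipaddress
import re
from collections import Counter

# Combined/common log format: the client address is the first field.
_CLIENT_IP_RE = re.compile(r"^(\S+)\s")

# RFC 1918 ranges only. ipaddress's is_private also flags documentation
# ranges such as 203.0.113.0/24, so an explicit check is used instead.
_RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(ip):
    """True if ip (string or ipaddress object) is in an RFC 1918 range."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in _RFC1918)


def client_ips(log_lines):
    """Return the client IP of each parsable access-log line."""
    ips = []
    for line in log_lines:
        match = _CLIENT_IP_RE.match(line)
        if not match:
            continue
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:  # first field was not an IP (e.g. a hostname)
            continue
    return ips


def masquerade_suspected(log_lines, min_lines=5):
    """
    Return (suspected, detail).

    suspected is True when the sample is large enough and every request
    comes from the same RFC 1918 address: from the web server's point of
    view that is a masqueraded DNAT, because the firewall rewrites the
    source of each forwarded SYN to its own LAN IP.
    """
    ips = client_ips(log_lines)
    if len(ips) < min_lines:
        return False, f"only {len(ips)} parsable lines, need {min_lines}"
    counts = Counter(ips)
    if len(counts) == 1:
        only_ip, n = next(iter(counts.items()))
        if is_rfc1918(only_ip):
            return True, f"all {n} requests come from LAN address {only_ip}"
        return False, f"all {n} requests come from one public client {only_ip}"
    private = sum(n for ip, n in counts.items() if is_rfc1918(ip))
    return False, f"{len(counts)} distinct clients, {private}/{len(ips)} from RFC 1918 space"


# Constructed sample: what the log looks like while the firewall masquerades.
MASQUERADED_LOG = [
    '192.168.1.1 - - [10/Mar/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.1 - - [10/Mar/2023:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.168.1.1 - - [10/Mar/2023:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"',
    '192.168.1.1 - - [10/Mar/2023:10:00:04 +0000] "GET /app HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.1.1 - - [10/Mar/2023:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# Constructed sample: the expected log once the DNAT rule preserves the source
# (public clients plus one genuine internal client).
NORMAL_LOG = [
    '203.0.113.10 - - [10/Mar/2023:11:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2023:11:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2023:11:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"',
    '192.168.1.50 - - [10/Mar/2023:11:00:04 +0000] "GET /app HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2023:11:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, log in (("masqueraded", MASQUERADED_LOG), ("normal", NORMAL_LOG)):
        suspected, detail = masquerade_suspected(log)
        print(f"{name}: suspected={suspected} ({detail})")
```

Run it against the last few hundred lines of the real access log (for example `tail -n 500 access.log`) before and after renewing the license: the first run should report the firewall's LAN address as the only client, the second should show distinct public clients again. The `min_lines` threshold avoids a false alarm on a tiny sample that happens to contain one internal client.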
Reference
- NC-71459