BUG - logviewer and linked NAT rules

Question

Hi folks, 
 I have been trying workout why some of my linked NAT rules show no use. 
 Background. 
 I Built EAP3 and used my v17 backup as the configuration method. 
 I deleted all the default linked NAT rules and created one generic NAT rule. This does not work well for traffic between internal networks. So I added a none MASQ rule to cover connections between internal networks but you need one for each internal network rule.. This was not required in V17. 
 The XG appears to slow down after I removed all the linked NAT rules, throughput was fine just web pages became very slow to load. 
 So to overcome this issue I added linked NAT rules for all external connection firewall rules, both IP4 and IPv6. 
 All active firewall rules are passing traffic but eh associated linked NAT rules are not. 
 According to the logviewer I have two firewall rules using the same linked NAT rule even though the firewall rules are shown associated to different linked NAT rules. 
 I have one firewall rule for my VoIP phones which uses NAT rule 0 and not the associated linked NAT rule. 
 
 Maybe this explains why my DPI is working on devices without CAs installed eg IoT devices? 
 Also intermittently some sites take two attempts to establish a secure connection and then other times during the day they will not connect at all. 
 
 Devs please feel free to login and investigate, Pankti of the EAP reporting team has the current access details.

Ian

rfcat_vk · Answer

Chasing red herrings, the website that used to work reliably has become unreliable, I tested via my phone hotspot and received the same failed negotiating error with both safari and FF. 
 Ian 
 Interesting observations after having fixed the NAT configuration, still not sure why some firewalll rules were using a generic NAT instead of the linked NAT rule? Site looks are faster with the linked NATs than with a generic NAT.

PMParth · Answer

NAT rule table (Linked as well as normal) is traversed from top to bottom and rule is triggered where criteria is matched. Linked NAT rule has the fw rule id in the matching criteria. However, if there is any other rule (for example say blanket Any-Any NAT rule) on top of the Linked NAT that matches the traffic, that will trigger. 
 For MASQ requirement on outgoing traffic, we are improving NAT with the introduction of NAT wizard, default SNAT MASQ rule and better UI placement. This would make things easier for such use cases. 
 There is only case where traffic hits firewall rule but associated Linked NAT rule is not triggered, that is - if a DNAT rule is already matched for a traffic initially, Linked SNAT will NOT again be traversed for that traffic post firewall table. And SNAT decision configured in the matched DNAT rule (This can be called full NAT or mixed NAT scenario) will apply for SNAT. 
 We have published how-to video guide exclusive for NAT enhancements in v18. This covers SNAT, DNAT and PAT with deployment examples; explains migration from v17.x, caveats, additional details and troubleshooting guidance. Here is the how-to video guide link: NAT Configurations in XG firewall v18 . 
 Also, here is the FAQs link that helps understand New decoupled NAT and firewall changes in SFOS v18: https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18 
 Thank you very much for your support.