I have been trying workout why some of my linked NAT rules show no use.
I Built EAP3 and used my v17 backup as the configuration method.
I deleted all the default linked NAT rules and created one generic NAT rule. This does not work well for traffic between internal networks. So I added a none MASQ rule to cover connections between internal networks but you need one for each internal network rule.. This was not required in V17.
The XG appears to slow down after I removed all the linked NAT rules, throughput was fine just web pages became very slow to load.
So to overcome this issue I added linked NAT rules for all external connection firewall rules, both IP4 and IPv6.
All active firewall rules are passing traffic but eh associated linked NAT rules are not.
According to the logviewer I have two firewall rules using the same linked NAT rule even though the firewall rules are shown associated to different linked NAT rules.
I have one firewall rule for my VoIP phones which uses NAT rule 0 and not the associated linked NAT rule.
Maybe this explains why my DPI is working on devices without CAs installed eg IoT devices?
Also intermittently some sites take two attempts to establish a secure connection and then other times during the day they will not connect at all.
Devs please feel free to login and investigate, Pankti of the EAP reporting team has the current access details.
Fixed the NAT rule 0, the firewall rule NAT link was missing.
Still investigating why two firewall rules used the same NAT rule, possibly an issue with an IPv6 firewall rule.
Chasing red herrings, the website that used to work reliably has become unreliable, I tested via my phone hotspot and received the same failed negotiating error with both safari and FF.
Interesting observations after having fixed the NAT configuration, still not sure why some firewalll rules were using a generic NAT instead of the linked NAT rule? Site looks are faster with the linked NATs than with a generic NAT.
The original issue about firewall rules not using linked NAT rule still exists.. My VoIP network uses NAT 0 according to the logviewer, passes traffic correctly eg incoming phone calls.
What is NAT rule 0 and where does it live?
So basically for outgoing/incoming rules using VoIP and the SIP helper, the SIP helper acts as a proxy and bypasses the linked NAT rule which did not happen in V17.
I do have other firewall rules that use NAT rule 0 but that is because they are between internal networks.
NAT rule table (Linked as well as normal) is traversed from top to bottom and rule is triggered where criteria is matched. Linked NAT rule has the fw rule id in the matching criteria. However, if there is any other rule (for example say blanket Any-Any NAT rule) on top of the Linked NAT that matches the traffic, that will trigger.
For MASQ requirement on outgoing traffic, we are improving NAT with the introduction of NAT wizard, default SNAT MASQ rule and better UI placement. This would make things easier for such use cases.
There is only case where traffic hits firewall rule but associated Linked NAT rule is not triggered, that is - if a DNAT rule is already matched for a traffic initially, Linked SNAT will NOT again be traversed for that traffic post firewall table. And SNAT decision configured in the matched DNAT rule (This can be called full NAT or mixed NAT scenario) will apply for SNAT.
We have published how-to video guide exclusive for NAT enhancements in v18. This covers SNAT, DNAT and PAT with deployment examples; explains migration from v17.x, caveats, additional details and troubleshooting guidance. Here is the how-to video guide link: NAT Configurations in XG firewall v18.
Also, here is the FAQs link that helps understand New decoupled NAT and firewall changes in SFOS v18: https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18
Thank you very much for your support.
thank you for the in-depth explanation, but it does not answer my question about NAT 0. I have an intra-lan firewall rule that does not have a NAT rule, under V17.5 access worked without adding NAT rule. Now I can connect the device but no data is returned eg both Safari and FF return a blank screen indicating a successful connection. A refresh has no affect.
I have an IPv6 rule which has a linked NAT rule. The firewall rule allows https and http with https decrypt and scanning enabled?
Why does some traffic using the firewall rule go through the associated NAT and other traffic using the same firewall rule go through NAT rule 0?
I have had similar problems. I created about 12 rules ALL with connected NAT rules. When tinkering too much with firewall rules for troubleshooting, I noticed that some of my firewall rules were using NAT rule 0. I also had a couple that were using another NAT rule. For example my Netflix rule only allows netflix traffic with its own NAT but then my media players have a dedicated firewall rule for other traffic with its own NAT. Every once in a while, the logs would show firewall rule Netflix and NAT rule media player. I thought linked NAT rules couldn't be used by other firewall rules.
My only solution was to create single LAN to WAN NAT and another NAT or two for special needs like business rules or DNS catch all rules.I have used other firewalls with NAT in every firewall rule and have never run into the problem like this. Something is seriously wrong and I really don't have time to troubleshoot at the moment.
thank you for the confirmation. I also noted that the web page connects were faster with linked rules rather than generic rules, that is why I returned to using linked NAT.