Making the most of XG Firewall v18 – Part 5

Sophos ProductsXGXG FirewallXG Firewall v18

Network address translation (NAT).

Anyone who’s tried to configure network address translation (NAT) rules knows how challenging this can be. But it doesn’t have to be.

Sophos XG Firewall includes an all-new powerful but intuitive NAT capability for source NAT (SNAT), destination NAT (DNAT), and other network translation tasks that actually makes NAT easy.

The new NAT rules are found on the Rules and Policies Screen.

There are a few different types of address translation tasks that are covered by the new NAT rules in XG Firewall v18:

  • Source network address translation (SNAT) translates internal private IP addresses to a public IP address, dramatically reducing the consumption of public IP addresses, which have now been exhausted.
  • Destination network address translation (DNAT) or port forwarding is commonly used to publish a service located on the private network to the publicly accessible IP address. Port address translation or PAT is a subset of DNAT that translates private IP addresses to the public IP address via port numbers.
  • NAT hairpinning, or loopback, or NAT reflection is a combination of address translation that permits access of a service via the public IP address from inside the private network, thus facilitating two-way communication via the public IP address and simplifying domain name resolution.

NAT migration from previous versions

Those familiar with NAT in previous versions of XG Firewall will know SNAT was bound to firewall rules and DNAT was combined with WAF in creating business application rules.  In XG Firewall v18, all NAT rules are now together in the new NAT rules tab, providing much better visibility and a more intuitive set of tools to build more powerful and flexible NAT rules.  Linked NAT and firewall rules are still supported for those who prefer that model, but we strongly encourage you to explore the benefits of the new NAT rule scheme and the tools provided.

In order to maintain compatibility, when you upgrade to v18 from previous versions of XG Firewall, you will find several NAT rules have been created automatically.  In fact, there will be one new SNAT rule created and linked to each firewall rule that was previously using masquerading (MASQ), and one DNAT rule for each business application rule.

Depending on your previous NAT utilization and firewall rule structure, many of the SNAT rules for LAN to WAN traffic may now be redundant.  The firewall is unable to consolidate these rules automatically to ensure compatibility, but you can certainly consolidate them manually.

Simply delete any unnecessary, redundant NAT rules as long as you have one matching rule at the bottom of the rule list that will catch all firewall matching criteria necessary.  Take advantage of the new filter and sort options available to help with migration housekeeping by looking at all linked NAT rules that were created during migration.

Making the most of NAT in XG Firewall v18

The new NAT capabilities are both powerful and easy to use.  For example, creating a port forwarding or DNAT rule has never been easier, thanks to the new server access assistant wizard.

You just need to provide a few vital pieces of information such as the internal host, the services, and the external access criteria, and the wizard will take care of the rest, creating the necessary NAT rules for you.

To learn more about how to make the most of the new NAT rules in XG Firewall v18, watch this helpful how-to video, which is also conveniently linked right from the top of the NAT rules screen in the product.

Read the rest of the series

Here’s a summary of the resources available to help you make the most of the new features in XG Firewall v18, including the new zero-day threat protection capabilities:

If you’re new to Sophos XG Firewall, learn more about the great benefits and features XG Firewall can deliver to your network.

Leave a Reply

Your email address will not be published.