If multiple NAT policies are configured, how does an FW match packets with them?

An FW matches packets with NAT policies in the top-down sequence. If the packets match a NAT policy, the FW processes the packets based on the policy and stops matching the packets with other NAT policies.

Other related questions:
Packet matching principles when multiple NAT policies are configured
If multiple NAT policies are configured, the firewall matches packets based on the list of policies from top to bottom. If a policy is matched, the firewall stops matching other policies.

In what order does an applied traffic policy take effect on S series switches?
For S series switches (except the S1700), a traffic policy can be applied in the system view, interface view, and VLAN view simultaneously. When applying a traffic policy in multiple views, configure the traffic policy in the sequence of interface view, VLAN view, and system view. When multiple traffic policies are applied in different views and packets simultaneously match different traffic policies, the traffic policies take effect in the following order:

- If traffic classification rules in the traffic policies are of the same type, that is, the rules are all user-defined ACL rules, Layer 2 rules, or Layer 3 rules, only one traffic policy takes effect. The traffic policy that takes effect depends on the view in which the traffic policy has been applied. The view priority is as follows: interface view > VLAN view > system view.
- For cards of modular switches except X series cards, and for the fixed switches S5700HI, S5700EI, S5710EI, S5720EI, S5710HI, S6700EI, S6720EI, and S6720S-EI: if traffic classification rules in the traffic policies are of different types and actions in traffic behaviors do not conflict, traffic policies in all views take effect. If actions in traffic behaviors conflict, only one traffic policy takes effect, and which one is determined by the rule type. The rule priority is as follows: Layer 2 rule and Layer 3 rule > advanced ACL6 rule > basic ACL6 rule > Layer 3 rule > Layer 2 rule > user-defined ACL rule.
- For X series cards of modular switches and for the E series and S series fixed switches S600-E, S1720GFR, S1720GW-E, S1720GWR-E, S2720, S2750, 5700SI, S5700LI, S5700S-LI, S5720LI, S5720S-LI, S5710-X-LI, S5720SI, S5720S-SI, and S5720HI: if traffic classification rules in the traffic policies are of different types, the traffic policy in only one view takes effect, and which one is determined by the view in which it is applied. The view priority is as follows: interface view > VLAN view > system view.
It is recommended that you configure the traffic policy based on the priority. Otherwise, the configured traffic policy may not take effect immediately. Note: MQC cannot be configured on the S2700SI.

Does an FW support NAT if I disable stateful inspection on the FW?
Yes. The FW supports NAT after stateful inspection is disabled on the FW.

Matching order of packets when multiple pairs of traffic classifiers and traffic behaviors are defined in a traffic policy
For S series switches (except the S1700):

For S series modular switches, you can specify the matching order of rules in the traffic policy when creating a traffic policy. The matching orders are classified into the configuration order (config) and automatic order (auto).

- For X series cards of modular switches, the matching order depends on priorities of traffic classifiers, that is, the value of the precedence precedence-value parameter in the traffic classifier command. A smaller value indicates a higher priority.
- For cards of modular switches except X series cards:
  - config: The matching order depends on priorities of traffic classifiers, that is, the value of the precedence precedence-value parameter in the traffic classifier command. A smaller value indicates a higher priority.
  - auto: The matching order depends on priorities of traffic classifier types predefined on the system. The traffic classifiers based on the following information are in descending order of priority: Layer 2 and Layer 3 information, advanced ACL6 rule, basic ACL6 rule, Layer 2 information, Layer 3 information, and user-defined ACL rule. If actions in traffic behaviors do not conflict, all the matching traffic classifiers and traffic behaviors take effect. If actions in traffic behaviors conflict, the traffic classifier and traffic behavior with the highest-priority traffic classifier type take effect.

For the S series fixed switch S600-E, packets match traffic classifiers and traffic behaviors according to the sequence in which the traffic classifiers and traffic behaviors are configured. If the first traffic classifier is not matched, the switch matches packets with the second traffic classifier, and so on. If the packets match a traffic classifier, the switch does not match the packets with subsequent traffic classifiers. Only the first pair of the matching traffic classifier and traffic behavior takes effect.
For other fixed switches, see "How Does the Switch Match Packets When Multiple Pairs of Traffic Classifiers and Traffic Behaviors Are Defined in a Traffic Policy?" in FAQ-QoS.

Which source address shall I specify in a security policy on an FW configured with a source NAT policy?
Specify a private address (source address) in a security policy on an FW. The private address is the one that is used before source NAT is performed. The FW matches packets with a security policy before enforcing a NAT policy. If the packets match the security policy, the FW performs source NAT for the packets. If the packets do not match the security policy, the FW discards the packets.
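The order of operations described in this answer and in the NAT-policy answer above, modelled as an added Python example (not Huawei code): the security policy is evaluated on the pre-NAT private source address, and only then are NAT policies matched top-down with the first match winning. Policy names and addresses are constructed for illustration.

```python
"""Model of the FW order of operations: security policy first (on the private
address), then top-down first-match NAT. Added illustration, not Huawei code."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple


class Policy(NamedTuple):
    name: str
    src: str      # source CIDR the policy matches
    dst: str      # destination CIDR the policy matches
    action: str   # security policy: "permit"/"deny"; NAT policy: translated source


def first_match(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Top-down lookup shared by security and NAT policies: first match wins."""
    for p in policies:
        if ip_address(src) in ip_network(p.src) and ip_address(dst) in ip_network(p.dst):
            return p                     # stop at the first matching policy
    return None


def forward(sec_policies: List[Policy], nat_policies: List[Policy],
            src: str, dst: str) -> Tuple[str, str]:
    """Return ("drop", reason) or ("forward", source address on egress)."""
    sec = first_match(sec_policies, src, dst)      # matched on the private address
    if sec is None or sec.action != "permit":
        return ("drop", sec.name if sec else "no security policy matched")
    nat = first_match(nat_policies, src, dst)      # NAT is applied only after permit
    return ("forward", nat.action if nat else src) # no NAT policy: address unchanged


# Constructed sample configuration (all addresses are illustrative).
NAT_POLICIES = [
    Policy("nat_branch", "10.1.1.0/24", "0.0.0.0/0", "203.0.113.10"),  # listed first, wins for 10.1.1.x
    Policy("nat_all", "10.0.0.0/8", "0.0.0.0/0", "203.0.113.20"),      # reached only by other 10.x hosts
]
GOOD_SEC = [Policy("allow_lan", "10.0.0.0/8", "0.0.0.0/0", "permit")]      # private address: correct
BAD_SEC = [Policy("allow_public", "203.0.113.10/32", "0.0.0.0/0", "permit")]  # post-NAT address: never matches

if __name__ == "__main__":
    print(forward(GOOD_SEC, NAT_POLICIES, "10.1.1.5", "198.51.100.7"))  # forward via nat_branch
    print(forward(GOOD_SEC, NAT_POLICIES, "10.2.0.9", "198.51.100.7"))  # forward via nat_all
    print(forward(BAD_SEC, NAT_POLICIES, "10.1.1.5", "198.51.100.7"))   # dropped before NAT
```

The third call shows the misconfiguration the answer warns about: a security policy written for the public address never sees the packet, because the security policy is matched before source NAT rewrites the address.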
