Whether the NAT policy can call the address group on USG firewalls


Yes. In the following commands, the address-set parameter references an address group.
Configure the source IP address that requires traffic mapping.
source-address { address-set address-set-name &<1-6> | ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address &<1-6> | any }

Configure the destination IP address that requires traffic mapping.
destination-address { address-set address-set-name &<1-6> | ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address &<1-6> | any }

Other related questions:
Whether the interface address of the firewall can be an address in the address pool when the NAT policy is configured
When NAT No-PAT and triplet NAT policies are configured, do not include the interface address of the firewall in the NAT address pool; doing so can affect access to the firewall.

Whether the interface address of the firewall can be set to an address in the NAT address pool
When NAT No-PAT and triplet NAT policies are configured, do not include the interface address of the firewall in the NAT address pool; doing so can affect access to the firewall. If you set the interface address as the public IP address of NAT Server, you cannot manage the firewall through that interface address in web UI or Telnet mode, or perform ping detection on the firewall. If you need to set the interface address as the public IP address of NAT Server and also manage the firewall remotely over this interface, enable PAT for NAT Server and configure protocols and port numbers to narrow the scope of address and port translation, which avoids the impact on access to the firewall.
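The check described in the two answers above can be run offline before a NAT configuration is applied. This is an added example, not Huawei code: the function name, interface names, pool names and addresses are all constructed for illustration.

```python
import ipaddress

def pool_conflicts(interfaces, pools):
    """Return (interface, ip, pool) for every firewall interface address
    that falls inside a NAT address pool range (ranges are inclusive)."""
    hits = []
    for if_name, addr in interfaces.items():
        # Accept "198.51.100.1" as well as "198.51.100.1/24".
        ip = ipaddress.ip_interface(addr).ip
        for pool_name, ranges in pools.items():
            for start, end in ranges:
                lo = ipaddress.ip_address(start)
                hi = ipaddress.ip_address(end)
                if lo.version != hi.version or lo > hi:
                    raise ValueError(f"bad range in {pool_name}: {start}-{end}")
                if ip.version != lo.version:
                    continue  # never compare IPv4 against IPv6
                if lo <= ip <= hi:
                    hits.append((if_name, str(ip), pool_name))
    return hits

# Constructed sample data (documentation address ranges).
INTERFACES = {
    "GigabitEthernet1/0/1": "198.51.100.1/24",  # public-facing interface
    "GigabitEthernet1/0/2": "10.1.1.1/24",      # intranet interface
}
POOLS = {
    "addressgroup1": [("198.51.100.1", "198.51.100.10")],  # overlaps GE1/0/1
    "addressgroup2": [("203.0.113.5", "203.0.113.9")],
}

if __name__ == "__main__":
    for if_name, ip, pool in pool_conflicts(INTERFACES, POOLS):
        print(f"{if_name} address {ip} is inside NAT address pool {pool}")
```
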

Method used by NAT Server to call the service set on USG firewalls
NAT Server cannot call the service set.

Whether USG firewalls can avoid intranet IP address conflict
The USG firewalls can avoid intranet IP address conflict. Generally, a firewall is deployed on the top layer of a network. If the intranet traffic does not pass through the firewall, the firewall cannot limit that traffic. Therefore, it is recommended that the traffic limitation function be configured on a lower-layer switch. With IP and MAC address binding configured, even a user with the same IP address cannot transmit traffic over the interface, which prevents the IP address conflict.

Whether the NAT policy can directly reference the address library of an ISP on the USG6000
The source NAT policy of the USG6000 cannot directly reference the address library of the ISP. You need to create the address set manually and configure the source NAT policy to reference that address set.
