Method used to configure the security policy after the NAT policy is configured


After source NAT or destination NAT is configured, you can configure the security policy as follows:
After source NAT is configured, configure the source IP address for packet filtering as the IP address before the NAT.
After NAT Server, intrazone destination NAT, or SLB is configured, configure the destination IP address for packet filtering as the IP address after the NAT.

Other related questions:
Method used to configure security policies in L2TP dial-up access scenario on the USG6000
L2TP packets are transmitted over the Untrust and Local zones. Decapsulated packets are transmitted over the DMZ (security zone where the VT interface resides) and Trust zones.

Whether the source address specified in the security policy is the translated address when the source NAT policy is configured
The source address specified in the security policy is the address before NAT when the source NAT policy is configured. When the firewall translates an address in a packet, it searches for the interzone security policy. The firewall translates only the address that passes the security policy check and matches the conditions defined in the interzone policy. Therefore, the source address specified in the interzone security policy is the address before NAT, that is, the private IP address.

Command for configuring a security policy on the USG6000
The procedure for configuring a security policy on the USG6000 is as follows:
1. Run the security-policy command in the system view to enter the security policy view.
2. Run the rule name rule-name command in the security policy view to create a security policy rule and enter the security policy rule view.
3. Define the match conditions of the security policy. (The commands differ depending on the function being configured.)
4. Run the action { permit | deny } command to configure the action for the security policy rule.
For configuration details, see "Configuring a Security Policy Using the CLI" in the product documentation.

Which source address shall I specify in a security policy on an FW configured with a source NAT policy
Specify a private address (source address) in a security policy on an FW. The private address is the one that is used before source NAT is performed. The FW matches packets with a security policy before enforcing a NAT policy. If the packets match the security policy, the FW performs source NAT for the packets. If the packets do not match the security policy, the FW discards the packets.
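The ordering described above (NAT Server destination translation, then the security policy lookup, then source NAT) is what decides which address a rule must name. The following added example, not taken from the product documentation or any real device, models that order on constructed addresses and shows why a rule written with the post-NAT source address or the pre-NAT server address never matches:

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str   # compared against the source BEFORE source NAT
    dst_net: str   # compared against the destination AFTER NAT Server translation
    action: str    # "permit" or "deny"

# Constructed sample configuration (hypothetical addresses, not from a real device).
NAT_SERVER = {"203.0.113.10": "10.1.1.10"}   # public address -> internal server
SNAT_PUBLIC = "203.0.113.1"                  # address outbound traffic is translated to
INTERNAL = ip_network("10.1.1.0/24")

def _matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src_net)
            and ip_address(pkt.dst) in ip_network(rule.dst_net))

def process(pkt: Packet, rules: list) -> tuple:
    """Return (action, packet as it leaves the firewall).

    Modelled order: NAT Server translation -> security policy lookup -> source NAT.
    The policy therefore sees the private destination but the private source.
    """
    if pkt.dst in NAT_SERVER:
        pkt = replace(pkt, dst=NAT_SERVER[pkt.dst])   # destination NAT first
    for rule in rules:
        if _matches(rule, pkt):
            if rule.action == "deny":
                return "deny", pkt
            break
    else:
        return "deny", pkt                           # no rule matched: default deny
    if ip_address(pkt.src) in INTERNAL and ip_address(pkt.dst) not in INTERNAL:
        pkt = replace(pkt, src=SNAT_PUBLIC)          # source NAT only after permit
    return "permit", pkt

# Rules written as the page recommends (pre-NAT source, post-NAT destination)...
GOOD = [Rule("trust_to_untrust", "10.1.1.0/24", "0.0.0.0/0", "permit"),
        Rule("untrust_to_server", "0.0.0.0/0", "10.1.1.10/32", "permit")]
# ...and the common mistake of naming the translated public addresses instead.
BAD = [Rule("trust_to_untrust", "203.0.113.1/32", "0.0.0.0/0", "permit"),
       Rule("untrust_to_server", "0.0.0.0/0", "203.0.113.10/32", "permit")]

OUTBOUND = Packet("10.1.1.5", "198.51.100.7")      # internal host to the Internet
INBOUND = Packet("198.51.100.7", "203.0.113.10")   # Internet client to the NAT Server
```

With GOOD both packets are permitted and translated; with BAD both are dropped, which is the symptom an operator sees when a policy is written against the wrong side of the NAT.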
