Add a DNAT rule with server access assistant
The server access assistant helps you create destination NAT (DNAT) rules for inbound traffic to an internal server.
These rules translate incoming traffic to servers, such as web, mail, SSH, or other servers and remote desktops. The assistant automatically creates the following rules:
- Inbound NAT rule: DNAT rule that translates traffic from the WAN zone to the internal server.
- Loopback NAT rule: DNAT rule that translates traffic from internal users to the server.
- Outbound NAT rule: SNAT rule that translates outbound traffic from the server. It's called a reflexive rule in the NAT rule configuration.
- Firewall rule: Allows inbound traffic to the server.
If you want specific settings, you can edit the rules later.
Use Server access assistant
Select the server access assistant from one of the following options:
- Go to Rules and policies > NAT rules, select IPv4 or IPv6 and click Add NAT rule. Select Server access assistant (DNAT).
- Go to Rules and policies > Firewall rules, select protocol IPv4 or IPv6 and click Add firewall rule. Click New firewall rule and select Server access assistant (DNAT).
Specify the settings:
- Go to Rules and policies > NAT rules, select IPv4 or IPv6, and click Add NAT rule.
- Go to Rules and policies > Firewall rules, select IPv4 or IPv6, and click Add firewall rule.
Select Server access assistant (DNAT).
For Internal server IP address, specify the internal server you want users to access. Use one of the following options:
- Select the server's IP host.
- Enter the IP address you want to assign to the server.
For Public IP address, use one of the following options:
- Select the WAN interface or the IP host for your public IP address.
- Enter your network's public IP address.
To automatically create a loopback DNAT rule, select a firewall interface instead of a public IP address.
For Services, select the internal server's service (port and protocol combination).
For External source networks and devices, select the source networks and devices from which users can access the internal server.
To enable internal users to access the server, select Any. This setting is required for the firewall to create a loopback DNAT rule.
Review the settings and rules, then click Save and finish.
The assistant adds the rules at the top of the NAT and firewall rule tables and turns them on by default.
The reflexive and loopback rule names include the name and rule ID of the DNAT rule you created. The firewall rule name includes the DNAT rule name.
Reposition the NAT and firewall rules in the corresponding rule tables to meet your requirements.
The firewall evaluates rules from the top in the order shown until it finds a rule that matches the traffic.
The firewall only creates a loopback DNAT rule to translate internal traffic to the server if you select the following options:
- Set Public IP address to the WAN interface. If you use a public IP address, traffic enters the firewall through any interface, and the DNAT rule's inbound interface is set to Any. If a loopback rule is automatically created, it will have the same inbound interface setting.
- Set External source networks and devices to Any. It includes networks in the WAN and internal zones.
The DNAT and loopback rules then have the same traffic-matching settings, and the firewall applies the rule that first matches the traffic.
Server access assistant versus manual DNAT rules
You can edit the rules the assistant creates and manually select specific settings. The following are examples of times you must manually edit rules created with the server access assistant:
- The firewall doesn't translate the Source networks and Services you configure in the assistant. It sets the Translated source and Translated service to
- When you set the Original destination to an alias IP address, the firewall sets its physical interface as the Translated source in the SNAT and loopback rules. To use the alias address instead, create an IP host for the alias and manually set it as the Translated source.
If you change the settings of the NAT rules you created, update the required firewall rule settings.
Comparison of settings and options
The assistant enables you to create quick and simple configurations. The DNAT rule offers more options and enables you to specify more complex settings.
The following table shows the corresponding manual settings for the assistant.
|Server access assistant
Internal server IP address
A single IP address or IP host.
IP address, IP range, IP list, or network.
Public IP address
A single IP address, IP host, or any interface.
Any interface or host (IP address, IP list, IP range, network, country, FQDN, MAC address, or MAC list).
Common and custom services. You must create custom services in advance.
To configure port translation, edit the rules later and select a service under Translated service.
Common and custom services. You can create custom services here.
External source networks and devices
Any host, including system hosts.