How NAT configurations are processed

Firewall rules allow or drop traffic entering and exiting the network. NAT rules translate IP addresses for traffic the firewall rule allows. So, you must create firewall rules even if you've created NAT rules.

If Sophos Firewall doesn't find a firewall rule that matches the traffic criteria, it drops the traffic and logs the event. If it doesn't find a matching NAT rule, it allows the traffic to flow but doesn't translate the IP address.

For NAT rules, the matching criteria are the original (pre-NAT) source, destination, and service, and the inbound and outbound interfaces.

The order in which Sophos Firewall looks up and applies NAT and firewall rules is as follows:

  • Outgoing traffic: Sophos Firewall applies the firewall rule first and then the SNAT rule.
  • Incoming traffic: Sophos Firewall looks up the DNAT rule first to determine the translated (post-NAT) destination. It then matches the firewall rule based on the source and destination zones, source and destination networks, services, and schedule. For the destination zone, it uses the zone to which the translated (post-NAT) destination belongs.

    Example

    For traffic from the WAN or the LAN zones to your web server in the DMZ, you can create a DNAT rule to translate your public IP address (original destination) to the web server's IP address (translated destination).

    When packets arrive, Sophos Firewall looks up the DNAT rule. It identifies the zone containing the translated destination that you specified. In this example, it identifies DMZ as the destination zone.

    So, to create a firewall rule matching this traffic, you must set the destination zone to DMZ.

    For an example of how to create a DNAT rule and the corresponding firewall rule, see Create DNAT and firewall rules for internal servers.
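The processing order above (DNAT lookup first, then a firewall rule matched on the zone of the translated destination, with a drop when no firewall rule matches and pass-through without translation when no NAT rule matches) as a small added Python model. This is illustration code, not Sophos Firewall's own logic or API; the zones, addresses, rule classes and the `process_inbound` function are all constructed here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map; more specific zones first, WAN as the catch-all.
ZONES = {"LAN": ip_network("10.0.0.0/24"),
         "DMZ": ip_network("172.16.0.0/24"),
         "WAN": ip_network("0.0.0.0/0")}

def zone_of(ip):
    """Zone whose network contains ip (first match wins)."""
    return next((z for z, n in ZONES.items() if ip_address(ip) in n), None)

@dataclass
class DnatRule:      # matched on the original (pre-NAT) destination + service
    orig_dst: str
    service: str
    xlated_dst: str

@dataclass
class FirewallRule:  # matched on source/destination zone + service
    src_zone: str
    dst_zone: str
    service: str
    action: str      # "allow" or "drop"

def process_inbound(pkt, dnat_rules, fw_rules):
    """Return (action, post-NAT destination) for an incoming packet dict."""
    dst = pkt["dst"]
    # 1. DNAT lookup on the pre-NAT destination; no match means no translation.
    for r in dnat_rules:
        if r.orig_dst == dst and r.service == pkt["service"]:
            dst = r.xlated_dst
            break
    # 2. Firewall lookup keyed on the zone of the TRANSLATED destination,
    #    not the zone of the public IP the packet arrived on.
    src_zone, dst_zone = zone_of(pkt["src"]), zone_of(dst)
    for r in fw_rules:
        if (r.src_zone, r.dst_zone, r.service) == (src_zone, dst_zone, pkt["service"]):
            return r.action, dst
    return "drop", dst   # no firewall rule matched: dropped and logged

# Constructed sample: DNAT from a public IP to a DMZ web server, and two
# candidate firewall rules for the same traffic.
DNAT = [DnatRule("203.0.113.10", "HTTPS", "172.16.0.80")]
FW_WRONG = [FirewallRule("WAN", "WAN", "HTTPS", "allow")]  # pre-NAT zone: never matches
FW_RIGHT = [FirewallRule("WAN", "DMZ", "HTTPS", "allow")]  # post-NAT zone: matches
PKT = {"src": "198.51.100.7", "dst": "203.0.113.10", "service": "HTTPS"}
```

Running `process_inbound(PKT, DNAT, FW_WRONG)` shows the traffic dropped even though the DNAT rule matched, while `FW_RIGHT` allows it; with no DNAT rule at all, the packet keeps its original destination and is evaluated against the WAN zone.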