
Add a DNAT rule with server access assistant

The server access assistant helps you create destination NAT (DNAT) rules for inbound traffic to an internal server.

These rules translate incoming traffic to internal servers, such as web, mail, SSH, or remote desktop servers. The assistant automatically creates the following rules:

  • Inbound NAT rule: DNAT rule that translates traffic from the WAN zone to the internal server.
  • Loopback NAT rule: DNAT rule that translates traffic from internal users to the server.
  • Outbound NAT rule: SNAT rule that translates outbound traffic from the server. It's called a reflexive rule in the NAT rule configuration.
  • Firewall rule: Allows inbound traffic to the server.

If you want specific settings, you can edit the rules later.

Restriction

You can't simultaneously configure a DNAT rule and weighted load balancing for the same DNS host entry.

Use Server access assistant

  1. Open the assistant from either rule table:

    • Go to Rules and policies > NAT rules, select IPv4 or IPv6, and click Add NAT rule.
    • Go to Rules and policies > Firewall rules, select IPv4 or IPv6, and click Add firewall rule.
  2. Select Server access assistant (DNAT).

  3. Specify the following settings.

  4. For Internal server IP address, specify the internal server you want users to access. Use one of the following options:

    • Select the server's IP host.
    • Enter the IP address you want to assign to the server.

    The firewall checks the interface over which users can reach the internal server and sets the interface's zone as the Destination zone. Firewall rules use this as the destination zone to match traffic.

  5. For Public IP address, use one of the following options:

    • Select the WAN interface or the IP host for your public IP address.
    • Enter your network's public IP address.

    Note

    To have the assistant create a loopback DNAT rule automatically, select the WAN interface rather than entering a public IP address.

  6. For Services, select the internal server's service (port and protocol combination).

  7. For External source networks and devices, select the source networks and devices from which users can access the internal server.

    Note

    To enable internal users to access the server, select Any. This setting is required for the firewall to create a loopback DNAT rule.

  8. Review the settings and rules, then click Save and finish.

    The assistant adds the rules at the top of the NAT and firewall rule tables and turns them on by default.

    The reflexive and loopback rule names include the name and rule ID of the DNAT rule you created. The firewall rule name includes the DNAT rule name.

  9. Reposition the NAT and firewall rules in the corresponding rule tables to meet your requirements.

    The firewall evaluates rules from the top in the order shown until it finds a rule that matches the traffic.

Loopback rule

The firewall only creates a loopback DNAT rule to translate internal traffic to the server if you select the following options:

  • Set Public IP address to the WAN interface. If you enter a public IP address instead, traffic can enter the firewall through any interface, so the DNAT rule's inbound interface is set to Any. A loopback rule created in that configuration has the same inbound interface setting.
  • Set External source networks and devices to Any. Any includes networks in the WAN zone and in the internal zones, so internal users match the rule.

The DNAT and loopback rules then have the same traffic-matching settings, and the firewall applies the rule that first matches the traffic.
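The following is an added example, not Sophos Firewall code: a small Python model of how the rule set the assistant creates is evaluated, using the first-match, top-to-bottom order described in the procedure. The zones, addresses (203.0.113.10 as the WAN address, 10.0.0.20 as the server) and rule fields are constructed for illustration and stand in for the objects the assistant creates; real rule matching has more fields than this model. It goes slightly beyond the page by also showing what happens when a broader rule is placed above the DNAT rule, which is why step 9 asks you to check rule position.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing (assumption, not taken from the page).
PUBLIC_IP = "203.0.113.10"   # address on the WAN interface
SERVER_IP = "10.0.0.20"      # internal web server, reachable via the LAN zone
ANY = ip_network("0.0.0.0/0")  # what "Any" in External source networks means here


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_zone: str          # zone of the interface the packet arrived on


@dataclass(frozen=True)
class NatRule:
    name: str
    in_zone: str                          # "WAN", "LAN" or "Any"
    orig_src: IPv4Network                 # Original source; 0.0.0.0/0 means Any
    orig_dst: Optional[str]               # Original destination; None means Any
    orig_port: Optional[int]              # Original service; None means Any
    translated_dst: Optional[str] = None  # set on DNAT rules
    translated_src: Optional[str] = None  # set on SNAT rules


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """All matching fields must agree; Any-valued fields match everything."""
    return (
        rule.in_zone in ("Any", pkt.in_zone)
        and ip_address(pkt.src) in rule.orig_src
        and rule.orig_dst in (None, pkt.dst)
        and rule.orig_port in (None, pkt.dport)
    )


def evaluate(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[str], Packet]:
    """First-match evaluation from the top of the table.

    Returns the name of the rule that matched and the packet after translation,
    or (None, pkt) when no rule matches and the packet is left untranslated.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            out = pkt
            if rule.translated_dst:
                out = replace(out, dst=rule.translated_dst)
            if rule.translated_src:
                out = replace(out, src=rule.translated_src)
            return rule.name, out
    return None, pkt


def assistant_rules(external_sources: IPv4Network) -> List[NatRule]:
    """The NAT rules the assistant creates for a web server on TCP 443 (model).

    The loopback rule is only added when External source networks is Any, as
    the page states; with a narrower source selection internal users get no rule.
    """
    inbound = NatRule("Inbound NAT", "WAN", external_sources, PUBLIC_IP, 443,
                      translated_dst=SERVER_IP)
    loopback = NatRule("Loopback NAT", "LAN", external_sources, PUBLIC_IP, 443,
                       translated_dst=SERVER_IP)
    reflexive = NatRule("Outbound NAT", "LAN", ip_network(SERVER_IP + "/32"),
                        None, None, translated_src=PUBLIC_IP)
    rules = [inbound]
    if external_sources == ANY:
        rules.append(loopback)
    rules.append(reflexive)
    return rules


def firewall_allows(after_nat: Packet) -> bool:
    """The firewall rule the assistant adds: permit traffic whose post-NAT
    destination is the server on the published service."""
    return after_nat.dst == SERVER_IP and after_nat.dport == 443


if __name__ == "__main__":
    rules = assistant_rules(ANY)
    for pkt in (
        Packet("198.51.100.7", PUBLIC_IP, 443, "WAN"),   # external user
        Packet("10.0.0.5", PUBLIC_IP, 443, "LAN"),       # internal user, hairpin
        Packet(SERVER_IP, "198.51.100.7", 80, "LAN"),    # server going out
    ):
        name, out = evaluate(rules, pkt)
        print(f"{pkt.src}->{pkt.dst}:{pkt.dport} matched {name}; "
              f"now {out.src}->{out.dst}, allowed={firewall_allows(out)}")
```

Reordering the list passed to `evaluate` is the model's equivalent of dragging rules in the table: a catch-all DNAT for the public address placed above the assistant's rule takes every connection to that address, including the port the assistant published, because evaluation stops at the first match.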

Server access assistant versus manual DNAT rules

You can edit the rules the assistant creates and manually select specific settings. The following are examples of times you must manually edit rules created with the server access assistant:

  • The firewall doesn't translate the Source networks and Services you configure in the assistant. It sets the Translated source and Translated service to Original.
  • When you set the Original destination to an alias IP address, the firewall sets its physical interface as the Translated source in the SNAT and loopback rules. To use the alias address instead, create an IP host for the alias and manually set it as the Translated source.

Note

If you change the settings of the NAT rules you created, update the required firewall rule settings.

Comparison of settings and options

The assistant enables you to create quick and simple configurations. The DNAT rule offers more options and enables you to specify more complex settings.

The following table shows the corresponding manual settings for the assistant.

| Server access assistant | DNAT rule (manually created) |
| --- | --- |
| Internal server IP address: a single IP address or IP host. | Translated destination: IP address, IP range, IP list, or network. |
| Public IP address: a single IP address, IP host, or any interface. | Original destination: any interface or host (IP address, IP list, IP range, network, country, FQDN, MAC address, or MAC list). |
| Services: common and custom services. You must create custom services in advance. To configure port translation, edit the rules later and select a service under Translated service. | Original service: common and custom services. You can create custom services here. |
| External source networks and devices: any host. | Original source: any host, including system hosts. |
