Add DNAT/Full NAT/Load Balancing Rule

This page describes how to configure a DNAT/Full NAT/Load Balancing (Non-web) rule.

A DNAT/Full NAT/Load Balancing rule publishes non-web servers, such as mail or other servers hosted inside the network (LAN or DMZ), and controls which users and networks may reach them over the WAN or Internet. Because the rule exposes an internal host to untrusted networks, forward only the services the application actually needs.
  1. Go to Device Configuration > Protect > Firewall and select between IPv4 or IPv6 using the default filter.
  2. Now, click +Add Firewall Rule and select Business Application Rule.
  3. Specify the general rule details.
    Application Template
    Select DNAT/Full NAT/Load Balancing to configure a rule for generic Non-Web based applications.
    Description
    Specify a rule description.
    Rule Position
    Specify the position of the rule.
    Available Options: Top, Bottom
    Rule Name
    Specify a name to identify the rule.
  4. Specify Source details.
    Source Zones
    Select a source zone or click Add New Item to define a new LAN or DMZ zone.
    Allowed Client Networks
    Select the allowed host(s) or add a new one by clicking Add New Item.
    Blocked Client Networks
    Select the blocked host(s)/network(s).
  5. Specify Destination & Service details.
    Firewall Version
    Choose from the following options:
    Available Options: Firewalls running on SFOS v17, Firewalls running on SFOS v16.x
    Destination Host/Network
    Select the destination host/network to which the rule applies. This is the public IP address through which users reach the internal server/host over the Internet.
    Available Options:
      IP Address: The specified IP address is mapped to a single mapped IP address or to a range of mapped IP addresses. If a single IP address is mapped to a range, the device load balances requests across the range using a round robin algorithm.
      IP Range (only available for IPv4): The specified IP address range is mapped to a corresponding range of mapped IP addresses. The IP range defines the start and end of an address range; the start address must be lower than the end address.
      Select this option when any of the device ports, aliases or virtual LAN (VLAN) sub-interfaces is to be mapped to the destination host or network.
    Services
    Select the services allowed to the user. A new service can be directly created from this page.
    Add new item
    Name: Enter a name to identify the service.
    Type: Select a protocol for the service.
    Available Options:
      TCP/UDP: Enter the source and destination ports. You can enter multiple ports for the same service; the number of source and destination ports must not exceed 16.
      IP: Select the protocol number for the service. You can select multiple protocol numbers for the same service.
      ICMP: Select the ICMP type and code. You can enter multiple types and codes for the same service.
      ICMPv6: Select the ICMPv6 type and code. You can enter multiple types and codes for the same service.
    Use the Add and Remove icons to add and delete parameters.
    Figure: Firewalls Running on SFOS v17
    Forward Type
    Select the type of external port from the available options.
    Available Options: Port, Port Range, Port List, Everything

    When Everything is selected, all ports are forwarded, which exposes every listening service on the protected server. Prefer one of the other options and specify only the ports the application needs.

    Service Port(s) Forwarded (Not Available if Forward Type selected is Everything)
    Specify the public port number for which you want to configure port forwarding.
    Protocol (Not Available if Forward Type selected is Everything)
    Select the protocol (TCP or UDP) of the packets to be forwarded.
    Figure: Firewalls Running on SFOS v16.x
  6. Specify Forward To details.
    Protected Server(s)
    Select the internal server(s) that host the application.
    Available options:
      IP Address: The external IP address is mapped to the specified IP address.
      IP Range: The external IP address range is mapped to the specified IP address range.
      IP List: The external IP address is mapped to the specified IP list.
      FQDN: The external IP address is mapped to the specified FQDN, so the internal mapped server can be reached by FQDN. This option is only available for IPv4 virtual hosts.
    Mapped Port Type (Available only if Change Destination Port(s) is selected)
    Select the type of mapped port from the available options.
    Available Options: Port, Port Range, Port List
    Note: Not applicable for firewalls running on SFOS v17.
    Mapped Port (Available only if Change Destination Port(s) is selected)
    Specify the port number on the destination server to which the public port number is mapped.
    Protected Zone
    Select the zone in which the protected server(s) reside.
    Change Destination Port(s)
    Select the check box to map the public port to a different port on the protected server. Clear the check box to use the same port as Service Port(s) Forwarded.
    Figure: Forward To
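The Destination & Service and Forward To fields above together define a translation table: which public address and port is rewritten to which server address and port. The following Python script is an added example (not Sophos code) that resolves those fields into that table while enforcing the constraints stated on this page: an IP Range start must be lower than its end, a TCP/UDP service may list at most 16 source and destination ports, Everything forwards all ports, and Change Destination Port(s) controls whether the public port is reused on the server. Function names, the text syntax for IP and port ranges, and the RFC 5737 / RFC 1918 sample addresses are assumptions; pairing an IP Range with an equal-sized mapped range position by position is my reading of "corresponding range".

```python
"""Added example (not Sophos code): resolves the Destination & Service and
Forward To fields of a DNAT/Full NAT/Load Balancing rule into the translation
table the firewall would apply, enforcing the constraints this page states.
Function names, the text syntax for IP/port ranges and the RFC 5737 / RFC 1918
sample addresses are assumptions; pairing an IP Range with an equal-sized
mapped range position by position is my reading of 'corresponding range'."""
import ipaddress

MAX_PORTS_PER_SERVICE = 16  # limit stated on this page for TCP/UDP services


def parse_ip_range(text):
    """'start-end' (IPv4, as IP Range is IPv4-only here) -> list of address strings.
    The start of the range must be lower than the end."""
    start_s, end_s = (p.strip() for p in text.split("-", 1))
    start, end = ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)
    if start >= end:
        raise ValueError(f"IP range {text!r}: start must be lower than end")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end) + 1)]


def parse_port_list(text):
    """'25,465,587' (Port / Port List) or '8000-8003' (Port Range) -> [(lo, hi), ...]."""
    entries = []
    for part in (p.strip() for p in text.split(",") if p.strip()):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port entry {part!r}")
        entries.append((lo, hi))
    return entries


def expand_ports(entries):
    """[(lo, hi), ...] -> sorted list of individual ports."""
    return sorted({p for lo, hi in entries for p in range(lo, hi + 1)})


def tcp_udp_service(name, source_ports, destination_ports):
    """Add new item -> TCP/UDP.  The page caps source and destination ports at
    16; counted here as list entries (a single port or a range each)."""
    src, dst = parse_port_list(source_ports), parse_port_list(destination_ports)
    if len(src) > MAX_PORTS_PER_SERVICE or len(dst) > MAX_PORTS_PER_SERVICE:
        raise ValueError(f"{name}: at most {MAX_PORTS_PER_SERVICE} source/destination ports")
    return {"name": name, "type": "TCP/UDP", "source": src, "destination": dst}


def resolve_forward(public, forwarded_ports, protected,
                    change_destination_ports=False, mapped_ports=None):
    """Build {(public_ip, public_port): [(server_ip, server_port), ...]}.
    public:          [one IP] for Destination Host/Network = IP Address, or an
                     IP Range list from parse_ip_range()
    forwarded_ports: Service Port(s) Forwarded; None stands for Forward Type =
                     Everything (every port, shown as '*')
    protected:       Protected Server(s): one IP, an IP Range or an IP List
    With Change Destination Port(s) cleared, the forwarded ports double as the
    mapped ports; when set, mapped_ports must pair 1:1 with forwarded_ports."""
    if forwarded_ports is None:
        forwarded_ports, mapped_ports = ["*"], ["*"]      # Everything: no port rewrite
    elif change_destination_ports:
        if mapped_ports is None or len(mapped_ports) != len(forwarded_ports):
            raise ValueError("Mapped Port must pair 1:1 with Service Port(s) Forwarded")
    else:
        mapped_ports = forwarded_ports
    table = {}
    if len(public) == 1:
        # one public IP in front of one or more servers: every server is a target
        # for each forwarded port, and with several servers the rule load-balances
        for pub_port, srv_port in zip(forwarded_ports, mapped_ports):
            table[(public[0], pub_port)] = [(srv, srv_port) for srv in protected]
    else:
        # IP Range -> IP Range: positional one-to-one mapping, so sizes must match
        if len(public) != len(protected):
            raise ValueError("public and mapped IP ranges must be the same size")
        for pub_ip, srv_ip in zip(public, protected):
            for pub_port, srv_port in zip(forwarded_ports, mapped_ports):
                table[(pub_ip, pub_port)] = [(srv_ip, srv_port)]
    return table


if __name__ == "__main__":
    # constructed sample: public 203.0.113.10, SMTP forwarded to two mail servers
    svc = tcp_udp_service("smtp-submission", "1-65535", "25,587")
    pub_ports = expand_ports(svc["destination"])
    servers = parse_ip_range("192.168.10.21-192.168.10.22")
    for key, targets in resolve_forward(["203.0.113.10"], pub_ports, servers).items():
        print(key, "->", targets)
```

Running the script prints one line per public (IP, port) with the list of server targets; with two servers behind one public address, each forwarded port resolves to both, which is the case the load balancing section below distributes across.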
  7. Specify Load balancing details.
    Load Balancing (only available if IP Range or IP List is selected for Protected Server and IP Address is selected for Destination Host/Network)
    Select the method for load balancing from the available options.
    Available Options:
      Round Robin: Requests are served sequentially: the first request goes to the first server, the second to the second server, and so on. When a request arrives, the device checks which server was assigned the last request and hands the new one to the next available server. Use this when traffic should be distributed evenly and session persistence is not required.
      First Alive: All requests are served by the first server (the first IP address configured in the range). That server is the primary; all others are backups and receive requests only when the first server fails. Use this for failover scenarios.
      Random: Requests are forwarded to the servers at random, while the device ensures that all configured servers receive an equal share of the load (uniform random distribution). Use this when traffic should be distributed evenly and neither session persistence nor a fixed order of distribution is required.
      Sticky IP: Along with round robin distribution, the device forwards traffic according to the source IP address: all traffic from a given source goes only to the server it was mapped to, so every request from that source IP is handled by the same application server instance. Use this where all requests or sessions from a client must be processed by the same server, for example banking or e-commerce sites.
    Health Check (only available if Load Balancing is enabled)
    Enable a health check for failover and set the parameters described below. The health check is what detects a failed server, so enable it whenever a backup server must take over automatically.
    Port (Applicable if TCP Probe Health Check Method is selected)
    Specify the port on the server to which the TCP probe connects.
    Acceptable range: 1 to 65535
    Interval
    Specify the interval in seconds between health probes.
    Acceptable range: 5 to 65535 seconds
    Default: 60
    Probe Method
    Select the probe method to check the health of the server from the available options.
    Available Options: ICMP, TCP
    Timeout
    Specify the time interval in seconds within which the server must respond.
    Acceptable range: 1 to 10 seconds
    Default: 2
    Retries
    Specify the number of failed probes after which the server is declared unreachable.
    Acceptable range: 1 to 10
    Default: 3
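To make the load balancing methods and the health check concrete, here is an added Python simulation (not Sophos code) of the four methods and of the Interval/Timeout/Retries logic: a server is declared unreachable after the configured number of failed probes and is excluded from selection until a probe succeeds again. The method names, parameter ranges and defaults come from this page; the class names, the TCP probe helper, implementing "uniform random" as draws from a shuffled copy of the healthy set, and re-homing a Sticky IP client whose server has gone down are assumptions.

```python
"""Added example (not Sophos code): simulates the four load-balancing methods
and the failover health check described for a DNAT/Full NAT/Load Balancing
rule.  The method names, the Interval/Timeout/Retries ranges and defaults, and
'unreachable after the configured number of failed probes' come from the page.
The class names, the TCP probe helper, the shuffled-deck form of 'uniform
random' and re-homing a Sticky IP client whose server is down are assumptions."""
import random
import socket


def tcp_probe(host, port, timeout=2.0):
    """Probe Method = TCP: a completed connect within Timeout seconds is healthy.
    (ICMP probing needs raw sockets and is left out.)"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class HealthCheck:
    """One Interval tick probes every server; a server is declared unreachable
    after `retries` consecutive failed probes and healthy on the next success."""

    def __init__(self, servers, probe, interval=60, timeout=2, retries=3):
        if not (5 <= interval <= 65535 and 1 <= timeout <= 10 and 1 <= retries <= 10):
            raise ValueError("Interval 5-65535 s, Timeout 1-10 s, Retries 1-10")
        self.probe, self.interval, self.timeout, self.retries = probe, interval, timeout, retries
        self.failures = {s: 0 for s in servers}
        self.alive = {s: True for s in servers}

    def run_once(self):
        """Probe each server once and return the servers currently considered up."""
        for s in self.failures:
            if self.probe(s, self.timeout):
                self.failures[s] = 0
                self.alive[s] = True
            else:
                self.failures[s] += 1
                if self.failures[s] >= self.retries:
                    self.alive[s] = False
        return [s for s, up in self.alive.items() if up]


class LoadBalancer:
    METHODS = ("round_robin", "first_alive", "random", "sticky_ip")

    def __init__(self, servers, method, health=None):
        if method not in self.METHODS:
            raise ValueError(f"unknown method {method!r}")
        self.servers, self.method, self.health = list(servers), method, health
        self._rr = 0          # round-robin cursor
        self._deck = []       # shuffled copy of the healthy set for 'random'
        self._sticky = {}     # source IP -> server for 'sticky_ip'

    def _alive(self):
        if self.health is None:
            return list(self.servers)
        return [s for s in self.servers if self.health.alive[s]]

    def _round_robin(self, alive):
        s = alive[self._rr % len(alive)]
        self._rr += 1
        return s

    def pick(self, source_ip):
        """Return the server that the next request from source_ip is forwarded to."""
        alive = self._alive()
        if not alive:
            raise RuntimeError("no healthy server behind the rule")
        if self.method == "round_robin":
            return self._round_robin(alive)
        if self.method == "first_alive":
            return alive[0]   # first configured server still up; the rest are backups
        if self.method == "random":
            # draw from a shuffled copy of the healthy set, refilled when empty, so
            # every server gets the same share of requests (uniform random)
            if not self._deck or any(s not in alive for s in self._deck):
                self._deck = random.sample(alive, len(alive))
            return self._deck.pop()
        # sticky_ip: a new source is placed by round robin and keeps that server;
        # if that server is down the source is re-placed (assumption, see lead-in)
        s = self._sticky.get(source_ip)
        if s not in alive:
            s = self._sticky[source_ip] = self._round_robin(alive)
        return s


if __name__ == "__main__":
    servers = ["192.168.10.21", "192.168.10.22", "192.168.10.23"]  # constructed
    down = {"192.168.10.21"}                                       # simulated outage
    hc = HealthCheck(servers, probe=lambda host, t: host not in down)
    for _ in range(3):          # three Interval ticks at Retries = 3
        print("healthy:", hc.run_once())
    lb = LoadBalancer(servers, "sticky_ip", hc)
    for src in ["198.51.100.7", "198.51.100.8", "198.51.100.7"]:
        print(src, "->", lb.pick(src))
```

The demo at the bottom substitutes a fake probe for tcp_probe so it runs offline; it shows the first server surviving two failed probes and being dropped on the third (Retries = 3), after which Sticky IP places both clients on the remaining servers and keeps the repeat client on the same one.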
  8. Specify Identity details.
    Match known users
    Select the check box to match the rule on user identity, so that only the specified users or user groups from the selected zone can access the selected service.
    Enable Check identity to apply the following policies per user.
    Show Captive Portal to unknown users
    Select the check box to accept traffic from unknown users. The captive portal page is displayed to such users, where they can sign in to access the Internet.
    Clear the check box to drop traffic from unknown users.
    User or Groups (Available if 'Match known users' is selected)
    Select the user(s) or group(s) from the list of available options.
    Exclude this user activity from data accounting (Available if 'Match known users' is selected)
    Select the check box to exclude the traffic matched by this rule from the user's data accounting. By default, a user's network traffic is counted in data accounting; with this option set, the traffic allowed through this firewall rule is not counted towards the user's data transfer.

  9. Specify advanced settings details.
    1. Specify Polices for Business Applications.
      Intrusion Prevention
      Select the required IPS policy. If Match known users is enabled, the user's IPS policy is applied automatically, but it takes effect only once the respective module is subscribed. A new IPS policy can be created directly from this page or from the Device Configuration > Protect > Intrusion Prevention > IPS Policies page.
      Traffic Shaping Policy
      Select the required traffic shaping policy. If Match known users is enabled, the user's traffic shaping policy is applied automatically.
      You need to select a traffic shaping policy for the rule if Match known users is not selected.
      A new traffic shaping policy can be created directly from this page or from the Device Configuration > System > Profiles > Traffic Shaping page.
    2. Specify Security Heartbeat details. (only available if IPv4 is selected).
      Minimum Source HB Permitted
      Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.
      Block clients with no heartbeat
      Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.
      Based on that information, you can restrict a source device's access to certain services and networks.
      Enable the option to require the sending of heartbeats.
      Minimum Destination HB Permitted (Not available if Protected Zone selected is WAN)
      Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.
      Block request to destination with no heartbeat (Not available if Protected Zone selected is WAN)
      Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.
      Based on that information, you can block requests to destinations not sending heartbeat.

      Enable/disable the option to require the sending of heartbeats.

    3. Specify Routing details.
      Rewrite source address (Masquerading)
      Enable/disable to re-write the source address or specify a NAT policy.
      Create Reflexive Rule
      Enable to automatically create a reflexive firewall rule for the protected host.
      A reflexive rule carries the same policies as the rule configured for the hosted server, but applies to traffic in the opposite direction, from the destination zone to the source zone. It therefore lets the protected server initiate connections towards the client networks; create it only if the server needs that.
      By default, the reflexive rule is not created.
      Use Outbound Address (only available if Rewrite source address is enabled)
      Select the NAT policy to be applied from the list of available NAT policies.
      A new NAT policy can be created directly from this page or from the Device Configuration > System > Profiles > Network Address Translation page.
      The default NAT policy is Masquerade.

      MASQ (Interface Default IP): The IP address of the interface in the selected Protected Zone, as configured in Device Configuration > Configure > Network > Interfaces, is shown in place of (Interface Default IP).

  10. Specify the logging option for the user application traffic.
    Log Firewall Traffic
    Select to log both permitted and denied traffic. For a rule that publishes a server to the Internet, enable this so that connection attempts against the exposed service are recorded.
  11. Click Save.
The non-web rule is created and appears on the Firewall page when the matching filter (IPv4 or IPv6) is selected.