AaronCP
Advisor

Additional NAT rule 0

Good morning,

I have a manual static NAT rule configured in our rulebase:

Original Source: x.x.x.x - Original Destination: y.y.y.y - Original Service: any - Translate Source: Original - Translate Destination: z.z.z.z - Translate Service: original

The NAT rule itself works fine. In the logs, I can see the traffic is hitting the correct NAT rule (NAT rule 10, for example), but I can also see "NAT Additional Rule Number 0" in the logs. Initial research suggests that this is related to bi-directional NAT (which is enabled in Global Properties), but I thought this was only applied to automatic rules? Not manual? This is happening on the majority of our NAT rules, most of which are manual.

R80.40, take 118.

Can someone help clarify this, please?

Thanks.

Timothy_Hall
Champion

I'm a bit hazy on this, but NAT rule 0 applies in the following situations I can think of:

1) NAT "Hide Internal networks behind gateway's external IP" is set on the gateway/cluster object (not default setting)

2) Certain traffic to and from the cluster members themselves, including control traffic

3) Traffic matching the implied Firewall policy rules (Actions...Display Implied Rules) from Security Policies tab in SmartConsole

4) Possibly lack of inspection/handling due to Wire Mode

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
net-harry
Collaborator

Hi,

I have a related question regarding NAT Additional Rule Number.

We have a NAT rule that translates various internal subnets to a hide-NAT address.

The logs that hit this NAT rule correctly show the NAT rule number (NAT rule #8 in our case), but they also show a "NAT Additional Rule Number". For most entries it is 1, but for some entries it is 0.

Could someone explain what this means and the reason this is happening?

Please note that:

  • NAT rule #1 does not at all match the traffic for the log entries with this behavior
  • We do not have "Hide Internal networks behind gateway's external IP" enabled on the gateways
  • We do not have "Allow bi-directional NAT" enabled in the global properties
  • This is traffic from inside subnets, not addresses on the firewalls themselves


We are running R80.40 on the MDS servers and R80.20 on the security gateways.

Thanks for your help!

Harry

Timothy_Hall
Champion

Normally the NAT additional rule number should be blank unless two automatic rules were matched (one for source and one for destination), but according to sk144192:

When matching 2 automatic rules, second rule match will be shown otherwise NAT Additional Rule field will be 0.

So that explains the NAT additional rule being 0 when matching only one automatic rule.  If a manual NAT rule is matched, only that one rule can be matched and the NAT additional rule should always be blank (or maybe 0).  Not sure why the field would show 1, perhaps it is trying to indicate that only one NAT rule (a manual one) is matched?  There were some changes to NAT made in R80.40 involving GNAT & exhaustion pools and such, perhaps this behavior change in the logs is related to that?

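A small triage helper for the question discussed in this thread, added here as an example and not code from the thread or from Check Point: it parses key=value log records, reads the two NAT rule fields, and tallies the combinations so entries like Harry's (manual rule matched, additional rule 1) stand out for review. The field names nat_rulenum and nat_addtnl_rulenum follow Check Point's exported log format (assumed here); the sample records are constructed.

```python
"""Tally NAT rule / additional-rule combinations in Check Point log records.

Added example, not part of the thread. Field names nat_rulenum and
nat_addtnl_rulenum follow Check Point's exported log format (assumed here);
the sample records below are constructed, not real logs.
"""
import re
from collections import Counter

# Constructed sample lines in a key=value style export; all values are made up.
SAMPLE_LOGS = """\
time=1 src=10.1.1.5 dst=198.51.100.7 xlatesrc=203.0.113.9 nat_rulenum=8 nat_addtnl_rulenum=1
time=2 src=10.1.2.9 dst=198.51.100.7 xlatesrc=203.0.113.9 nat_rulenum=8 nat_addtnl_rulenum=0
time=3 src=10.1.1.5 dst=198.51.100.20 xlatedst=10.9.9.9 nat_rulenum=10 nat_addtnl_rulenum=0
time=4 src=10.1.3.3 dst=198.51.100.20 xlatesrc=203.0.113.9 xlatedst=10.9.9.9 nat_rulenum=10 nat_addtnl_rulenum=11
time=5 src=10.1.3.3 dst=198.51.100.50 nat_rulenum=0 nat_addtnl_rulenum=0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_log_line(line):
    """Turn one key=value record into a dict; the NAT rule fields become ints."""
    rec = dict(KV_RE.findall(line))
    for key in ("nat_rulenum", "nat_addtnl_rulenum"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec

def describe_nat_match(rec):
    """Classify one record by its two NAT rule fields, following the sk144192
    wording quoted in the thread: a non-zero additional rule means a second
    (automatic) rule also matched; 0 means only one rule matched."""
    rule, extra = rec.get("nat_rulenum"), rec.get("nat_addtnl_rulenum")
    if rule is None:
        return "no-nat-fields"
    if rule == 0:
        return "rule0-implied-or-gateway-nat"  # the NAT rule 0 cases listed above
    if extra in (None, 0):
        return "single-rule"
    if extra == 1 and rule != 1:
        return "additional-1-unexplained"  # Harry's case: worth a closer look
    return "two-rules"  # e.g. one source rule plus one destination rule

def summarize(log_text):
    """Count classifications across records so odd combinations stand out."""
    return Counter(describe_nat_match(parse_log_line(l))
                   for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{label:32s} {n}")
```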