Hey all,
We recently upgraded our MDS to R81.20 T76. At first, all seemed OK; however, we ran into a NAT problem when we began installing policy to some of our perimeter gateway environments. We noticed in the logs that DNS & proxy traffic originating from the gateway itself started to get NAT'd behind a public IP (hitting a generic hide NAT rule), where prior to T76 NAT was not being applied. The logs clearly showed that prior to the policy installation traffic was hitting the cluster No NAT rule (say NAT rule 10), and post installation traffic was hitting rule 50 - the generic Hide NAT.
For years now, we've used gateway No NAT rules in all of our policies so that any traffic originating from a cluster or SMO object (from any interface) would not be subject to NAT. The NAT rule would look like this:
Original Source: Cluster/SMO Object
Original Destination: Any
Services: Any
Translated Source: Original
Translated Destination: Original
Translated Service: Original
Note: some policies don't require an RFC1918 to RFC1918 No NAT as the traffic flows are predominantly outbound to the Internet.
It appeared there was a behaviour change when using cluster or SMO objects in NAT rules post-T76: if traffic was routing via the Mgmt interface, the No NAT rule would still work, but if traffic to the DNS/proxy servers was routing via an internal interface that belonged to that cluster/SMO object, the No NAT would no longer be applied. We overcame this challenge by manually defining No NAT rules for traffic originating from the cluster/SMO internal interface. This did not impact production traffic. It mainly impacted gateway traffic for IPS updates, etc.
Our Diamond Engineer confirmed a behaviour change was introduced in T76 to overcome a cluster hide NAT issue (I can't locate the PRJ/PRHF reference) where a cluster/SMO object was used in the Original Source in a Hide NAT rule. It looks like the use of a cluster/SMO object used in the Original Source of a No NAT rule also fell foul of this change.
I wondered if anyone else has configured their cluster/SMO No NAT rules in this way, and if you've also experienced this issue?
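Added illustration (not code from the original post, and not Check Point's own logic): a small Python model of first-match NAT rulebase evaluation that reproduces the symptom described above. It assumes, as a labelled simplification, that a cluster/SMO object used in Original Source expands to a set of addresses: every interface address in the pre-T76 model, only the main (Mgmt) address in the post-T76 model. The rule numbers 10 and 50 come from the post; all IP addresses and the workaround rule 11 are constructed. It is meant as a way to sanity-check which NAT rule a given gateway-originated flow would hit before and after adding the explicit interface No NAT rule.

```python
"""Model of first-match NAT rulebase evaluation (illustrative, not Check Point code).

Assumption: a cluster/SMO object in Original Source is represented by the set of
host addresses it expands to. Pre-T76 behaviour is modelled as "all interface
addresses"; post-T76 as "main/Mgmt address only". All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = None  # 'Any' in a NAT rule column


@dataclass
class NatRule:
    number: int
    name: str
    orig_src: Optional[List[IPv4Network]]   # None = Any
    orig_dst: Optional[List[IPv4Network]]   # None = Any
    translated_src: Optional[IPv4Address]   # None = Original (i.e. no NAT)

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        src_ok = self.orig_src is None or any(src in n for n in self.orig_src)
        dst_ok = self.orig_dst is None or any(dst in n for n in self.orig_dst)
        return src_ok and dst_ok


def first_match(rules: List[NatRule], src: IPv4Address, dst: IPv4Address) -> Optional[NatRule]:
    """NAT rulebase is first-match: the lowest-numbered matching rule wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src, dst):
            return rule
    return None


# Constructed sample topology (placeholder addresses, not from any real deployment)
CLUSTER_MGMT_IP = ip_address("192.0.2.10")     # main/Mgmt address of the cluster object
CLUSTER_INTERNAL_IP = ip_address("10.1.1.1")   # internal interface address of the cluster
PUBLIC_HIDE_IP = ip_address("203.0.113.5")     # public address used by the generic Hide NAT
DNS_SERVER = ip_address("10.2.2.53")           # internal DNS server reached via the internal interface


def host(addr: IPv4Address) -> IPv4Network:
    return ip_network(f"{addr}/32")


def cluster_object(expands_all_interfaces: bool) -> List[IPv4Network]:
    """How the cluster/SMO object expands when used in Original Source (assumption)."""
    if expands_all_interfaces:                      # modelled pre-T76 behaviour
        return [host(CLUSTER_MGMT_IP), host(CLUSTER_INTERNAL_IP)]
    return [host(CLUSTER_MGMT_IP)]                  # modelled post-T76 behaviour


def build_rulebase(post_t76: bool, with_workaround: bool) -> List[NatRule]:
    rules = [
        # Rule 10: cluster No NAT, Original Source = cluster object, everything else Original
        NatRule(10, "Cluster No NAT", cluster_object(not post_t76), ANY, None),
        # Rule 50: generic Hide NAT behind a public IP (no RFC1918-to-RFC1918 No NAT in this policy)
        NatRule(50, "Generic Hide NAT", None, ANY, PUBLIC_HIDE_IP),
    ]
    if with_workaround:
        # Constructed rule 11: explicit No NAT for traffic sourced from the internal interface address
        rules.append(NatRule(11, "Internal iface No NAT", [host(CLUSTER_INTERNAL_IP)], ANY, None))
    return rules


def rule_hit(post_t76: bool, with_workaround: bool,
             src: IPv4Address = CLUSTER_INTERNAL_IP, dst: IPv4Address = DNS_SERVER) -> Optional[int]:
    """Return the number of the NAT rule a gateway-originated flow hits, or None."""
    rule = first_match(build_rulebase(post_t76, with_workaround), src, dst)
    return rule.number if rule else None


if __name__ == "__main__":
    print("pre-T76, internal iface -> DNS:       rule", rule_hit(False, False))        # 10
    print("post-T76, internal iface -> DNS:      rule", rule_hit(True, False))         # 50 (hide NAT applied)
    print("post-T76 + workaround, internal:      rule", rule_hit(True, True))          # 11
    print("post-T76, Mgmt iface -> DNS:          rule", rule_hit(True, False, src=CLUSTER_MGMT_IP))  # 10
```

Running it shows the same pattern as the logs in the post: the internal-interface flow moves from rule 10 to rule 50 once the cluster object stops matching the internal address, and an explicit No NAT rule for that address (rule 11 here) puts it back on a No NAT match, while Mgmt-sourced traffic keeps hitting rule 10 throughout.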