Hi,
I am running R80.30 HFA 237 and have got a request from a customer to have access to some dynamic destinations customer.cdn.cloudflare.net . I have created a DNS FQDN object .customer.cdn.cloudflare.net. In the access rulebase I then have source host10.20.30.40 and destination .customer.cdn.cloudflare.net . It works as expected. But the issue is that I have to do (hide) NAT to a public IP 77.78.1.1 . Furthermore, that public IP is not directly on the gateway, but it is routed towards the gateway.
I am wondering how it might behave if I create as a source object host10.20.30.40_NAT with automatic NAT to 77.78.1.1 and use it in a rule to destination .customer.cdn.cloudflare.net . And in the rest of the access rulebase the "no NAT" object host10.20.30.40 will still be used.
Or, alternatively, I did not find how the NAT rulebase in R80.30 behaves: is it also column-based match or first match? In that case I might be able to create "no NAT" rules for the given source host in the NAT rulebase and at the very bottom add host10.20.30.40 to Internet with hide NAT 77.78.1.1 .
I am aware that dynamic objects in NAT are fixed in R81, but I cannot upgrade in the near future.
Thank you for any opinion or suggestion.