Usman Shaikh

Domain objects in NAT policy

Discussion created by Usman Shaikh on Oct 7, 2018
Latest reply on Oct 8, 2018 by Kaspars Zibarts

Hi Experts


We currently have a manual hide NAT in place for our internet traffic that translates our internal addresses to a publicly routable address on the external interface (call it eth1) of the firewall when accessing ALL Non-RFC addresses.

We now have a requirement to set up NAT for Azure Microsoft peering that uses a different outgoing interface (eth2) on the same firewall that is on a different public subnet (routing is already set up using BGP for MS prefixes to go out via eth2).

Since the destination in this case is dynamic Microsoft domains only, I was thinking along the lines of using Domain objects in order to avoid creating (and then managing) individual network objects that represent Microsoft IP prefixes. However, domain objects can only be used in access policy rules and not in NAT rules; therefore I am looking for the best possible way to achieve this.

(Additionally, I would like to use a pool of translated addresses and not have to use just the interface address, due to the limitation of 65k sessions.)

Deployment: VSX on R80.10


Desired rulebase

Rule         | Original Source   | Original Destination | Translated Source (example only) | Translated Destination
-------------|-------------------|----------------------|----------------------------------|-----------------------
             |                   |                      | (IP on eth1 subnet)              |
Azure-Access | Internal-Networks | <Microsoft Domains>  | (IP range on eth2 subnet)        | -