Using NAT Policies
A network address translation (NAT) policy determines how the system achieves routing with network address translation. You can configure one or more NAT policies, which you can then apply to one or more managed devices. Each device can have one currently applied policy.
You add NAT rules to a policy to control how the system handles network address translations. Each rule contains a set of conditions that identify the specific traffic you want to translate. You can create the following types of rules:
- static, which provide one-to-one translations on destination networks and optionally port and protocol
- dynamic IP, which translate many-to-many source networks, but maintain port and protocol
- dynamic IP and port, which translate many-to-one or many-to-many source networks and port and protocol
The system matches traffic to static translations before it evaluates any dynamic translation. It then matches traffic to dynamic NAT rules in order; the first rule that matches handles the traffic. See Organizing Rules in a NAT Policy for more information.
If you have access control policies in your deployment, the system does not translate traffic until it has passed through access control. Because access control is evaluated first, it sees the original, untranslated addresses and ports, so write access control rules against those values rather than the translated ones.
To configure and apply NAT policies on your appliances, you must have a Control license enabled on each of your target managed devices. Additionally, you can only apply NAT policies to Series 3 devices with configured virtual routers or hybrid interfaces.
After you have configured and deployed NAT policies, you can use the command line interface (CLI) for managed device targets to troubleshoot the deployment. The CLI displays three types of NAT information: configuration, rule definitions, and active translations. See Command Line Reference for more information.
See the following sections for more information on creating and managing NAT policies:
Planning and Implementing a NAT Policy
You can configure NAT policies in different ways to manage specific network needs. This section provides information for some of the ways you can deploy NAT policies.
You can configure NAT to expose an internal server to an external network. In this configuration, you define a static translation from an external IP address to an internal IP address so that hosts outside the network can reach the internal server. Traffic sent to the server targets the external IP address, or IP address and port, and is translated into the internal IP address, or IP address and port. Return traffic from the server is translated back to the external address. Because this translation exposes the server to every external source, pair it with access control rules that restrict which sources may reach it.
You can configure NAT to allow an internal host or server to connect to an external application. In this configuration, you define a static translation from an internal address to an external address. This definition allows the internal host or server to initiate a connection to an external application that is expecting the internal host or server to have a specific IP address and port. Therefore, the system cannot dynamically allocate the address of the internal host or server.
You can configure NAT to hide private network addresses from an external network by using a block of IP addresses. This becomes useful if you want to obscure your internal network addresses and have sufficient external IP addresses to satisfy your internal network needs. In this configuration, you create a dynamic translation that automatically converts the source IP address of any outgoing traffic to an unused IP address from your externally facing IP addresses.
You can configure NAT to hide private network addresses from an external network using a limited block of IP addresses and port translation. This becomes useful if you want to obscure your internal network addresses, but have an insufficient number of external IP addresses to satisfy your internal network needs. In this configuration, you create a dynamic translation that automatically converts the source IP address and port of outgoing traffic to an unused IP address and port from your externally facing IP addresses.
Configuring NAT Policies
To configure a NAT policy, you must give the policy a unique name and identify the devices, or targets , where you want to apply the policy. You can also add, edit, delete, enable, and disable NAT rules. After you create or modify a NAT policy, you can apply the policy to all or some targeted devices.
You can apply NAT policies to a device cluster, including clustered stacks, as you would a standalone device. However, you can define static NAT rules for interfaces on individual clustered devices or the entire cluster and use the interfaces in source zones. For dynamic rules, you can use only the interfaces on the entire cluster in source or destination zones.
If you configure dynamic NAT on a device cluster without HA link interfaces established, both clustered devices independently allocate dynamic NAT entries, and the system cannot synchronize the entries between devices. See Configuring HA Link Interfaces for more information.
You can apply NAT policies to a device stack as you would a standalone device. If you establish a device stack from devices that were already targets of a NAT policy, and that policy has rules that reference interfaces of the device that became the stack's secondary, those interfaces remain in the NAT policy. You can save and apply the policy with those interfaces, but the rules that use them do not translate any traffic. See Managing Stacked Devices for more information.
The following list summarizes the configuration actions you can take on the NAT policy Edit page:
- To change the policy name or description, click the Name or Description field, delete any characters as needed, then type the new name or description.
- To manage the devices targeted by the policy, see Managing NAT Policy Targets.
- To save and apply the policy, click Save and Apply. See Applying a NAT Policy for more information.
- To add a rule, click Add Rule. See Creating and Editing NAT Rules for more information.
- To edit a rule, click the edit icon ( ) next to the rule. See Creating and Editing NAT Rules for more information.
- To enable or disable a rule, right-click a selected rule, select State, then select Disable or Enable. Disabled rules are grayed out and marked as disabled.
- To display the configuration page for a specific rule attribute, click the name, value, or icon in the column for the condition on the row for the rule. For example, click the name or value in the Source Networks column to display the Source Network page for the selected rule. See Working with Different Types of Conditions in NAT Rules for more information.
Managing NAT Policy Targets
Before you can apply a NAT policy, you must identify the managed devices, including device stacks, clusters, or groups, where you want to apply the policy. You can identify the managed devices you want to target with your policy while creating or editing a policy. You can search a list of available devices, stacks, and clusters, and add them to a list of selected devices. You can also drag and drop selected devices, or add devices using the button between the two lists.
Note that you cannot target stacked devices running different versions of the FireSIGHT System (for example, if an upgrade on one of the devices fails). See Managing Stacked Devices for more information.
The following table summarizes the actions you can take when managing targeted devices.
The following procedure explains how to configure a NAT policy to manage targeted devices. See Editing a NAT Policy for the complete procedure for editing a NAT policy.
To manage targeted devices in a NAT policy:
Step 2 Click the edit icon ( ) next to the NAT policy you want to configure.
The NAT Policy Editor page appears.
Step 4 Optionally, click the Search prompt above the Available Devices list, then type a name.
The list updates as you type to display matching devices. You can click the clear icon ( ) to clear the list.
Step 5 Click the device, stack, cluster, or device group you want to add. Use Ctrl and Shift to select multiple devices.
Tip You can also right-click an available device, then click Select All.
Tip You can also drag and drop to add devices.
Step 7 Optionally, click the delete icon ( ) to delete a device from the list of selected devices; or, use the Ctrl and Shift keys to select multiple devices, right-click, then select Delete Selected .
Step 8 Click Save to save your configuration, or click Cancel to discard it.
Organizing Rules in a NAT Policy
The Edit page for the NAT policy lists static NAT rules and dynamic NAT rules separately. The system sorts static rules alphabetically by name, and you cannot change the display order. You cannot create static rules with identical matching values. The system inspects static translations for a match before it inspects any dynamic translations.
Dynamic rules are processed in numerical order. The numeric position of each dynamic rule appears on the left side of the page next to the rule. You can move or insert dynamic rules and otherwise change the rule order. For example, if you move dynamic rule 10 under dynamic rule 3, rule 10 becomes rule 4 and all subsequent numbers increment accordingly.
A dynamic rule’s position is important because the system compares packets to dynamic rules in the rules' numeric order on the policy Edit page. When a packet meets all the conditions of a dynamic rule, the system applies the conditions of that rule to the packet and ignores all subsequent rules for that packet.
Optionally, you can specify a dynamic rule’s numeric position when you add or edit a dynamic rule. You can also highlight a dynamic rule before adding a new dynamic rule to insert the new rule below the rule you highlighted. See Creating and Editing NAT Rules.
You can select one or more dynamic rules by clicking a blank space in the row for the rule. You can drag and drop selected dynamic rules into a new location, thereby changing the position of the rules you moved and all subsequent rules.
You can cut or copy selected rules and paste them above or below an existing rule. You can only paste static rules in the Static Translations list and only dynamic rules in the Dynamic Translations list. You can also delete selected rules and insert new rules into any location in the list of existing rules.
Note You can copy, but not cut static rules.
You can display explanatory warnings to identify rules that will never match because they are preempted by preceding rules.
If you have access control policies in your deployment, the system does not translate traffic until it has passed through access control.
The following list summarizes the actions you can take to organize your rules:
- To select one or more rules, click a blank area in the row for a rule. Use the Ctrl or Shift key to select multiple rules. Rules you select are highlighted.
- To clear all selected rules, click the reload icon ( ) on the lower right side of the page. To clear individual rules, click a blank area in a rule's row while holding the Ctrl key.
- To cut or copy selected rules, right-click a blank area in the row for a selected rule, then select Cut or Copy.
- To paste rules you have cut or copied, right-click a blank area in the row for the rule where you want to paste the selected rules, then select Paste above or Paste below.
- To move selected rules, drag and drop them beneath a new location, indicated by a horizontal blue line that appears above your pointer as you drag.
- To show warnings about rules that will never match, click Show Warnings; see Working with NAT Rule Warnings and Errors.
Working with NAT Rule Warnings and Errors
The conditions of a NAT rule may preempt a subsequent rule from matching traffic. Any type of rule condition can preempt a subsequent rule.
A rule also preempts an identical subsequent rule where all configured conditions are the same. A subsequent rule would not be preempted if any condition were different.
The following table summarizes the actions you can take to show and clear warnings.
If you create a rule that causes the NAT policy to fail upon apply, an error icon ( ) appears next to the rule. An error occurs if there is a conflict in the static rules, or if you edit a network object used in the policy that now makes the policy invalid. For example, an error occurs if you change a network object to use only IPv6 addresses and the rule that uses that object no longer has any valid networks where at least one network is required. Error icons appear automatically; you do not have to click Show Warnings .
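The ordering rules from Organizing Rules in a NAT Policy (static translations first, then dynamic rules in numeric order with the first match winning) and the preemption warning described above can be modelled in a few lines. The following Python is an added example, not code from the FireSIGHT System. The Packet, StaticRule and DynamicRule classes and their field names, the toy address-pool and port allocators, and the sample policy are all constructed for illustration; the sample reproduces the inbound static and outbound dynamic scenarios from Planning and Implementing a NAT Policy, with a catch-all port-translation rule mistakenly placed above a narrower address-pool rule.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str                          # "tcp" or "udp"
    sport: int
    dport: int
@dataclass(frozen=True)
class StaticRule:                       # one-to-one destination translation
    name: str
    orig_dst: str                       # single host address, required
    xlat_dst: str                       # single host address
    src_zones: Tuple[str, ...] = ()     # empty = any source zone
    proto: Optional[str] = None
    orig_dport: Optional[int] = None
    xlat_dport: Optional[int] = None
@dataclass(frozen=True)
class DynamicRule:                      # kind "ip" keeps the source port, "ip_port" rewrites it
    name: str
    kind: str
    orig_src: Tuple[str, ...]           # original source networks (CIDR), required
    xlat_src: Tuple[str, ...]           # translated source address pool, required
    src_zones: Tuple[str, ...] = ()
    dst_zones: Tuple[str, ...] = ()

def zones_covered(inner, outer) -> bool:
    """Every zone the later rule accepts is also accepted by the earlier rule."""
    return not outer or (bool(inner) and set(inner) <= set(outer))

def nets_covered(inner, outer) -> bool:
    """Every network of the later rule lies inside some network of the earlier rule."""
    outer_nets = [ip_network(o) for o in outer]
    return all(any(i.version == o.version and i.subnet_of(o) for o in outer_nets)
               for i in map(ip_network, inner))

def static_matches(r: StaticRule, p: Packet) -> bool:
    if r.src_zones and p.src_zone not in r.src_zones:
        return False
    if ip_address(p.dst) != ip_address(r.orig_dst):
        return False
    return r.orig_dport is None or (p.proto == r.proto and p.dport == r.orig_dport)

def dynamic_matches(r: DynamicRule, p: Packet) -> bool:
    return ((not r.src_zones or p.src_zone in r.src_zones)
            and (not r.dst_zones or p.dst_zone in r.dst_zones)
            and any(ip_address(p.src) in ip_network(n) for n in r.orig_src))

class NatPolicy:
    def __init__(self, static, dynamic):
        # Static rules go first; the editor sorts them by name and rejects duplicates.
        self.static = sorted(static, key=lambda r: r.name)
        self.dynamic = list(dynamic)          # list position = rule number
        self._pat_ports = count(1024)         # toy port allocator for "ip_port" rules
        self._pool_index = {}                 # toy round-robin allocator for "ip" rules

    def translate(self, p: Packet):
        """Return (rule name, translated packet), or None when no rule matches."""
        for r in self.static:
            if static_matches(r, p):
                dport = p.dport if r.xlat_dport is None else r.xlat_dport
                return r.name, replace(p, dst=r.xlat_dst, dport=dport)
        for r in self.dynamic:                # first match wins; later rules are ignored
            if dynamic_matches(r, p):
                i = self._pool_index.get(r.name, 0)
                self._pool_index[r.name] = i + 1
                sport = next(self._pat_ports) if r.kind == "ip_port" else p.sport
                return r.name, replace(p, src=r.xlat_src[i % len(r.xlat_src)], sport=sport)
        return None

    def warnings(self):
        """(earlier, later) name pairs where an earlier dynamic rule preempts a later one."""
        found = []
        for i, later in enumerate(self.dynamic):
            for earlier in self.dynamic[:i]:
                if (zones_covered(later.src_zones, earlier.src_zones)
                        and zones_covered(later.dst_zones, earlier.dst_zones)
                        and nets_covered(later.orig_src, earlier.orig_src)):
                    found.append((earlier.name, later.name))
                    break
        return found
# Constructed sample: a catch-all PAT rule placed above a narrower address-pool rule.
WEB = StaticRule("web-dmz", "203.0.113.10", "10.10.0.10", ("outside",), "tcp", 443, 8443)
LAN_PAT = DynamicRule("lan-pat", "ip_port", ("10.0.0.0/8",), ("203.0.113.5",),
                      ("inside",), ("outside",))
ENG_POOL = DynamicRule("eng-pool", "ip", ("10.20.0.0/16",),
                       ("203.0.113.20", "203.0.113.21"), ("inside",), ("outside",))

def sample_policy() -> NatPolicy:
    return NatPolicy([WEB], [LAN_PAT, ENG_POOL])     # rule 2 can never match
def sample_policy_fixed() -> NatPolicy:
    return NatPolicy([WEB], [ENG_POOL, LAN_PAT])     # narrower rule first
```

warnings() reports the condition the Show Warnings button flags: a later dynamic rule whose zones and source networks are all covered by an earlier rule. In sample_policy the engineering pool rule is dead and engineering hosts are port-translated through the shared address; moving the narrower rule above the catch-all, as in sample_policy_fixed, clears the warning and lets those hosts keep their source ports.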
Managing NAT Policies
On the NAT policy page ( Devices > NAT ), you can view all your current NAT policies by name with optional description and the following status information:
- up to date, shown in green text, when the policy applied to the targeted devices matches the saved policy
- out of date, shown in red text, when the saved policy has changed since it was applied to one or more targeted devices
Options on this page allow you to compare policies, create a new policy, apply a policy to targeted devices, copy a policy, view a report that lists all of the most recently saved settings in each policy, and edit a policy.
Note After you have applied a NAT policy to a managed device, you cannot delete the policy, even if it is out of date. Instead, you must apply a NAT policy with no rules to remove the applied NAT rules from the managed device.
The following list describes the actions you can take to manage your policies on the NAT policy page:
- To create a new policy, click New Policy. See Creating a NAT Policy for more information.
- To edit a policy, click the edit icon ( ). See Editing a NAT Policy for more information.
- To apply a policy to its targeted devices, click the policy apply icon ( ). See Applying a NAT Policy for more information.
- To copy a policy, click the copy icon ( ). See Copying a NAT Policy for more information.
- To view a PDF report that lists the current configuration settings in a NAT policy, click the report icon ( ). See Viewing a NAT Policy Report for more information.
- To compare two policies, click Compare Policies. See Comparing Two NAT Policies for more information.
- To delete a policy, click the delete icon ( ), then click OK, or click Cancel if you decide not to delete the policy. When prompted whether to continue, you are also informed if another user has unsaved changes in the policy.
Note After you have applied a NAT policy to a managed device, you cannot delete the policy from the device. Instead, you must apply a NAT policy with no rules to remove the applied NAT rules from the managed device. You also cannot delete a policy that is the last applied policy on any of its target devices, even if it is out of date. Before you can delete the policy completely, you must apply a different policy to those targets.
Creating a NAT Policy
When you create a new NAT policy you must, at minimum, give it a unique name. Although you are not required to identify policy targets at policy creation time, you must perform this step before you can apply the policy; see Managing NAT Policy Targets. If you apply a NAT policy with no rules to a device, the system removes all NAT rules from that device.
The New NAT Policy pop-up window appears.
Step 3 Give the policy a unique Name and, optionally, a Description .
You can use all printable characters, including spaces and special characters.
Step 4 Select the Available Devices where you want to apply the policy.
Use Ctrl and Shift to select multiple devices, or right-click to Select All . To narrow the devices that appear, type a search string in the Search field. To clear the search, click the clear icon ( ).
Step 5 Add the Selected Devices . You can click and drag, or you can click Add to Policy .
The NAT policy Edit page appears. For information on configuring your new policy, including adding rules, see Editing a NAT Policy. Note that you must apply the policy for it to take effect; see Applying a NAT Policy.
Editing a NAT Policy
On the NAT policy Edit page, you can configure your policy. See Configuring NAT Policies for more information.
When you change your configuration, a message indicates that you have unsaved changes. To retain your changes, you must save the policy before exiting the NAT policy Edit page. If you attempt to exit the policy Edit page without saving your changes, you are cautioned that you have unsaved changes; you can then discard your changes and exit the policy, or return to the policy Edit page.
To protect the privacy of your session, after 60 minutes of inactivity on the policy Edit page, changes to your policy are discarded and you are returned to the NAT page. After the first 30 minutes of inactivity, a message appears and updates periodically to provide the number of minutes remaining before changes are discarded. Any activity on the page resets the timer.
When you attempt to edit the same policy in two browser windows, you are prompted whether to resume your edit in the new window, discard your changes in the original window and continue editing in the new window, or cancel the second window and return to the policy Edit page.
When multiple users edit the same policy concurrently, a message for each user on the policy Edit page identifies other users who have unsaved changes. Any user who attempts to save changes is cautioned that saving changes will overwrite changes by other users. When multiple users save the same policy, the last saved changes are retained.
If you change the type of an interface to a type that is not valid for use with a NAT policy that targets a device with that interface, the policy labels the interface as deleted. Click Save in the NAT policy to automatically remove the interface from the policy.
Step 2 Click the edit icon ( ) next to the NAT policy you want to configure.
The NAT policy Edit page appears.
Step 3 To configure your policy, take any of the actions described in Configuring NAT Policies.
Step 4 Save or discard your configuration. You have the following choices:
- To save your changes and continue editing, click Save.
- To save your changes and apply your policy, click Save and Apply . See Applying a NAT Policy.
- To discard your changes, leave the policy Edit page without saving. Your changes are discarded and the NAT page appears.
You must apply your policy to put your changes into effect.
Copying a NAT Policy
You can copy and rename a NAT policy. A policy you copy includes all policy rules and configurations.
Step 2 Click the copy icon ( ) next to the NAT policy you want to copy.
The Copy NAT Policy pop-up window appears.
Step 3 Enter a unique policy Name .
You can use any printable characters, including spaces and special characters.
Your copy appears on the NAT page in alphabetical order by name.
Viewing a NAT Policy Report
A NAT policy report is a record of the policy and rules configuration at a specific point in time. You can use the report for auditing purposes or to inspect the current configuration.
Tip You can also generate a NAT comparison report that compares a policy with the currently applied policy or with another policy. For more information, see Comparing Two NAT Policies.
A NAT policy report contains the following sections:
- Title page: identifies the name of the policy report, the date and time the policy was last modified, and the name of the user who last modified it.
- Policy information: provides the name and description of the policy, the name of the user who last modified the policy, and the date and time the policy was last modified. See Editing a NAT Policy.
- Device targets: lists the managed devices targeted by the policy. See Managing NAT Policy Targets.
- Rules: provides the rule type and conditions for each rule in the policy. See Creating and Editing NAT Rules.
- Referenced objects: provides the name and configuration of all individual objects and group objects used in the policy, by type of condition (Zones, Networks, and Ports) where the object is configured.
Step 2 Click the report icon ( ) next to the policy for which you want to generate a report. Remember to save any changes before you generate a NAT policy report; only saved changes appear in the report.
The system generates the report. Depending on your browser settings, the report may appear in a pop-up window, or you may be prompted to save the report to your computer.
Comparing Two NAT Policies
To review policy changes, you can examine the differences between two NAT policies. You can compare any two policies or the currently applied policy with another policy. Optionally, after you compare, you can then generate a PDF report to record the differences between the two policies.
There are two tools you can use to compare policies:
- The comparison view displays only the differences between two policies in a side-by-side format. The name of each policy appears in the title bar on the left and right sides of the comparison view except when you select Running Configuration , in which case a blank bar represents the currently active policy.
You can use this to view and navigate both policies on the web interface, with their differences highlighted.
- The comparison report creates a record of only the differences between two policies in a format similar to the policy report, but in PDF format.
You can use this to save, copy, print, and share your policy comparisons for further examination.
For more information on understanding and using policy comparison tools, see the following sections:
Using the NAT Policy Comparison View
The comparison view displays both policies in a side-by-side format, with each policy identified by name in the title bar on the left and right sides of the comparison view. When comparing two policies other than the running configuration, the time of last modification and the last user to modify are displayed with the policy name.
Differences between the two policies are highlighted:
- Blue indicates that the highlighted setting is different in the two policies, and the difference is noted in red text.
- Green indicates that the highlighted setting appears in one policy but not the other.
You can perform any of the following actions in the comparison view:
- To navigate individually through changes, click Previous or Next above the title bar. The double-arrow icon ( ) centered between the left and right sides moves, and the Difference number adjusts to identify which difference you are viewing.
- To start a new comparison, use the Select Comparison window to choose the policies to compare. See Using the NAT Policy Comparison Report for more information.
- To generate the policy comparison report, click Comparison Report. The report is a PDF document that lists only the differences between the two policies.
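The two kinds of difference the comparison view highlights (a setting that exists in both policies but differs, and an item that exists in only one of them) map directly onto a small diff routine, which is useful when you want to review policy changes outside the web interface. The following Python is an added example, not FireSIGHT code and not the format of its PDF report; the dictionary layout of a policy, the rule setting names, and the two constructed policies SAVED and REVISED are assumptions made for illustration.

```python
def compare_policies(policy_a, policy_b):
    """Differences between two policies as (location, kind, a_value, b_value) tuples.

    "changed": the setting exists in both policies but differs (blue highlight, red text).
    "only_in_a" / "only_in_b": the item exists in one policy only (green highlight).
    """
    diffs = []
    if policy_a.get("description") != policy_b.get("description"):
        diffs.append(("description", "changed",
                      policy_a.get("description"), policy_b.get("description")))
    targets_a, targets_b = set(policy_a.get("targets", ())), set(policy_b.get("targets", ()))
    for dev in sorted(targets_a ^ targets_b):          # targets present on one side only
        if dev in targets_a:
            diffs.append((f"target {dev}", "only_in_a", dev, None))
        else:
            diffs.append((f"target {dev}", "only_in_b", None, dev))
    rules_a, rules_b = policy_a.get("rules", {}), policy_b.get("rules", {})
    for name in sorted(set(rules_a) | set(rules_b)):   # rules are keyed by unique name
        if name not in rules_b:
            diffs.append((f"rule {name}", "only_in_a", rules_a[name], None))
        elif name not in rules_a:
            diffs.append((f"rule {name}", "only_in_b", None, rules_b[name]))
        else:                                          # same rule, compare each setting
            for setting in sorted(set(rules_a[name]) | set(rules_b[name])):
                a, b = rules_a[name].get(setting), rules_b[name].get(setting)
                if a != b:
                    diffs.append((f"rule {name}/{setting}", "changed", a, b))
    return diffs

def comparison_report(name_a, name_b, diffs):
    """Plain-text stand-in for the PDF comparison report: only the differences."""
    lines = [f"Differences between {name_a} and {name_b}: {len(diffs)}"]
    for loc, kind, a, b in diffs:
        lines.append(f"  {loc}: {kind} A={a!r} B={b!r}")
    return "\n".join(lines)

# Constructed policies: the saved policy and a revision that changes a translated
# port, drops one rule, adds another and adds a second target device.
SAVED = {"description": "DMZ NAT", "targets": ["fw-edge-1"], "rules": {
    "web-dmz": {"type": "static", "orig_dst": "203.0.113.10",
                "xlat_dst": "10.10.0.10", "xlat_dport": 8443},
    "lan-pat": {"type": "dynamic_ip_port", "orig_src": "10.0.0.0/8",
                "xlat_src": "203.0.113.5"}}}
REVISED = {"description": "DMZ NAT", "targets": ["fw-edge-1", "fw-edge-2"], "rules": {
    "web-dmz": {"type": "static", "orig_dst": "203.0.113.10",
                "xlat_dst": "10.10.0.10", "xlat_dport": 443},
    "eng-pool": {"type": "dynamic_ip", "orig_src": "10.20.0.0/16",
                 "xlat_src": "203.0.113.20"}}}
```

Rules are matched by name, so a renamed rule shows up as one removal and one addition rather than a change, which is how the view treats it as well.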
Using the NAT Policy Comparison Report
A NAT policy comparison report is a record of all differences between two NAT policies or a policy and the currently applied policy identified by the policy comparison view, presented in PDF format. You can use this report to further examine the differences between two policy configurations and to save and disseminate your findings.
You can generate a NAT policy comparison report from the comparison view for any policies to which you have access. Remember to save any changes before you generate a policy report; only saved changes appear in the report.
The format of the policy comparison report is the same as the policy report, with one exception: the policy report contains all configurations in the policy, while the policy comparison report lists only those configurations that differ between the policies. A NAT policy comparison report contains the sections described in the NAT Policy Report Sections table.
Step 2 Click Compare Policies .
The Select Comparison window appears.
Step 3 From the Compare Against drop-down list, select the type of comparison you want to make:
- If you compare two different policies, the page refreshes and the Policy A and Policy B drop-down lists appear.
- If you compare two revisions of the same policy, the page refreshes and the Policy, Revision A, and Revision B drop-down lists appear.
- If you compare the running configuration with another policy, the page refreshes and the Target/Running Configuration A and Policy B drop-down lists appear.
Step 4 Depending on the comparison type you selected, you have the following choices:
- If you are comparing two different policies, select the policies you want to compare from the Policy A and Policy B drop-down lists.
- If you are comparing two different revisions, select the policy, then select the revisions you want to compare from the Revision A and Revision B drop-down lists.
- If you are comparing the running configuration to another policy, select the second policy from the Policy B drop-down list.
Step 5 Click OK to display the policy comparison view.
Step 6 Optionally, click Comparison Report to generate the NAT policy comparison report.
The NAT policy comparison report appears. Depending on your browser settings, the report may appear in a pop-up window, or you may be prompted to save the report to your computer.
Applying a NAT Policy
After making any changes to a NAT policy, you must apply the policy to one or more devices to implement the configuration changes on the networks monitored by the devices. You must target devices where you want to apply the policy before you can apply the policy. See Managing NAT Policy Targets.
Keep the following points in mind when applying NAT policies:
- You can configure and maintain multiple NAT policies on a Defense Center, but only one policy can be applied to a device at a time.
- You can apply different NAT policies to different devices, even when each of those devices is a target of more than one policy.
- You cannot apply a NAT policy to stacked devices running different versions of the FireSIGHT System (for example, if an upgrade on one of the devices fails). See Managing Stacked Devices for more information.
- You cannot apply a new NAT policy with a policy apply already pending.
- If you apply a device configuration that affects the interfaces in a NAT policy, the system reapplies the NAT policy on the device, including the interface changes. However, the policy remains unchanged on the Defense Center, and the affected interface displays an error icon ( ) in the policy.
Note Applying an empty NAT policy removes all NAT rules from a device.
See the following sections for more information:
- Applying a Complete NAT Policy explains how to use the quick-apply option to apply the NAT policy.
- Applying Selected Policy Configurations explains how to select and apply configurations within the NAT policy.
Applying a Complete NAT Policy
You can apply a NAT policy at any time. Applying a NAT policy also applies any associated rule configurations, objects, and policy changes to the devices targeted by the policy. A pop-up window allows you to apply all changes together as a single quick-apply action.
To quick-apply a complete NAT policy:
Step 2 Click the apply icon ( ) next to the policy you want to apply.
The Apply NAT Rules pop-up window appears.
Alternatively, you can click Save and Apply on the policy Edit page; see Editing a NAT Policy.
Your policy apply task is queued. Click OK to return to the NAT page.
Tip You can monitor the progress of the policy apply task on the Task Status page (System > Monitoring > Task Status).
Applying Selected Policy Configurations
You can use the detailed policy apply page to apply changes to your NAT policy and to any designated targeted devices. The detailed page lists each device targeted by the policy and provides a column for the NAT policy by device. You can specify whether to apply changes to a NAT policy for each targeted device that is out of date.
To apply selected NAT policy configurations:
Step 2 Click the apply icon ( ) next to the policy you want to apply.
The Apply NAT Rules pop-up window appears.
Alternatively, you can click Save and Apply on the policy Edit page; see Editing a NAT Policy.
The detailed Apply NAT Rules pop-up window appears.
Tip You can also open the pop-up window from the NAT page (Devices > NAT) by clicking on an out-of-date message in the Status column for the policy.
Step 4 Select or clear the NAT policy check box next to the device name to specify whether to apply the NAT policy to a targeted device.
Step 5 Click Apply Selected Configurations .
Your policy apply task is queued. Click OK to return to the NAT page.
Tip You can monitor the progress of the policy apply task on the Task Status page (System > Monitoring > Task Status).
Creating and Editing NAT Rules
A NAT rule is a set of configurations and conditions that identify the specific traffic you want to translate and determine how the system translates it.
You create and edit NAT rules from within an existing NAT policy. Each rule belongs to only one policy.
The web interface for adding or editing a rule is similar. You specify the rule name, state, type, and position (if dynamic) at the top of the page. You build conditions using the tabs on the left side of the page; each condition type has its own tab.
The following list summarizes the configurable components of a NAT rule.
Give each rule a unique name. For static NAT rules, use a maximum of 22 characters. For dynamic NAT rules, use a maximum of 30 characters. You can use printable characters, including spaces and special characters, with the exception of the colon (:).
By default, rules are enabled. If you disable a rule, the system does not use it to evaluate network traffic for translation. When viewing the list of rules in a NAT policy, disabled rules are grayed out, although you can still modify them.
A rule’s type determines how the system handles traffic that matches the rule’s conditions. When you create and edit NAT rules, the configurable components vary according to rule type.
For detailed information on rule types and how they affect translation and traffic flow, see Understanding NAT Rule Types.
Dynamic rules in a NAT policy are numbered, starting at 1. The system matches traffic to NAT rules in top-down order by ascending rule number.
When you add a rule to a policy, you specify its position by placing it above or below a specific rule, using rule numbers as a reference point. When editing an existing rule, you can Move the rule in a similar fashion. For more information, see Organizing Rules in a NAT Policy.
Rule conditions identify the specific traffic you want to translate. Conditions can match traffic by any combination of multiple attributes, including security zone, network, and transport protocol port.
For detailed information on adding conditions, see Understanding NAT Rule Conditions and Condition Mechanics and Working with Different Types of Conditions in NAT Rules.
Step 2 Click the edit icon ( ) next to the NAT policy where you want to add a rule.
The NAT policy Edit page appears.
Step 3 Add a new rule or edit an existing rule:
- Click the edit icon ( ) next to the rule you want to edit.
Either the Add Rule or the Editing Rule page appears.
Tip You can use the right-click context menu to perform many rule creation and management actions; see Using the Context Menu. You can also drag and drop rules to change their order.
Step 4 Configure the rule components, as described earlier in this section. You can configure the following, or accept the defaults:
Static rules must include an original destination network.
Dynamic rules must include a translated source network.
Your changes are saved. You must apply the NAT policy for your changes to take effect; see Applying a NAT Policy.
Understanding NAT Rule Types
Every NAT rule has an associated type that:
The following list summarizes the NAT rule types.
Static rules provide one-to-one translations on destination networks and optionally port and protocol. When configuring static translations, you can configure source zones, destination networks, and destination ports. You cannot configure destination zones or source networks.
You must specify an original destination network. For destination networks, you can only select network objects and groups containing a single IP address or enter literal IP addresses that represent a single IP address. You can only specify a single original destination network and a single translated destination network.
Optionally, you can specify a single original destination port and a single translated destination port. You must specify an original destination network before you can specify an original destination port. In addition, you cannot specify a translated destination port unless you also specify an original destination port, and the translated value must match the protocol of the original value.
Dynamic IP Only rules translate many-to-many source networks, but maintain port and protocol. When configuring dynamic IP only translations, you can configure zones, source networks, original destination networks, and original destination ports. You cannot configure translated destination networks or translated destination ports.
You must specify at least one translated source network. If the number of translated source network values is less than the number of original source networks, the system displays a warning on the rule that it is possible to run out of translated addresses before all original addresses are matched.
If there are multiple rules with conditions that match the same packet, the lower-priority rules become dead, meaning they can never be triggered. The system also displays warnings for dead rules. You can view tooltips to determine which rule supersedes the dead rule.
Note You can save and apply policies with dead rules, but the rules cannot provide any translation.
In some instances, you may want to create rules with limited scope preceding rules with a broader scope. For example:
In this example, rule 1 matches some packets that also match rule 2. Therefore, rule 2 is not completely dead.
Optionally, you can specify only original destination ports. You cannot specify translated destination ports.
Dynamic IP and port rules translate many-to-one or many-to-many source networks and port and protocol. When configuring dynamic IP and port translations, you can configure zones, source networks, original destination networks, and original destination ports. You cannot configure translated destination networks or translated destination ports.
You must specify at least one translated source network. If there are multiple rules with conditions that match the same packet, the lower-priority rules become dead, meaning they can never be triggered. The system also displays warnings for dead rules. You can view tooltips to determine which rule supersedes the dead rule.
Note You can save and apply policies with dead rules, but the rules cannot provide any translation.
Optionally, you can specify only original destination ports. You cannot specify translated destination ports.
Note If you create a dynamic IP and port rule, and the system passes traffic that does not use a port, no translation occurs for the traffic. For example, a ping (ICMP) from an IP address that matches the source network does not map, because ICMP does not use a port.
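The dead-rule warning, the undersized-pool warning and the port-less traffic caveat described above can be modelled in a few dozen lines. The following Python is an added example, not FireSIGHT code or its data model: the NatRule and Packet classes, the check_policy and first_match functions, the "ip_only" and "ip_and_port" type labels and the sample policy are all constructed for this illustration. It treats a rule as dead when an earlier enabled rule's conditions cover every packet the later rule could match, and compares address counts for the pool warning.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example, not FireSIGHT code: a model of the dynamic-rule behaviour described
# above (top-down matching, dead rules, the undersized-pool warning, port-less traffic
# under a dynamic IP and port rule). All names here are assumptions for illustration.

def _nets(values):
    return [ipaddress.ip_network(v, strict=False) for v in values]  # empty -> 'any'

@dataclass
class NatRule:
    name: str
    rule_type: str                                       # "ip_only" or "ip_and_port"
    src_zones: frozenset = frozenset()                   # empty -> any source zone
    dst_zones: frozenset = frozenset()                   # empty -> any destination zone
    original_src: list = field(default_factory=list)     # empty -> any source address
    translated_src: list = field(default_factory=list)   # required: at least one value
    original_dst: list = field(default_factory=list)     # empty -> any destination address
    original_dst_ports: frozenset = frozenset()          # empty -> any destination port
    enabled: bool = True                                 # disabled rules are skipped

    def __post_init__(self):
        if not self.translated_src:
            raise ValueError(f"{self.name}: a dynamic rule needs a translated source network")
        self.original_src, self.translated_src, self.original_dst = map(
            _nets, (self.original_src, self.translated_src, self.original_dst))

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    dst_port: Optional[int] = None   # None for ICMP and other traffic without a port

def _in_any(addr, nets):
    return not nets or any(addr in n for n in nets)

def matches(rule: NatRule, pkt: Packet) -> bool:
    """An empty condition list matches anything, as the page states for zones and networks."""
    return (rule.enabled
            and (not rule.src_zones or pkt.src_zone in rule.src_zones)
            and (not rule.dst_zones or pkt.dst_zone in rule.dst_zones)
            and _in_any(ipaddress.ip_address(pkt.src), rule.original_src)
            and _in_any(ipaddress.ip_address(pkt.dst), rule.original_dst)
            and (not rule.original_dst_ports or pkt.dst_port in rule.original_dst_ports))

def first_match(policy, pkt: Packet) -> Optional[str]:
    """Rules are evaluated top-down by number; returns the translating rule's name or None."""
    for rule in policy:
        if matches(rule, pkt):
            # A dynamic IP and port rule translates port and protocol, so traffic that
            # carries no port (ICMP, for example) is passed without translation.
            if rule.rule_type == "ip_and_port" and pkt.dst_port is None:
                return None
            return rule.name
    return None

def _covers_set(wide, narrow):
    return not wide or (bool(narrow) and narrow <= wide)   # every value of narrow allowed by wide

def _covers_nets(wide, narrow):
    return not wide or (bool(narrow) and all(
        any(n.version == w.version and n.subnet_of(w) for w in wide) for n in narrow))

def shadows(earlier: NatRule, later: NatRule) -> bool:
    """True when `earlier` matches every packet `later` could match, so `later` is dead."""
    return (earlier.enabled
            and _covers_set(earlier.src_zones, later.src_zones)
            and _covers_set(earlier.dst_zones, later.dst_zones)
            and _covers_nets(earlier.original_src, later.original_src)
            and _covers_nets(earlier.original_dst, later.original_dst)
            and _covers_set(earlier.original_dst_ports, later.original_dst_ports))

def check_policy(policy) -> list:
    """The two warnings the page describes: dead rules and undersized translated pools."""
    warnings = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if shadows(earlier, rule):
                warnings.append(f"{rule.name}: dead, superseded by {earlier.name}")
                break
        if rule.rule_type == "ip_only" and rule.original_src:
            orig = sum(n.num_addresses for n in rule.original_src)
            pool = sum(n.num_addresses for n in rule.translated_src)
            if pool < orig:
                warnings.append(f"{rule.name}: translated pool ({pool}) smaller than original addresses ({orig})")
    return warnings

# Constructed sample policy: a narrow rule above a broad one (allowed), then a rule the broad one covers.
POLICY = [
    NatRule("branch-servers", "ip_only", src_zones=frozenset({"inside"}),
            original_src=["10.1.1.0/24"], translated_src=["203.0.113.0/28"]),
    NatRule("all-inside", "ip_and_port", src_zones=frozenset({"inside"}),
            original_src=["10.0.0.0/8"], translated_src=["203.0.113.100/32"]),
    NatRule("shadowed", "ip_only", src_zones=frozenset({"inside"}),
            original_src=["10.2.0.0/16"], translated_src=["203.0.113.16/28"]),
]
```

The sample policy reproduces the page's point about limited-scope rules preceding broad ones: branch-servers sits above all-inside without making it dead, because all-inside still catches sources outside 10.1.1.0/24, whereas shadowed is covered entirely and check_policy reports it as dead. check_policy also warns that the translated pools of branch-servers and shadowed are smaller than their original networks, and first_match returns None for a port-less packet that lands on the dynamic IP and port rule while the same packet from 10.1.1.0/24 is translated by the IP-only rule.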
The following table summarizes the NAT rule condition types that can be configured based on the specified NAT rule type:
Understanding NAT Rule Conditions and Condition Mechanics
You can add conditions to NAT rules to identify the type of traffic that matches the rule. For each condition type, you select conditions you want to add to a rule from a list of available conditions. When applicable, condition filters allow you to constrain available conditions. Lists of available and selected conditions may be as short as a single condition or many pages long. You can search available conditions and display only those matching a typed name or value in a list that updates as you type.
Depending on the type of condition, lists of available conditions may be comprised of a combination of conditions provided directly by Cisco or configured using other FireSIGHT System features, including objects created using the object manager ( Objects > Object Management ), objects created directly from individual conditions pages, and literal conditions.
See the following sections for information on specifying rule conditions:
- Understanding NAT Rule Conditions defines the different types of rule conditions.
- Adding Conditions to NAT Rules describes the controls used to select and add rule conditions.
- Searching NAT Rule Condition Lists explains how to search available conditions and display only those matching a typed name or value in a list that updates as you type.
- Adding Literal Conditions to NAT Rules explains how to add literal conditions to a rule.
- Using Objects in NAT Rule Conditions explains how to add individual objects to the system from the configuration pages for relevant condition types.
Understanding NAT Rule Conditions
You can set a NAT rule to match traffic meeting any of the conditions described in the following table:
| Condition | Description |
|---|---|
| Zone | A configuration of one or more routed interfaces where you can apply NAT policies. Zones provide a mechanism for classifying traffic on source and destination interfaces, and you can add source and destination zone conditions to rules. See Working with Security Zones for information on creating zones using the object manager. |
| Network | Any combination of individual IP addresses, CIDR blocks, and prefix lengths, either specified explicitly or using network objects and groups (see Working with Network Objects). You can add source and destination network conditions to NAT rules. |
| Port | Transport protocol ports, including individual and group port objects you create based on transport protocols. See Working with Port Objects for information on creating individual and group transport protocol objects using the object manager. |
Adding Conditions to NAT Rules
Adding conditions to NAT rules is essentially the same for each type of condition. You select from a list of available conditions on the left, and add the selected conditions to one or two lists of selected conditions on the right.
For all condition types, you select one or more individual available conditions by clicking on them to highlight them. You can either click a button between the two types of lists to add available conditions that you select to your lists of selected conditions, or drag and drop available conditions that you select into the list of selected conditions.
You can add up to 50 conditions of each type to a list of selected conditions. For example, you can add up to 50 source zone conditions, up to 50 destination zone conditions, up to 50 source network conditions, and so on, until you reach the upper limit for the appliance.
The following table describes the actions you can take to select and add conditions to a rule.
| To... | You can... |
|---|---|
| select available conditions to add to a list of selected conditions | click the available condition; use the Ctrl and Shift keys to select multiple conditions. |
| | right-click the row for any available condition, then click Select All. |
| | click inside the Search field and type a search string. See Searching NAT Rule Condition Lists for more information. |
| clear a search when searching available conditions or filters | click the reload icon ( ) above the Search field or the clear icon ( ) in the Search field. |
| add selected zone conditions from a list of available conditions to a list of selected source or destination conditions | click Add to Source or Add to Destination. See Adding Zone Conditions to NAT Rules for more information. |
| add selected network and port conditions from a list of available conditions to a list of selected original or translated conditions | click Add to Original or Add to Translated. See Adding Source Network Conditions to Dynamic NAT Rules, Adding Destination Network Conditions to NAT Rules, or Adding Port Conditions to NAT Rules for more information. |
| drag and drop selected available conditions into a list of selected conditions | click a selected condition, then drag and drop into the list of selected conditions. |
| add a literal condition to a list of selected conditions using a literal field | click to remove the prompt from the literal field, type the literal condition, then click Add. Network conditions provide a field for adding literal conditions. |
| add a literal condition to a list of selected conditions using a drop-down list | select a condition from the drop-down list, then click Add. Port conditions provide a drop-down list for adding literal conditions. See Adding Port Conditions to NAT Rules for more information. |
| add an individual object or condition filter so you can then select it from the list of available conditions | click the add icon ( ). See Managing Reusable Objects for information on adding objects using the object manager. |
| delete a single condition from a list of selected conditions | right-click to highlight the row for a selected condition, then click Delete. |
| delete multiple conditions from a list of selected conditions | use the Shift and Ctrl keys to select multiple conditions, or right-click and Select All; next, right-click to highlight the row for a selected condition, then click Delete Selected. |
On the relevant condition page, and also on the policy Edit page, you can hover your pointer over an individual object to display the contents of the object, and over a group object to display the number of individual objects in the group.
The following basic procedure explains how to add conditions to a new rule. See Creating and Editing NAT Rules for complete instructions on adding and modifying rules.
To add available conditions to a list of selected conditions:
Step 2 Click the edit icon ( ) next to the NAT policy you want to modify.
Step 4 Click the tab for the type of condition you want to add to the rule.
The conditions page appears for the type of condition you selected.
Step 5 Take any of the available actions in the Adding Conditions to NAT Rules table.
Step 6 Click Add to save your configuration.
Your rule is added and the policy Edit page appears.
Searching NAT Rule Condition Lists
You can filter a list of available NAT rule conditions to limit the number of items displayed in the list. The list updates as you type to display matching items.
Optionally, you can search on object names and on the values configured for objects. For example, if you have an individual network object named Texas Office with the configured value 192.168.3.0/24, and the object is included in the group object US Offices, you can display both objects by typing a partial or complete search string such as Tex, or by typing a value such as 3.
The following basic procedure explains how to filter a list in a new rule. See Creating and Editing NAT Rules for complete instructions on adding and modifying rules.
To search a list of available conditions:
Step 2 Click the edit icon ( ) next to the NAT policy you want to modify.
Step 4 To search a list, click inside the search field to clear the prompt, then type a search string.
The list updates as you type to display matching items and a clear list icon ( ) appears in the search field. The list updates and no items are listed when none match the search string.
Step 5 Optionally, click the reload icon ( ) above the Search field or click the clear icon ( ) in the Search field to clear the search string.
Step 6 Click Add to save your configuration.
Your rule is added and the policy Edit page appears.
Adding Literal Conditions to NAT Rules
You can add a literal value to the list of original and translated conditions for the following condition types:
For network conditions, you type the literal value in a configuration field below the list of original or translated conditions.
In the case of port conditions, you select a protocol from a drop-down list. When the protocol is All and, optionally, when the protocol is TCP or UDP, you type a port number in a configuration field.
Each relevant conditions page provides the controls needed to add literal values. Values you type in a configuration field appear as red text if the value is invalid, or until it is recognized as valid. Typed values change to blue text as you type when they are recognized as valid. A grayed Add button activates when a valid value is recognized. Literal values you add appear immediately in the list of selected conditions.
See the following sections for specific details on adding each type of literal value:
Using Objects in NAT Rule Conditions
Objects that you create in the object manager ( Objects > Object Management ) are immediately available for you to select from relevant lists of available NAT rule conditions. See Managing Reusable Objects for information.
You can also create objects on-the-fly from the NAT policy. A control on relevant conditions pages provides access to the same configuration controls that you use in the object manager.
Individual objects created on-the-fly appear immediately in the list of available objects. You can add them to the current rule, and to other existing and future rules. On the relevant conditions page, and also on the policy Edit page, you can hover your pointer over an individual object to display the contents of the object, and over a group object to display the number of individual objects in the group.
Working with Different Types of Conditions in NAT Rules
You can match traffic with one or more rule conditions. See the following sections for more information:
- Adding Zone Conditions to NAT Rules explains how to match traffic by security zones that you create using the object manager.
- Adding Source Network Conditions to Dynamic NAT Rules and Adding Destination Network Conditions to NAT Rules explain how to match traffic by IP address or address block.
- Adding Port Conditions to NAT Rules explains how to match traffic by specified transport protocol ports.
Adding Zone Conditions to NAT Rules
The security zones on your system consist of interfaces on your managed devices. Zones that you add to a NAT rule target the rule to devices on your network that have routed or hybrid interfaces in those zones. You can only add security zones with routed or hybrid interfaces as conditions for NAT rules. See Working with Security Zones for information on creating security zones using the object manager.
You can add either zones or standalone interfaces that are currently assigned to a virtual router to NAT rules. If there are devices with unapplied device configurations, the Zones page displays a warning icon ( ) at the top of the available zones list, indicating that only applied zones and interfaces are displayed. You can click the arrow icon ( ) next to a zone to collapse or expand the zone to hide or view its interfaces.
If an interface is on a clustered device, the available zones list displays an additional branch from that interface with the other interfaces in the cluster as children of the primary interface on the active device in the cluster. You can also click the arrow icon ( ) to collapse or expand the clustered device interfaces to hide or view its interfaces.
Note You can save and apply policies with disabled interfaces, but the rules cannot provide any translation until the interfaces are enabled.
The two lists on the right are the source and destination zones used for matching purposes by the NAT rules. If the rule already has values configured, these lists display the existing values when you edit the rule. If the source zones list is empty, the rule matches traffic from any zone or interface. If the destination zones list is empty, the rule matches traffic to any zone or interface.
The system displays warnings for rules with zone combinations that never trigger on a targeted device.
Note You can save and apply policies with these zone combinations, but the rules will not provide any translation.
You can add individual interfaces by selecting an item in a zone or by selecting a standalone interface. You can only add interfaces in a zone if the zone it is assigned to has not already been added to a source zones or destination zones list. These individually selected interfaces are not affected by changes to zones, even if you remove them and add them to a different zone. If an interface is the primary member of a cluster and you are configuring a dynamic rule, you can add only the primary interface to the source zones or destination zones list. For static rules, you can add individual cluster member interfaces to the source zones list. You can only add a primary cluster interface to a list if none of its children have been added, and you can only add individual cluster interfaces if the primary has not been added.
If you add a zone, the rule uses all interfaces associated with the zone. If you add or remove an interface from the zone, the rule will not use the updated version of the zone until the device configuration has been reapplied to the devices where the interfaces reside.
Note In a static NAT rule, you can add only source zones. In a dynamic NAT rule, you can add both source and destination zones.
The following procedure explains how to add source and destination zone conditions while adding or editing a NAT rule. See Understanding NAT Rule Conditions and Condition Mechanics for more detailed information.
To add zone conditions to a NAT rule:
Step 1 Select the Zones tab on the rule Edit page.
Step 2 Optionally, click the Search by name prompt above the Available Zones list, then type a name or value.
The list updates as you type to display matching conditions. See Searching NAT Rule Condition Lists for more information.
Step 3 Click a zone or interface in the Available Zones list. Use the Shift and Ctrl keys to select multiple conditions, or right-click and then click Select All .
Conditions you select are highlighted.
Step 4 You have the following choices:
Optionally, you can drag and drop selected conditions into the Source Zones or Destination Zones lists.
Selected conditions are added. Note that while you can add disabled interfaces to a NAT rule, the rule does not provide any translation.
Note You can add only source zones to static NAT rules.
Step 5 Save or continue editing the rule.
You must apply the NAT policy for your changes to take effect; see Applying a NAT Policy.
Adding Source Network Conditions to Dynamic NAT Rules
You configure the matching values and translation values of the source IP address for packets. If the original source network is not configured, then any source IP address matches the dynamic NAT rule. Note that you cannot configure source networks for static NAT rules. If a packet matches the NAT rule, the system uses the values in the translated source network to assign the new value for the source IP address. For dynamic rules, you must configure a translated source network with at least one value.
You can add any of the following kinds of source network conditions to a dynamic NAT rule:
See Working with Network Objects for information on creating individual and group network objects using the object manager.
- individual network objects that you add from the Source Network conditions page, and can then add to your rule and to other existing and future rules
See Using Objects in NAT Rule Conditions for more information.
See Adding Literal Conditions to NAT Rules for more information.
The following procedure explains how to add source network conditions while adding or editing a dynamic NAT rule. See Understanding NAT Rule Conditions and Condition Mechanics for more detailed information.
To add network conditions to a dynamic NAT rule:
Step 1 Select the Source Networks tab on the rule Edit page.
The Source Network page appears.
Step 2 Optionally, click the Search by name or value prompt above the Available Networks list, then type a name or value.
The list updates as you type to display matching conditions. See Searching NAT Rule Condition Lists for more information.
Step 3 Click a condition in the Available Networks list. Use the Shift and Ctrl keys to select multiple conditions, or right-click and then click Select All .
Conditions you select are highlighted.
Step 4 You have the following choices:
Alternatively, you can drag and drop selected conditions into the Original Source Network or Translated Source Network lists.
Conditions you selected are added.
Step 5 Optionally, click the add icon ( ) above the Available Networks list to add an individual network object.
You can add multiple IP addresses, CIDR blocks, and prefix lengths to each network object.
Optionally, you can then select the object you added. See Working with Network Objects and Using Objects in NAT Rule Conditions for more information.
Step 6 Optionally, click the Enter an IP address prompt below the Original Source Network or Translated Source Network list; then type an IP address, range, or address block and click Add .
You add ranges in the following format: lower IP address-upper IP address. For example: 179.13.1.1-179.13.1.10.
The list updates to display your entry. See Adding Literal Conditions to NAT Rules for more information.
Step 7 Save or continue editing the rule.
Note When you update the network conditions in a dynamic rule in use in an applied policy, the system drops any network sessions using the existing translated address pool.
You must apply the NAT policy for your changes to take effect; see Applying a NAT Policy.
Adding Destination Network Conditions to NAT Rules
You configure the matching values and translation values of the destination IP address for packets. Note that you cannot configure translated destination networks for dynamic NAT rules.
Because static NAT rules are one-to-one translations, the Available Networks list contains only network objects and groups that contain only a single IP address. For static translations, you can add only a single object or literal value to each of the Original Destination Network and Translated Destination Network lists.
You can add any of the following kinds of destination network conditions to a NAT rule:
See Working with Network Objects for information on creating individual and group network objects using the object manager.
- individual network objects that you add from the Destination Network conditions page, and can then add to your rule and to other existing and future rules
See Using Objects in NAT Rule Conditions for more information.
For static NAT rules, you can add only a CIDR with subnet mask /32, and only if there is not already a value in the list.
See Adding Literal Conditions to NAT Rules for more information.
The following procedure explains how to add destination network conditions while adding or editing a NAT rule. See Understanding NAT Rule Conditions and Condition Mechanics for more detailed information.
To add destination network conditions to a NAT rule:
Step 1 Select the Destination Network tab on the rule Edit page.
The Destination Network page appears.
Step 2 Optionally, click the Search by name or value prompt above the Available Networks list, then type a name or value.
The list updates as you type to display matching conditions. See Searching NAT Rule Condition Lists for more information.
Step 3 Click a condition in the Available Networks list. Use the Shift and Ctrl keys to select multiple conditions, or right-click and then click Select All .
Conditions you select are highlighted.
Step 4 You have the following choices:
Alternatively, you can drag and drop selected conditions into the Original Destination Network or Translated Destination Network lists.
Conditions you selected are added.
Step 5 Optionally, click the add icon ( ) above the Available Networks list to add an individual network object.
For dynamic rules, you can add multiple IP addresses, CIDR blocks, and prefix lengths to each network object. For static rules, you can add only a single IP address. Optionally, you can then select the object you added. See Working with Network Objects and Using Objects in NAT Rule Conditions for more information.
Step 6 Optionally, click the Enter an IP address prompt below the Original Destination Network or Translated Destination Network list, then type an IP address or address block and click Add .
The list updates to display your entry. See Adding Literal Conditions to NAT Rules for more information.
Step 7 Save or continue editing the rule.
Note When you update the network conditions in a dynamic rule in use in an applied policy, the system drops any network sessions using the existing translated address pool.
You must apply the NAT policy for your changes to take effect; see Applying a NAT Policy.
Adding Port Conditions to NAT Rules
You can add a port condition to a rule to match network traffic based on the original and translated destination port and transport protocol for translation. If the original port is not configured, any destination port matches the rule. If a packet matches the NAT rule and a translated destination port is configured, the system translates the port into that value. Note that for dynamic rules, you can specify only the original destination port. For static rules, you can define a translated destination port, but only with an object with the same protocol as the original destination port object or literal value.
The system matches the destination port against the value of the port object or literal port in the original destination port list for static rules, or multiple values for dynamic rules.
Because static NAT rules are one-to-one translations, the Available Ports list contains only port objects and groups that contain only a single port. For static translations, you can add only a single object or literal value to each of the Original Port and Translated Port lists.
For dynamic rules, you can add a range of ports. For example, when specifying the original destination port, you can add 1000-1100 as a literal value.
You can add any of the following kinds of port conditions to a NAT rule:
See Working with Port Objects for information on creating individual and group port objects using the object manager.
- individual port objects that you add from the Destination Ports conditions page, and can then add to your rule and to other existing and future rules
See Using Objects in NAT Rule Conditions for more information.
See Adding Literal Conditions to NAT Rules for more information.
The following procedure explains how to add port conditions while adding or editing a NAT rule. See Understanding NAT Rule Conditions and Condition Mechanics for more detailed information.
To add destination port conditions to a NAT rule:
Step 1 Select the Destination Port tab on the rule Edit page.
The Destination Port page appears.
Step 2 Optionally, click the Search by name or value prompt above the Available Ports list, then type a name or value.
The list updates as you type to display matching conditions. See Searching NAT Rule Condition Lists for more information.
Step 3 Click a condition in the Available Ports list. Use the Shift and Ctrl keys to select multiple conditions, or right-click to select all conditions. Note that you can add a maximum of 50 conditions.
Conditions you select are highlighted.
Step 4 You have the following choices:
Step 5 Optionally, to create and add an individual port object, click the add icon ( ) above the Available Ports list.
You can identify a single port or a port range in each port object that you add. You can then select objects you added as conditions for your rule. See Using Objects in NAT Rule Conditions for more information.
For static rules, you can use only port objects with single ports.
Step 6 Optionally, to add a literal port, select an entry from the Protocol drop-down list beneath the Original Port or Translated Port lists.
Enter a port, then click Add . You can specify a port number from 0 through 65535. For dynamic rules, you can specify a single port or a range.
The list updates to display your selection. See Adding Literal Conditions to NAT Rules for more information.
Conditions you selected are added.
Step 7 Save or continue editing the rule.
You must apply the NAT policy for your changes to take effect; see Applying a NAT Policy.
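The sections on naming rules, adding literal network conditions and adding literal port conditions each state validation rules that the web interface enforces as you type (red text until a value is valid, blue once it is). The following Python is an added example, not FireSIGHT code; the function names, the "static"/"dynamic" rule_type strings and the return shapes are assumptions for illustration. It covers the name limits (22 characters for static, 30 for dynamic, no colon), network literals including lower-upper ranges and the single /32 restriction for static rules, port literals from 0 through 65535 with ranges only in dynamic rules, the same-protocol requirement for a static rule's translated port, and the cap of 50 conditions per list. Whether a port is required when the protocol is All is left open here, as the page's wording is; the parser accepts a protocol-only condition for any protocol.

```python
import ipaddress
import re

# Added example, not FireSIGHT code: validation of the literal values and limits this
# chapter describes (rule names, network literals, port literals, the 50-entry cap per
# condition list). Function names and return types are assumptions for illustration.

MAX_CONDITIONS = 50                          # per list of selected conditions
NAME_LIMIT = {"static": 22, "dynamic": 30}   # maximum rule-name length by rule type
_RANGE = re.compile(r"^\s*([0-9A-Fa-f.:]+)\s*-\s*([0-9A-Fa-f.:]+)\s*$")   # lower-upper
_PORTS = re.compile(r"^\s*(\d{1,5})(?:\s*-\s*(\d{1,5}))?\s*$")           # port or low-high


def validate_rule_name(name: str, rule_type: str) -> bool:
    """Length limit depends on rule type; printable characters are allowed except the colon."""
    return 0 < len(name) <= NAME_LIMIT[rule_type] and name.isprintable() and ":" not in name


def parse_network_literal(text: str, rule_type: str, existing: int = 0):
    """Return an ip_network, or a (lower, upper) address tuple for a range such as
    179.13.1.1-179.13.1.10. Static rules take one single-host value into an empty list."""
    if existing >= MAX_CONDITIONS:
        raise ValueError("list already holds 50 conditions")
    if rule_type == "static" and existing:
        raise ValueError("static rules allow a single destination network")
    m = _RANGE.match(text)
    if m:
        if rule_type == "static":
            raise ValueError("static rules take a single address, not a range")
        lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range {text!r}")
        return (lo, hi)
    net = ipaddress.ip_network(text.strip(), strict=False)   # raises ValueError if malformed
    if rule_type == "static" and net.prefixlen != net.max_prefixlen:
        raise ValueError("static rules accept only a single IP address (/32)")
    return net


def parse_port_literal(protocol: str, text: str, rule_type: str):
    """Return (protocol, (low, high)), or (protocol, None) when no port is typed.
    Ports run 0 through 65535; ranges such as 1000-1100 are allowed in dynamic rules only."""
    protocol = protocol.upper()
    if protocol not in ("TCP", "UDP", "ALL"):
        raise ValueError("protocol must be TCP, UDP or All")
    if not text.strip():
        return (protocol, None)          # protocol-only condition (assumption, see lead-in)
    m = _PORTS.match(text)
    if not m:
        raise ValueError(f"bad port literal {text!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("ports must be 0 through 65535, low before high")
    if rule_type == "static" and lo != hi:
        raise ValueError("static rules take a single port, not a range")
    return (protocol, (lo, hi))


def translated_port_allowed(original, translated) -> bool:
    """A static rule's translated port needs an original port, and both must share a protocol."""
    return original is not None and translated[0] == original[0]


def is_valid_network_literal(text, rule_type, existing=0) -> bool:
    """Mirrors the red/blue feedback in the UI: True once the typed value is accepted."""
    try:
        parse_network_literal(text, rule_type, existing)
        return True
    except ValueError:
        return False


def is_valid_port_literal(protocol, text, rule_type) -> bool:
    try:
        parse_port_literal(protocol, text, rule_type)
        return True
    except ValueError:
        return False
```

The is_valid_* wrappers are what a form would call on every keystroke; the parse_* functions return the structured value a policy store would keep. The page's own examples (192.168.3.0/24, 179.13.1.1-179.13.1.10, 1000-1100) all parse, while the same range values are rejected for a static rule.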