About Dynamic NAT Source IP Addresses

Applies To: Cloud-managed Fireboxes

By default, a cloud-managed Firebox changes the source IP address for outbound traffic to the primary IP address of the external network the traffic leaves. You can optionally configure a dynamic NAT rule or firewall policy to set a different source IP address for traffic it sends through a specific network. When you select a source IP address, dynamic NAT uses the specified source IP address for any traffic that matches the dynamic NAT rule or policy.

Whether you specify the source IP address in a dynamic NAT rule or in a firewall policy, it is important that the source IP address is on the same subnet as the primary or secondary IP address of the network from which the traffic is sent. It is also important to make sure that the traffic the rule applies to goes out through only one network.

If the dynamic NAT source IP address is not on the same subnet as the primary or secondary IP address of the outgoing network for that traffic, the Firebox does not change the source IP address for each packet to the source IP address specified in the dynamic NAT rule. Instead, it changes the source IP address to the primary IP address of the network from which the packet is sent.

Set the Source IP Address in a Dynamic NAT Rule

If you want to set the source IP address for traffic that matches a dynamic NAT rule, regardless of any policies that apply to the traffic, add a dynamic NAT rule that specifies the source IP address. The source IP address you specify must be on the same subnet as the primary or secondary IP address of the network the traffic leaves.

If the To location in the network dynamic NAT rule specifies an alias, such as Any-External, that includes more than one interface, the source IP address is used only for traffic that leaves an interface that has an IP address on the same subnet as the source IP address.

For example, if:

  • Your Firebox has two external networks:
    • Ext1, IP address 203.0.113.2
    • Ext2, IP address 192.0.2.2
  • You create a dynamic NAT rule for all traffic to Any-External.
  • In the dynamic NAT rule, you set a source IP address of 203.0.113.80.

The result is:

  • For traffic that leaves Ext1, the source IP address is the IP address in the dynamic NAT rule, 203.0.113.80.
  • For traffic that leaves Ext2, the source IP address is the Ext2 interface IP address, 192.0.2.2, because 203.0.113.80 is not on the Ext2 subnet.
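As an added illustration (not code from the WatchGuard documentation), the following Python models the fallback behaviour described above so you can check a planned dynamic NAT source IP against your external networks before configuring it; the /24 prefix lengths and the secondary IP on Ext2 are assumed sample values.

```python
import ipaddress
from typing import Dict, List

# Constructed sample topology (assumed, not from the page): each external
# network has a primary IP and optional secondary IPs, given with prefix lengths.
EXTERNAL_NETWORKS = {
    "Ext1": {"primary": "203.0.113.2/24", "secondary": []},
    "Ext2": {"primary": "192.0.2.2/24", "secondary": ["198.51.100.2/24"]},
}


def effective_source_ip(egress: str, rule_source_ip: str,
                        networks: Dict[str, dict] = EXTERNAL_NETWORKS) -> str:
    """Source IP the Firebox applies to traffic leaving the `egress` network.

    The rule's source IP is honoured only when it lies on the subnet of the
    primary or a secondary IP of that network; otherwise the traffic is NATed
    to the network's primary IP, as the documentation states.
    """
    net = networks[egress]
    primary = ipaddress.ip_interface(net["primary"])
    candidate = ipaddress.ip_address(rule_source_ip)
    subnets = [primary.network]
    subnets += [ipaddress.ip_interface(s).network for s in net["secondary"]]
    if any(candidate in subnet for subnet in subnets):
        return str(candidate)
    return str(primary.ip)


def check_rule(rule_source_ip: str,
               networks: Dict[str, dict] = EXTERNAL_NETWORKS) -> Dict[str, str]:
    """Evaluate a rule whose To location covers every external network."""
    return {name: effective_source_ip(name, rule_source_ip, networks)
            for name in networks}


def networks_that_honour(rule_source_ip: str,
                         networks: Dict[str, dict] = EXTERNAL_NETWORKS) -> List[str]:
    """Networks on which the rule's source IP is actually applied.

    An empty list means the rule never takes effect; more than one entry means
    the traffic may leave through several networks, which the page advises against.
    """
    return [name for name, ip in check_rule(rule_source_ip, networks).items()
            if ip == rule_source_ip]


if __name__ == "__main__":
    # Reproduces the page's example: honoured on Ext1, falls back on Ext2.
    print(check_rule("203.0.113.80"))
    print(networks_that_honour("203.0.113.80"))
```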

For more information, see Configure Dynamic NAT.

Set the Source IP Address in a Firewall Policy

If you want to set the source IP address for traffic handled by a specific firewall policy, configure the source IP address in the network settings of the policy. The source IP address you specify must be on the same subnet as the primary or secondary IP address of the interface you specified for outgoing traffic in the policy.

We recommend that you do not use the Set source IP option in the NAT settings of a firewall policy if you have more than one external network configured on your Firebox. If you use the Set source IP option in a policy, do not enable SD-WAN with failover in the policy settings.

For more information, see Configure Dynamic NAT in a Firewall Policy.

Related Topics

About Dynamic NAT