Configure Policy-Based Dynamic NAT

In policy-based dynamic NAT, the XTM device maps private IP addresses to public IP addresses. Dynamic NAT is enabled in the default configuration of each policy. You do not have to enable it unless you previously disabled it.

For policy-based dynamic NAT to work correctly, use the Policy tab of the Edit Policy Properties dialog box to make sure the policy is configured to allow traffic out through only one XTM device interface.

1-to-1 NAT rules have higher precedence than dynamic NAT rules. Policy-based dynamic NAT has higher precedence than network dynamic NAT.

To configure dynamic NAT settings in a policy: 

  1. Select Firewall > Firewall Policies.
    The Firewall Policies list appears.
  2. Select a policy.
  3. From the Action drop-down list select,Edit Policy.
  4. Click the Advanced tab.

Screen shot of the Policy Configuration page - Advanced tab

  1. Select the Dynamic NAT check box.
  2. If you want to use the dynamic NAT rules set for the XTM device, select Use Network NAT Settings.
    This is the default setting.
  3. If you want to apply dynamic NAT to all traffic in this policy, select All traffic in this policy.

If you select All traffic in this policy, the XTM device changes the source IP address for each packet handled by this policy to the primary IP address of the interface from which the packet is sent, or the source IP address configured in the network dynamic NAT settings. You can optionally set a different dynamic NAT source IP address for traffic handled by this policy.

To set the source IP address in the policy:

  1. Select the Set source IP check box.
  2. In the adjacent text box, type the source IP address to use for traffic handled by this policy. This source address must be on the same subnet as the primary or secondary IP address of the interface you specified for outgoing traffic.

When you select a source IP address, any traffic that uses this policy shows the specified address from your public or external IP address range as the source. This is most often used to force outgoing SMTP traffic to show the MX record address for your domain when the IP address on the XTM device external interface is not the same as your MX record IP address.

We recommend that you do not use the Set source IP option if you have more than one external interface configured on your XTM device. If you use the Set source IP option in a policy, do not enable policy-based routing with failover in the policy settings.

For more information about dynamic NAT source IP addressing options, see About Dynamic NAT Source IP Addresses.

Disable Policy-Based Dynamic NAT 

Dynamic NAT is enabled in the default configuration of each policy. To disable dynamic NAT for a policy:

  1. Select Firewall > Firewall Policies.
    The Firewall Policies list appears.
  2. Select a policy.
    The Policies page appears.
  3. From the Action drop-down list select,Edit Policy.
  4. Click the Advanced tab.
  5. To disable NAT for the traffic controlled by this policy, clear the Dynamic NAT check box.

See Also

About Dynamic NAT

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Knowledge Base