Creating Static Network Address Translation (SNAT) in WatchGuard System Manager

SNATs are commonly referred to as port forwards on other vendor platforms. The steps below create a typical RDP port forward from a known source address.

In Policy Manager, select Add Policy➔Packet Filters➔RDP 

The policy window appears

  • Name the policy appropriately

  • Add the external IP address that the RDP request will originate from. Never open an RDP port forward from ‘Any-External’

[Screenshot: New Policy Properties]

In the ‘To’ Field, select Add➔Add SNAT➔Add 

  • The following window will appear:

[Screenshot: Add SNAT window]

Name the SNAT Action appropriately, then select Add 

[Screenshot: Select or add source IP address in the Add SNAT window]

At this point, a few items need to be addressed:

  • If the primary IP on the external interface is to be used, select that IP and leave ‘Set source IP’ unchecked

  • If the backup IP on your external is to be utilized, that IP must be added as a secondary, as follows:

    • Network➔Configuration➔Interfaces➔External Interface➔Secondary tab➔Add backup external IP referenced prior

    • Without completing this step, the backup IP address cannot be used, even though it is part of the block of static IPs purchased from the ISP

  • Below the external interface/IP section, select the type of internal address: IP or FQDN. In this scenario, an IP address was used

[Screenshot: Set internal port to a different port]

  • If the RDP policy in this example accepted a port other than 3389, this option could forward that traffic to 3389 on the internal host. The inverse also applies when the server/device is configured to accept RDP on a non-standard port. Ensure that the port the connection arrives on through the Firebox lines up with the port the end device is configured for. In the example shown, no port change was necessary.

Below is the completed SNAT

[Screenshot: Add Static NAT - Select OK]

Select OK➔OK➔OK➔OK 

Review the completed policy, ensuring that the ports on the policy and the port forwards on the SNAT Action are correct.

[Screenshot: New Policy Properties - Policy tab]

SNATs are a powerful tool in an NGFW’s arsenal. Just be cautious with how open these policies are made. Our recommendation is to narrow the permitted source IP addresses down to as few as possible.
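The review step above and the closing advice boil down to three checks: the ‘From’ field is not Any-External, the SNAT’s external IP is the primary or a configured secondary, and the forwarded port matches what the host listens on. The following added example (not WatchGuard’s code or config format) encodes those checks over a hypothetical, simplified policy model with constructed sample addresses.

```python
from dataclasses import dataclass, field

@dataclass
class Snat:
    external_ip: str    # external interface IP the port forward listens on
    internal_ip: str    # internal host that receives the forwarded traffic
    internal_port: int  # port the traffic is sent to ("Set internal port")

@dataclass
class Policy:
    name: str
    sources: list       # the 'From' field, e.g. ["198.51.100.7"] or ["Any-External"]
    snat: Snat

@dataclass
class ExternalInterface:
    primary_ip: str
    secondary_ips: list = field(default_factory=list)  # Interfaces > External > Secondary tab

def audit_snat_policy(policy, external, device_listen_port):
    """Return findings against the rules in this guide; an empty list means it passes."""
    findings = []
    # 1. Never open an RDP port forward from Any-External (or Any).
    if any(src.lower() in ("any-external", "any") for src in policy.sources):
        findings.append("From includes Any-External: restrict to the known source IP(s)")
    # 2. A backup external IP only works as an SNAT target once added as a secondary.
    usable_ips = {external.primary_ip, *external.secondary_ips}
    if policy.snat.external_ip not in usable_ips:
        findings.append(f"SNAT external IP {policy.snat.external_ip} is neither the primary "
                        "nor a configured secondary IP")
    # 3. The forwarded port must match what the end device actually listens on.
    if policy.snat.internal_port != device_listen_port:
        findings.append(f"SNAT forwards to port {policy.snat.internal_port} but the host "
                        f"listens on {device_listen_port}")
    return findings

# Constructed sample data (RFC 5737 documentation addresses, not a real deployment).
EXTERNAL = ExternalInterface(primary_ip="203.0.113.1", secondary_ips=["203.0.113.2"])
WEAK_POLICY = Policy("RDP-open", ["Any-External"], Snat("203.0.113.3", "10.0.0.20", 3390))
HARDENED_POLICY = Policy("RDP-from-office", ["198.51.100.7"], Snat("203.0.113.2", "10.0.0.20", 3389))

def review_example():
    """Audit both constructed policies against a server listening on 3389."""
    return {p.name: audit_snat_policy(p, EXTERNAL, 3389) for p in (WEAK_POLICY, HARDENED_POLICY)}

if __name__ == "__main__":
    for name, findings in review_example().items():
        print(name, "->", findings or "OK")
```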