NAT (Network Address Translation) is a very basic yet necessary function that occurs on the firewall. Implementing NAT means that you are translating one IP address to another for the purposes of passing traffic through your device.
The most common type of NAT is Dynamic NAT. When Dynamic NAT occurs, the internal IP address of a device is masked when its traffic leaves the firewall. Instead, it shows as the external IP of the firewall. Dynamic NAT ensures that private IP addresses are hidden, and therefore protected.
Dynamic NAT is automatically configured on the firewall. By default, it is configured for all private IP address ranges. In order to add security and further customization to your device, you can replace the default Dynamic NAT entries with just the specific networks that reside behind your firewall.
To Review and Update Dynamic NAT Entries
1. In Policy Manager, select Network > NAT
2. You will see the pre-defined list of internal IP addresses configured in Dynamic NAT
3. To customize, you can select the pre-defined entries and click Remove
4. Click Add in the Dynamic NAT window to create a new entry
5. In the From field, enter the internal IP range that you want to create a Dynamic NAT rule for
6. In the To field, select Any-External. This will allow you to use Dynamic NAT on whichever external interface the traffic is passing through.
7. Click OK to add the entry. Repeat steps 5 & 6 for any other internal networks.
Override Dynamic NAT in Policies
It is not commonly needed, but it is possible to override the Dynamic NAT settings in a single policy. This would allow the policy to implement different Dynamic NAT settings specifically for its traffic.
1. Open the policy you would like to create the override for, and select the Advanced tab
2. You will see the NAT options at the bottom of the window. If you would like to turn Dynamic NAT off altogether, uncheck the box
3. If you would like to change the IP used for Dynamic NAT on this policy, select the option for All traffic in this policy, and check the box for Set source IP. Then enter the IP you would like the policy to use.
Monitoring Dynamic NAT
Verifying your Dynamic NAT is working can be tricky unless you know exactly where to look. If your Dynamic NAT is not configured correctly, you will only know by reviewing your traffic logs. You should see a portion of any outbound traffic log that says src_ip_nat=, followed by the external IP in use.