Sophos Firewall NAT Configuration
15 Questions

Questions and Answers

What is the purpose of linked NAT rules in Sophos Firewall?

  • To enable multiple firewall rules for a single NAT rule
  • To process NAT rules independently from firewall rules
  • To allow configurations with no matching firewall rules required
  • To create a NAT rule that follows the same criteria as a linked firewall rule (correct)

Which NAT configuration types are mentioned in the context of Sophos Firewall?

  • Dual NAT and Single NAT
  • SNAT and DNAT (correct)
  • Network Address Translation and Port Address Translation
  • Static NAT and Dynamic NAT

What do NAT rules require in order to function correctly within Sophos Firewall?

  • Firewall rules to allow traffic (correct)
  • At least two linked firewall rules
  • Independent configurations without any firewall rules
  • Presence of external DNS settings

What is one of the recommended prerequisites for configuring Advanced NAT in Sophos Firewall?

  • Creating and managing NAT rules (correct)

What distinguishes NAT rules from firewall rules in Sophos Firewall?

  • NAT rules have a separate table for flexibility in configuration (correct)

What does a linked NAT policy do?

  • Matches on the same criteria as the linked firewall rule (correct)

Which of the following is a method of NAT load balancing?

  • Sticky IP (correct)

What can you do from the NAT rules tab?

  • Manage the NAT ruleset and view connection translations (correct)

In the context of NAT rules, why is the order of rules important?

  • It impacts the processing logic of the rules: they are evaluated top to bottom and the first match is applied (correct)

What does MASQ refer to in SNAT scenarios?

  • A translated source of MASQ rewrites the source IP to the IP address of the outbound interface (correct)

What is the primary purpose of the DNAT scenario described?

  • To publish a web-based application running on an internal server (correct)

What is the function of the NAT rule in this DNAT configuration?

  • To translate the destination port from 80 to 4567 (correct)

Which of the following is true about the source in the NAT rule?

  • The source is left unchanged (no source translation), so the application sees the real client address (correct)

What should the destination zone of the firewall rule be configured to match?

  • The DMZ where the application server resides (correct)

Which security features can be applied in the firewall rule?

  • IPS policies and other protective measures (correct)

Flashcards

NAT Rule Separation

NAT rules are kept in their own table and matched separately from firewall rules; a single NAT rule can translate the source, the destination, or both (full NAT).

Linked NAT Rules

Linked NAT rules automatically inherit the matching criteria from their associated firewall rule, simplifying configuration & ensuring consistent behavior.

Linked NAT Source Translation

Linked NAT rules perform source translation only, so the translated source is the one setting you specify; the matching criteria are inherited from the linked firewall rule.

NAT Types

Sophos Firewall supports various NAT types, including SNAT (Source NAT) and DNAT (Destination NAT), allowing for flexible network address manipulation.

Firewall Rules for NAT

NAT rules require corresponding firewall rules to allow the specific traffic being translated.

Masquerading NAT

A NAT configuration technique where the outgoing traffic from a network is translated to the IP address of the interface it exits from. This is useful for hiding internal IP addresses from the outside world and ensuring that only the firewall's public IP is visible.

Default SNAT Rule

A NAT rule that exists by default and is updated automatically as WAN interfaces are added. It masquerades (MASQ) all traffic leaving a WAN interface, translating the source to that interface's IP address.

NAT Load Balancing

A DNAT rule whose translated destination is a pool of servers rather than a single host. Incoming connections are spread across the healthy pool members using round robin, random, sticky IP, first-alive or one-to-one mapping.

NAT Rule Order

The NAT rule processing order is important. Rules are processed from top to bottom, so make sure any catch-all rule that applies to all traffic is placed at the bottom of the list.

Destination NAT (DNAT)

A rule that modifies the destination address and/or port of incoming traffic, allowing external users to access an internal application. This is done by translating the public IP address and port to the internal server's IP address and port.

What is the DMZ?

The DMZ (Demilitarized Zone) is a network segment between the public internet and the internal network. It's used to host applications that need to be accessible from the public internet but are not in the secure internal network.

Destination Zone in DNAT

The zone where the application server resides (e.g. DMZ). The firewall rule matches on the post-NAT destination zone, but on the pre-NAT destination address: the public IP the client originally connected to.

Original Service in DNAT

The original port that the client connects to, typically port 80 for HTTP. This port is translated to a specific port on the internal server (e.g., port 4567) using DNAT.

Study Notes

Sophos Firewall NAT Configuration

  • Sophos Firewall version 19.0v2
  • Copyright 2022 Sophos Limited
  • Document cannot be used without permission
  • Sophos and the Sophos logo are registered trademarks
  • Other names and logos may be trademarks of Sophos Limited or other owners

NAT Configuration

  • NAT rules live in their own table, separate from the firewall rule table
  • Linked NAT rules take their matching criteria from the firewall rule they are linked to
  • The translated source is the only setting a linked NAT rule needs; it performs source translation only
  • Linked NAT rules exist primarily for migrating from version 17.5
  • Replacing linked NAT rules with standard NAT rules is recommended
  • Far fewer NAT rules than firewall rules are generally needed
  • This makes it easier to convert pre-existing rulesets to Sophos Firewall
  • Simple environments may need only a single masquerading SNAT rule
  • NAT rules translate but do not allow traffic: a firewall rule must still permit it

NAT Packet Flow

  • Packet arrives and is marked; the NAT lookup runs first
  • If a DNAT or full NAT rule matches, the destination is rewritten, which changes the destination zone
  • The firewall rule lookup matches on the post-NAT destination zone but on the pre-NAT destination IP address
  • Translation is then applied: the DNAT/full NAT rule, and source translation from a standalone SNAT rule or a linked NAT rule
  • The packet is forwarded once all stages are complete
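
The packet flow above, as an added worked example that is not part of the Sophos course material: a small Python model that runs one packet through the NAT lookup, the firewall lookup (post-NAT zone, pre-NAT address and service) and the SNAT lookup. The three-zone layout, interface addresses, the NAT table (a DNS-enforcement DNAT, a published web server, a catch-all Default SNAT) and the firewall table are all constructed assumptions. It also exercises two points the notes make later: a matching DNAT rule does not allow traffic by itself, and a DNAT rule on port 22 is looked up before device access, so it captures SSH to the firewall's own address.

```python
# Toy model of the NAT packet flow described in the study notes above. All zones,
# addresses, ports and rule names are constructed for this example; none come from
# a real Sophos Firewall configuration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "Any"
# Assumed zone layout and interface addresses (RFC 5737 documentation ranges).
ZONES = {"LAN": ip_network("192.168.10.0/24"), "DMZ": ip_network("172.16.1.0/24"),
         "WAN": ip_network("203.0.113.0/24")}
INTERFACE_IP = {"LAN": "192.168.10.1", "DMZ": "172.16.1.1", "WAN": "203.0.113.10"}
DEVICE_ACCESS = {22: "SSH", 4444: "Admin UI"}  # local services enabled on WAN (assumed)

def zone_of(ip: str) -> str:
    """Zone of an address; anything outside the local zones is treated as Internet (WAN)."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "WAN")

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    in_zone: str

@dataclass
class NatRule:
    """One row of the NAT table: trans_dst set => DNAT/full NAT, trans_src set => SNAT."""
    name: str
    src_zone: str = ANY
    dst_net: str = ANY               # original destination network
    dst_port: Optional[int] = None   # original service, None = any
    out_zone: str = ANY              # outbound interface criterion (used by SNAT rules)
    trans_dst: Optional[str] = None
    trans_port: Optional[int] = None
    trans_src: Optional[str] = None  # "MASQ" or an explicit address

    def matches(self, pkt: Packet, out_zone: str) -> bool:
        return (self.src_zone in (ANY, pkt.in_zone)
                and (self.dst_net == ANY or ip_address(pkt.dst_ip) in ip_network(self.dst_net))
                and self.dst_port in (None, pkt.dst_port)
                and self.out_zone in (ANY, out_zone))

@dataclass
class FwRule:
    name: str
    src_zone: str
    dst_zone: str                    # compared with the POST-NAT destination zone
    dst_net: str                     # compared with the PRE-NAT destination address
    dst_port: Optional[int] = None   # compared with the PRE-NAT service

def process(pkt: Packet, nat_rules: list, fw_rules: list) -> dict:
    """Walk one packet through: NAT (DNAT) lookup -> device access -> firewall -> SNAT."""
    orig_ip, orig_port = pkt.dst_ip, pkt.dst_port
    result = {"dnat": None, "firewall": None, "snat": None, "verdict": "drop"}
    # 1. NAT lookup, top to bottom: the first DNAT/full-NAT rule that matches wins and
    #    rewrites the destination, which also changes the destination zone.
    dnat = next((r for r in nat_rules if r.trans_dst and r.matches(pkt, zone_of(pkt.dst_ip))), None)
    if dnat:
        pkt.dst_ip, pkt.dst_port = dnat.trans_dst, dnat.trans_port or pkt.dst_port
        result["dnat"] = dnat.name
    elif pkt.dst_ip in INTERFACE_IP.values() and pkt.dst_port in DEVICE_ACCESS:
        # 2. Device access is only consulted when no DNAT rule has claimed the port.
        result["verdict"] = "local service: " + DEVICE_ACCESS[pkt.dst_port]
        return result
    # 3. Firewall lookup: post-NAT destination zone, pre-NAT destination address and service.
    post_zone = zone_of(pkt.dst_ip)
    fw = next((f for f in fw_rules
               if f.src_zone in (ANY, pkt.in_zone) and f.dst_zone in (ANY, post_zone)
               and (f.dst_net == ANY or ip_address(orig_ip) in ip_network(f.dst_net))
               and f.dst_port in (None, orig_port)), None)
    if fw is None:
        return result  # a matching DNAT rule alone never allows traffic
    result["firewall"] = fw.name
    # 4. SNAT lookup: first SNAT rule whose criteria match, outbound zone included.
    snat = next((r for r in nat_rules if r.trans_src and r.matches(pkt, post_zone)), None)
    if snat:
        result["snat"] = snat.name
        pkt.src_ip = INTERFACE_IP[post_zone] if snat.trans_src == "MASQ" else snat.trans_src
    result["src_ip"] = pkt.src_ip
    result["verdict"] = f"accept -> {pkt.dst_ip}:{pkt.dst_port}"
    return result

# Constructed tables, in processing order; the catch-all Default SNAT sits last.
NAT_TABLE = [
    NatRule("DNS enforcement", src_zone="LAN", dst_port=53, trans_dst="172.16.1.53"),
    NatRule("Publish web app", src_zone="WAN", dst_net="203.0.113.10/32", dst_port=80,
            trans_dst="172.16.1.20"),
    NatRule("Default SNAT", out_zone="WAN", trans_src="MASQ"),
]
FW_TABLE = [
    FwRule("Web to DMZ", "WAN", "DMZ", "203.0.113.10/32", 80),  # zone post-NAT, address pre-NAT
    FwRule("LAN to DMZ", "LAN", "DMZ", ANY),
    FwRule("LAN to Internet", "LAN", "WAN", ANY),
]

def run(src_ip, dst_ip, dst_port, in_zone, nat_rules=NAT_TABLE, fw_rules=FW_TABLE) -> dict:
    return process(Packet(src_ip, dst_ip, dst_port, in_zone), nat_rules, fw_rules)
```

`run("198.51.100.7", "203.0.113.10", 80, "WAN")` reports that the Publish web app DNAT rule fired, the firewall rule Web to DMZ allowed it (post-NAT zone DMZ, pre-NAT address the public IP), and no SNAT applied, because Default SNAT matches only traffic leaving the WAN zone. The same client on port 22 reaches the firewall's own SSH service; prepending `NatRule("SSH to jump host", src_zone="WAN", dst_port=22, trans_dst="172.16.1.22")` to NAT_TABLE makes that DNAT rule capture the connection instead, which is the precedence the notes warn about. A LAN client querying an external resolver on port 53 is redirected to the constructed internal resolver, while other LAN traffic to the Internet is masqueraded to the WAN interface address.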

Supported NAT Types

  • SNAT (source NAT): modifies the source IP address and/or port; dynamic IP and port mappings
  • DNAT (destination NAT): modifies the destination IP address and/or port; many-to-one, one-to-one and one-to-many mappings
  • Reflexive policy: one click in the UI creates the SNAT rule that allows traffic in the opposite direction
  • Loopback policy: one click in the UI lets internal traffic reach the server using the firewall's external IP
  • Linked NAT policy: an SNAT rule with the same criteria as the linked firewall rule
  • NAT load balancing: distributes a DNAT rule's traffic across a pool of servers using round robin, random, sticky IP, first-alive or one-to-one
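
The load-balancing methods in the last bullet, as an added Python example (not Sophos code): one class that chooses the translated destination for each new connection under each method, over a constructed server pool with a health flag per member. The method names, the CRC32 hash used to model sticky IP, and the choice that one-to-one does not fail over are modelling assumptions made here, not documented Sophos behaviour.

```python
# Toy implementation of the NAT load-balancing methods listed above. Added example,
# not Sophos code: the server pool, health states and client addresses are
# constructed, and each method is a plain reading of its name.
import random
import zlib
from typing import Dict, List, Optional


class NatLoadBalancer:
    """Picks the translated destination for a DNAT rule whose target is a server pool."""

    def __init__(self, servers: List[str], method: str,
                 originals: Optional[List[str]] = None, seed: Optional[int] = None):
        self.servers = list(servers)
        self.method = method
        self.originals = list(originals or [])  # original (public) addresses, one_to_one only
        self.alive: Dict[str, bool] = {s: True for s in servers}  # health state set by the caller
        self._rr = 0                             # round-robin cursor
        self._rng = random.Random(seed)

    def healthy(self) -> List[str]:
        return [s for s in self.servers if self.alive[s]]

    def pick(self, client_ip: str, original_dst: Optional[str] = None) -> Optional[str]:
        """Return the server this connection is translated to, or None if none is usable."""
        if self.method == "one_to_one":
            # Fixed range-to-range mapping: the n-th original address always goes to the
            # n-th server. Modelled here without failover because the mapping is static.
            if original_dst not in self.originals:
                return None
            idx = self.originals.index(original_dst)
            if idx >= len(self.servers) or not self.alive[self.servers[idx]]:
                return None
            return self.servers[idx]
        pool = self.healthy()
        if not pool:
            return None  # every member failed its health check: fail closed
        if self.method == "round_robin":
            server = pool[self._rr % len(pool)]
            self._rr += 1
            return server
        if self.method == "random":
            return self._rng.choice(pool)
        if self.method == "sticky_ip":
            # The same client IP keeps landing on the same server while it stays alive;
            # hashing over the healthy pool spreads a failed member's clients over the rest.
            return pool[zlib.crc32(client_ip.encode()) % len(pool)]
        if self.method == "first_alive":
            return pool[0]  # active/standby: the first healthy server in list order
        raise ValueError(f"unknown load-balancing method: {self.method}")


def distribute(method: str, servers: List[str], clients: List[str]) -> Dict[str, Optional[str]]:
    """Map each constructed client address to the server it would be translated to."""
    lb = NatLoadBalancer(servers, method, seed=1)
    return {c: lb.pick(c) for c in clients}
```

Marking a member dead (`lb.alive[server] = False`) removes it from the pool for every method except one-to-one, so round robin and first-alive skip it on the next pick and sticky IP re-hashes only the clients that were pinned to it.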

NAT Rules Tab

  • Manage and reorder NAT rules and view connection details
  • Create NAT rules manually, or DNAT rules using the server access assistant
  • A video is available for in-depth configuration
  • Usage counts can be reset and linked NAT rules can be unlinked from their firewall rules

Masquerading SNAT Scenario

  • Scenario: masquerade all traffic leaving WAN interface Port2
  • A single SNAT rule covers this: outbound interface Port2, translated source MASQ

Default SNAT Rule

  • The default SNAT rule matches on the outbound interface (WAN), not on addresses
  • Its MASQ translated source rewrites the source address to the address of the outbound interface
  • The default rule is updated automatically when WAN interfaces are added

DNAT Scenario

  • DNAT (destination NAT) is used to publish an internal application to the Internet
  • Two rules are needed: a firewall rule to allow the traffic and a NAT rule to change its destination
  • The NAT rule translates the destination from the public IP on the WAN interface to the internal server's address and port

DNAT Scenario: Firewall Rule and NAT Rule

  • The firewall rule permits the traffic; its matching criteria are:
  • Destination zone: the zone the application server resides in (the post-NAT zone, e.g. DMZ)
  • Service: the original service, e.g. HTTP (port 80)
  • Destination networks/devices: the public IP the clients connect to (the pre-NAT address)
  • In the NAT rule, the translated source is left as the original source, so the client's address is not changed
  • Translated destination: the application server
  • Translated service: the same as the original, e.g. HTTP port 80

Reflexive NAT Rule

  • The reflexive and loopback policy options can be enabled at the same time as the DNAT rule is created
  • The reflexive rule is an SNAT rule for traffic from the internal source (the published server) to the Internet, translating its source to the public IP used in the DNAT rule

Loopback NAT Rule

  • The loopback rule lets internal users reach the published server by its public IP address
  • It translates the destination to the internal server and also performs SNAT on the connection, so the server's replies return via the firewall

NTP Proxy Scenario

  • Set up Sophos Firewall as an NTP proxy for internal clients
  • A NAT rule accepts NTP requests (UDP port 123) arriving on an interface and forwards them to either internal or external NTP servers

DNS Server Enforcement

  • Ensures clients use trusted DNS servers only
  • A NAT rule intercepts DNS requests (port 53) and redirects them to the trusted server
  • The redirect must be configured carefully, with a firewall rule allowing the redirected traffic, so that DNS resolution keeps working reliably

Things To Remember

  • A linked NAT rule matches on the ID of its firewall rule, not on network criteria of its own
  • Migration from v17.5 preserves the order of both firewall rules and NAT rules
  • Gateway-specific NAT and override policies are not part of the NAT rule table
  • DNAT rules take precedence over device access (the firewall's own services)
  • For example, a DNAT rule translating port 22 captures SSH connections to the firewall's address, so the firewall itself can no longer be reached on that port

Local NAT Policy

  • Configure the source IP address used for system-generated traffic
  • By default, system-generated traffic leaves with the IP address of the outbound interface
  • Local NAT policies let you choose a different source IP address for specific destinations

Description

This quiz covers the configuration of NAT rules in Sophos Firewall version 19.0v2. Learn about the differences between linked and standard NAT rules, and understand the NAT packet flow process. Test your knowledge on how to effectively manage NAT configurations in firewall settings.
