Advanced NAT options for firewall rules
I have seen multiple forum posts about this, and there are also some feature requests that all come down to the same issue: managing NATs kind of sucks on the XG!
On a user rule, the only thing we can do is masquerade. That's not always useful. There's no way to control DNAT and SNAT options in a good way. We don't have a proper way to set up a 1-to-1 NAT for a full network other than creating two business rules that are really not made for this purpose. It's completely unintuitive and not well designed.
The Network Address Translation objects are under System - Profiles - ? Doesn't really make sense either. The only options for those objects are a name and an IP. Which IP are we talking about? Source or Destination? Pre or Post NAT?
We need to be able to NAT entire networks easily. It's quite a common scenario in enterprise networks to have overlapping subnets that need to be NATed. Sometimes masquerading works, other times it's not sufficient. Why can't there be a place to define a NAT rule that can be applied to any firewall rule?
This needs to be addressed and is yet another very basic component of a firewall that XG can't deal with, or at least not well, to this day.
Version 18 is decoupling NAT from firewall rules and providing a lot more flexibility around NAT policies. Please try it out – I think it should resolve your use cases.