Kaspersky SD-WAN

Managing DNAT rules

The table of DNAT rules is displayed in the firewall template and on the CPE device:

  • To display the table of DNAT rules in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → DNAT tab.
  • To display the table of DNAT rules on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the Firewall settings → NAT → DNAT tab.

Information about DNAT rules is displayed in the following columns of the table:

  • Name is the name of the DNAT rule.
  • Incoming contains the criteria according to which the firewall applies the DNAT rule to traffic packets:
  • Redirect to is the destination IP address and port of traffic packets after the DNAT rule is applied.

In this section

Creating a DNAT rule

Configuring the order of DNAT rules

Disabling or enabling a DNAT rule

Editing a DNAT rule

Deleting a DNAT rule


Creating a DNAT rule

You can create a DNAT rule in a firewall template or on a CPE device. A DNAT rule created in a firewall template is automatically created on all CPE devices that use this firewall template.

To create a DNAT rule:

  1. Create a DNAT rule in one of the following ways:
    • If you want to create a DNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → DNAT tab.
    • If you want to create a DNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → DNAT tab, and select the Override check box.

    A table of DNAT rules is displayed.

  2. Click + DNAT.
  3. In the window that opens, in the Name field, enter the name of the DNAT rule. Maximum length: 255 characters.
  4. Specify the criteria according to which the firewall must apply the DNAT rule to traffic packets:
    1. In the Protocol drop-down list, select the protocol of traffic packets to which the firewall applies the DNAT rule:
      • IP
      • TCP
      • UDP
      • # for a custom or non-standard protocol. If you select this value, in the displayed Protocol number field, enter the protocol number in accordance with the IANA standard.
    2. In the Destination IP field, enter the destination IPv4 address or prefix of traffic packets to which the firewall applies the DNAT rule.
    3. If you want to apply the DNAT rule only to traffic packets with the specified source firewall zone, in the Source zone drop-down list, select a created firewall zone.
    4. If in the Protocol drop-down list, you selected TCP or UDP, and you want to apply the DNAT rule only to traffic packets with the specified destination port, enter the port number in the Destination port field. Range of values: 1 to 65,535.
    5. If you want to apply the DNAT rule only to traffic packets with the specified source IPv4 address or prefix, in the Source IP field, enter an IPv4 address or prefix.
  5. Specify how the DNAT rule modifies traffic packets:
    1. In the Destination IP field, enter a new IPv4 destination address or prefix.
    2. In the Destination zone drop-down list, select the new destination firewall zone.
    3. If in the Protocol drop-down list, you selected TCP or UDP, and you want to change the destination port number of traffic packets, enter a new port number in the Destination port field. Range of values: 1 to 65,535.
  6. Click Create.

    The DNAT rule is created and displayed in the table.

  7. In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.

Configuring the order of DNAT rules

DNAT rules are applied to traffic packets from top to bottom, starting with the first DNAT rule at the top of the table. By default, DNAT rules are displayed in the table in the order of creation. The earlier a DNAT rule was created, the higher it is displayed in the table.

You can configure the order in which DNAT rules are applied in a firewall template or on a CPE device. The order in which DNAT rules are applied, which is specified in the firewall template, is automatically propagated to all CPE devices that use this firewall template.

To configure the order in which DNAT rules are applied:

  1. Edit the order in which the DNAT rules are applied in one of the following ways:
    • If you want to configure the order in which DNAT rules are applied in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → DNAT tab.
    • If you want to configure the order in which DNAT rules are applied on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → DNAT tab, and select the Override check box.

    A table of DNAT rules is displayed.

  2. Configure the order in which DNAT rules are applied by clicking the Up and Down buttons next to the DNAT rule that you want to move.
  3. In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.
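
Because the position of a rule in the table decides when it is evaluated, a narrow rule placed below a broader one may never be reached. The following added example (not Kaspersky code) audits an exported rule list for such shadowed rules. It assumes that the first matching rule wins, that the IP protocol value matches any protocol, and that disabled rules are skipped; the DnatRule class and its field names are hypothetical and only mirror the Incoming criteria described above.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass
class DnatRule:
    name: str
    protocol: str                       # "IP", "TCP", "UDP" or an IANA number as text
    dest_ip: str                        # IPv4 address or prefix (Incoming criteria)
    source_zone: Optional[str] = None   # None = any source zone
    dest_port: Optional[int] = None     # None = any destination port
    source_ip: Optional[str] = None     # None = any source address
    enabled: bool = True

def net_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer is None or inner is None:
        return outer is None
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))

def covers(earlier: DnatRule, later: DnatRule) -> bool:
    """True if `earlier` matches every packet that `later` would match."""
    return (earlier.protocol in ("IP", later.protocol)   # assumption: IP = any protocol
            and net_covers(earlier.dest_ip, later.dest_ip)
            and net_covers(earlier.source_ip, later.source_ip)
            and earlier.source_zone in (None, later.source_zone)
            and earlier.dest_port in (None, later.dest_port))

def find_shadowed(rules: list) -> list:
    """Return (shadowed rule, covering rule) pairs for a top-to-bottom table."""
    active = [r for r in rules if r.enabled]   # assumption: disabled rules never match
    pairs = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if covers(earlier, later):
                pairs.append((later.name, earlier.name))
                break
    return pairs

# Constructed sample table, top row first (documentation-range addresses).
SAMPLE_RULES = [
    DnatRule("catch-all-old", "IP", "0.0.0.0/0", enabled=False),
    DnatRule("web-any-port", "TCP", "203.0.113.0/24", source_zone="wan"),
    DnatRule("web-https", "TCP", "203.0.113.10", source_zone="wan", dest_port=443),
    DnatRule("dns", "UDP", "203.0.113.10", source_zone="wan", dest_port=53),
]

if __name__ == "__main__":
    print(find_shadowed(SAMPLE_RULES))
```

Moving a reported rule above the rule that covers it with the Up button clears the finding under these assumptions.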

Disabling or enabling a DNAT rule

You can disable or enable a DNAT rule in a firewall template or on a CPE device. A DNAT rule enabled or disabled in a firewall template is automatically enabled or disabled on all CPE devices that use this firewall template.

To disable or enable a DNAT rule:

  1. Disable or enable a DNAT rule in one of the following ways:
    • If you want to disable or enable a DNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and in the displayed settings area, select the NAT → DNAT tab.
    • If you want to disable or enable a DNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, in the displayed settings area, select the Firewall settings → NAT → DNAT tab, and select the Override check box.

    A table of DNAT rules is displayed.

  2. Click Disable or Enable next to the DNAT rule that you want to disable or enable.

    The DNAT rule is disabled or enabled.

  3. In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.

Editing a DNAT rule

You can edit a DNAT rule in a firewall template or on a CPE device. A DNAT rule modified in a firewall template is automatically modified on all CPE devices that use this firewall template.

To edit a DNAT rule:

  1. Edit a DNAT rule in one of the following ways:
    • If you want to edit a DNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → DNAT tab.
    • If you want to edit a DNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → DNAT tab, and select the Override check box.

    A table of DNAT rules is displayed.

  2. Click Edit next to the DNAT rule that you want to edit.
  3. In the window that opens, edit the DNAT rule settings if necessary. For a description of the settings, see the instructions for creating a DNAT rule.
  4. Click Save.

    The DNAT rule is modified and updated in the table.

  5. In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.

Deleting a DNAT rule

You can delete a DNAT rule in a firewall template or on a CPE device. A DNAT rule deleted in a firewall template is automatically deleted on all CPE devices that use this firewall template.

Deleted DNAT rules cannot be restored.

To delete a DNAT rule:

  1. Delete a DNAT rule in one of the following ways:
    • If you want to delete a DNAT rule in a firewall template, go to the SD-WAN → Firewall templates menu section, click the firewall template, and select the NAT → DNAT tab.
    • If you want to delete a DNAT rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, select the Firewall settings → NAT → DNAT tab, and select the Override check box.

    A table of DNAT rules is displayed.

  2. Click Delete next to the DNAT rule that you want to delete.
  3. In the confirmation window, click Delete.

    The DNAT rule is deleted and is no longer displayed in the table.

  4. In the upper part of the settings area, click Save to save the settings of the firewall template or CPE device.