AFM Firewall and NAT policies - how to implement
Hi,
I need to implement policies for a few hundred src IP, dst IP, SNAT and NAT combinations. Something like this, all related to 13.1.0.1:
For given dst IP:
- Allow traffic from given set of IPs
- For given set of dst ports change dst IP (sometimes as well as port) to given IP
For given dst IP there could be dozens of such rules.
I am looking for real-life advice on which way would be better - maybe because of aspects I am not aware of, like easier troubleshooting, easier log checking, anything else.
Right now I can see two ways to implement:
- One wildcard IP and port VS
  - One FW policy containing all source/destination definitions
  - One NAT policy containing all destination port/destination IP and port definitions
- One VS per destination IP (so FW rules do not need to check the destination IP, only the source IP)
  - One FW policy containing all source/destination definitions related to this dst IP
  - One NAT policy containing all destination port/destination IP and port definitions
In the first case I will have single policies with hundreds of rules (or rule lists, in the case of the FW policy) - it seems harder to figure out what is in fact configured (sure, filtering can be used).
In the second case it is easier to figure out what was set for a given destination IP.
I am a bit lost here as to what would be better for real-life management, maintenance and troubleshooting.
What complicates things even more is that some configuration has to be repeated for both the FW and the NAT policy.
For example (at least in my test) the NAT policy has to have the Destination IP configured (the same one as in the Firewall policy). I can understand the reason for that, but it leaves room for mistakes, for example a different dst IP in the FW policy than in the matching NAT policy.
I hoped it could be resolved by applying the NAT policy to the VS - so it would automatically pick up the VIP and use it as the destination, but that seems not to be the case.
Any advice highly appreciated.
Piotr