11-03-2016 06:55 AM
I am looking to add around 60+ NAT rules for monitoring over IPsec that requires a policy NAT. I need to have them above another rule in the list for it to work. It is a very messy NAT list that I don't have the freedom to clean up. The NAT entries are being added to a device group in Panorama.
Thanks in advance,
11-03-2016 03:17 PM
As I understand it, in short, you want to add 60+ NAT rules above an existing rule.
If that is the situation, you can configure the new NAT rules and, after you are done, clone the existing NAT rule; you can choose to have the new cloned rule placed after any rule you specify. After you clone it, delete the old one.
Hope this helps,
11-04-2016 07:31 AM
That would be the proper way to do it. I don't believe that you can actually do this automatically in the CLI; it's something that you have to modify afterwards.
I really wouldn't clone your existing rule and move it, just move the NAT rule that you need above the new ones.
11-04-2016 02:27 PM
You can re-order using the CLI but you can't create rules with sequence numbers to place them where you want in the policy. (That would be a nice feature)
So if you really wanted to get the rules in order as you go, you would have to use a 'move' command after creating each NAT rule.
Maybe something like this, depending on what order you want things in.
set device-group <groupname> pre-rulebase nat rules NAT1 .......
move device-group <groupname> pre-rulebase nat rules NAT1 before CURRENTNAT (or you could use 'top' instead of 'before' if you want it first)
set device-group <groupname> pre-rulebase nat rules NAT2 .......
move device-group <groupname> pre-rulebase nat rules NAT2 before CURRENTNAT (or you could use 'after NAT1' if you want it beneath)
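Added example, not part of the original thread: a small Python generator for the set/move pairs described above, with a simulation of the resulting rule order so the placement can be checked before pasting into Panorama. The rule names, the device-group name and the "<rule settings>" placeholder are constructed, and the model assumes a newly created rule lands at the bottom of the rulebase.

```python
def build_commands(group, names, placement, settings="<rule settings>"):
    """Return CLI lines: create each rule, then move it to `placement`.

    `placement` is the tail of the move command, e.g. "before CURRENTNAT",
    "after NAT1" or "top". `settings` stands in for the rule body.
    """
    base = f"device-group {group} pre-rulebase nat rules"
    lines = []
    for name in names:
        lines.append(f"set {base} {name} {settings}")
        lines.append(f"move {base} {name} {placement}")
    return lines


def simulate(existing, lines):
    """Model the rule order after applying the generated lines in sequence."""
    rules = list(existing)
    for line in lines:
        words = line.split()
        verb, name = words[0], words[6]   # words[6] is the rule name
        if verb == "set" and name not in rules:
            rules.append(name)            # assumption: new rules go to the bottom
        elif verb == "move":
            rules.remove(name)
            if words[7] == "top":
                rules.insert(0, name)
            else:
                ref = rules.index(words[8])
                offset = 1 if words[7] == "after" else 0
                rules.insert(ref + offset, name)
    return rules


if __name__ == "__main__":
    # Constructed sample: 60 monitoring rules placed above CURRENTNAT.
    new_rules = [f"MON-NAT-{i:02d}" for i in range(1, 61)]
    cmds = build_commands("<groupname>", new_rules, "before CURRENTNAT")
    print("\n".join(cmds))
    # Sanity check of the order against a constructed existing rulebase.
    print(simulate(["OLD-A", "CURRENTNAT", "OLD-B"], cmds)[:4])
```

Moving every rule 'before CURRENTNAT' keeps the new rules in creation order directly above it, while using 'top' for every rule leaves them in reverse creation order.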