Still getting grips to everything so would love your help in understanding the behaviour of traffic when it is NATed and allowed.
Thank you a bunch!!!
This default behavior trips up a lot of people when they first start working with a zone based firewall, but it's fairly standard across all zone based firewall vendors. If you have a proper DMZ setup and handle your NAT entries correctly it's not a big issue, but it has certainly caused some people to unintentionally expose services because they didn't properly account for the behavior.
Thanks for the reply @BPry .
The intrazone-default rule is useful in that as I am not using a complete zero-trust design, so for it to automatically alow traffic in the same zones is most useful like inside-to-inside but not as useful say outside-to-outside.
Yes, I see that creating individual rules is not efficient when you can create a security rule such as outside-to-outside block any service and port (since the traffic is already explicitly permitted would be above this block any rule).
I'd essentially create however many explicitly defined intrazone blocking rules for zones of which traffic I do not want to hit the intrazone-default rule.
Thank you for taking the time to reply and clarify! Hopefully, I've made sense with the above!
I think, your Security Policy & NAT should be like this -
A DNAT rule from outside-to-inside that NATs 18.104.22.168:22 which translates to 192.168.1.1:22
A security policy that from outside-to-inside traffic for 22.214.171.124:22 - Same as you have written
With this, i dont think if it will match default intrazone policy. When you're putting DNAT for outside-to-outside zone, so it is matching intrazone policy as firewall is considering destination zone as outside due to wrong DNAT policy. This is because in packet processing, firewall evaluates NAT first. If you make changes in DNAT rule as given above, it will match correct security policy written by you.
Hope it helps!
Thank you for your response @SutareMayur .
I don't think that NAT will work? NAT works on PRE-NAT public addresses and thus their PRE-NAT zones. Only the security policy works with the true final destination zone i.e. inside once the lookup is performed
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!