Network Address Translation (NAT) rules

Kaspersky NGFW supports network address translation (NAT) and network address port translation (NAPT). Such translation can replace (translate) traffic components passing through Kaspersky NGFW with values specified in NAT and NAPT translation rules. The rules consist of criteria by which the traffic is selected for translation, and the translation parameters, which replace the values of the traffic components that match the criteria.

When creating a translation rule, you can configure the following parameters:

• Traffic is selected for translation by the following parameters:
  • Source IP addresses, ranges of IP addresses, ports, ranges of ports, and security zones
  • Destination IP addresses, ranges of IP addresses, ports, ranges of ports, and security zones
  • Services (protocols and ports)
• Addresses and ports are translated by the following parameters:
  • Source IP addresses, ranges of IP addresses
  • Destination IP addresses, ranges of IP addresses, ports

Information about the sessions in which the translation rule was applied to the traffic is displayed in the table of sessions in the Session manager section. Reverse network address translation is also applied to response packets transmitted within a session to which a NAT or NAPT rule was applied.

If you enabled logging of events in the Firewall → General section, information about the sessions in which a NAT or NAPT rule was applied to traffic, as well as information about the translation rules triggering, is recorded in the security event log. Information about the results of translation (translated address and port) is recorded in the session log.

Types of translation rules

The Kaspersky NGFW solution supports the following types of translation rules:

• Static NAT replaces the original IP address with the IP address specified in the rule.
• Masquerading replaces all source IP addresses with a specific IP address or one of the IP addresses specified in the rule, and traffic is transmitted from this address. A new port is opened for each connection to identify the sender and recipient and to transmit the return traffic. The port is closed after the session ends.
• Dynamic source NAT replaces the original source IP address with the first unoccupied IP address among those specified in the rule. The IP address that replaced the original IP address cannot be occupied until the session ends.
• Static destination NAPT reserves the external destination port specified in the rule, and all incoming traffic on this port is translated to the internal IP address and port specified in the rule.

Order of translation rules

NAT and NAPT rules are applied to traffic in the order of rule priority that is set when a rule is created. The lower the numerical priority value of the rule, the higher the priority of the rule and the earlier it is triggered. Rules in the table are sorted in decending order of priority (lower numbers at the top of the table). Rules are matched to traffic in order of priority; the first matching rule is applied to the traffic and the rest of the rules are not checked.

If you do not specify a priority when creating a rule, by default, the new rule has the lowest priority (that is, it gets the largest priority number) and is added to the end of the list.

If you have enabled at least one translation rule and you are using routes for traffic, these functions are applied in the following order:

• For static destination NAPT rules, the translation rule is applied first, then the routing.
• For static NAT, dynamic source NAT, and masquerading rules, routing is applied first, then the translation rule.

In this section Table of translation rules Creating translation rules Enabling or disabling translation rules Editing translation rules Deleting translation rules

Page top