In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.
This opens the Policy tab.
Go to the NAT rules section.
This opens the table of translation rules.
In the upper part of the workspace, click the Create button.
This opens the translation rule creation window.
A unique number (UUID) is automatically assigned to the rule.
Go to the General section and follow these steps:
If you want to apply the rule immediately after adding it, enable the Status toggle switch. If you do not want to apply the rule, disable this toggle switch. This toggle switch is disabled by default.
Enter a name for the rule. The name must be unique among all rules and can be at most 128 characters long.
If necessary, in the Description field, enter an arbitrary description of the rule.
Maximum length: 1024 characters.
In the Type field, select Masquerading.
If you want to change the priority of the created rule, in the Priority field, specify the position of the rule in the table.
By default, the rule is saved with the largest priority value, that is, at the end of the table. Rules with a smaller priority number are applied earlier.
Go to the Original packets → Source section and select one of the following options:
Any (default) applies this rule to traffic with any source parameters.
Custom applies this rule only to traffic with the selected source IP addresses or security zones.
If you select Custom, specify the original source parameters to which the rule must apply:
Select the Addresses tab and in the Used in rule column, set the toggle switch to On for one or more IP addresses, IP address ranges, or subnets that you want to add to the rule. If you want to add multiple objects at the same time, select the check boxes next to the objects and click Use in rule.
If you want to apply the rule to incoming traffic at IP addresses of the interfaces included in a security zone, select the Security zones tab, and in the Used in rule column, set the toggle switch to On for the security zone that you want to add to the rule. You can add only one security zone to a rule.
Go to the Original packets → Destination section and select one of the following options:
Any (default) applies this rule to traffic with any destination parameters.
Custom applies this rule only to traffic with the selected destination IP addresses or security zone.
If you select Custom, specify the original destination parameters that the rule must match to be applied to traffic:
Select the Addresses tab and in the Used in rule column, set the toggle switch to On for one or more IP addresses that you want to add to the rule. If you want to add multiple IP addresses at the same time, select the check boxes next to the IP addresses and click Use in rule. IP address ranges and subnets are not supported.
If you want to apply the rule to incoming traffic at IP addresses of the interfaces included in a security zone, select the Security zones tab, and in the Used in rule column, set the toggle switch to On for the security zone that you want to add to the rule. You can add only one security zone to a rule.
If necessary, in the Original packets → Services section, specify the services (combinations of port and protocol) whose traffic the rule must apply to.
You can add only TCP, UDP, or ICMP services to a masquerading rule.
When you select a service with the ICMP protocol, masquerading rules are applied only to the outgoing Echo Request packets and the incoming response packets.
Go to the Translated packets → Source section and select one of the following options:
Any (default) translates to the primary IP address of the outbound interface and an unoccupied port. If the outbound interface is configured to support multiple IP addresses and has secondary IP addresses, the packet is translated to a random secondary IP address instead.
Custom translates to the IP addresses and ports specified in the rule.
If you have selected Custom, select the Addresses tab and in the Used in rule column, set the toggle switch to On for the IP addresses to which you want to translate. You must add at least one IP address belonging to a Kaspersky NGFW interface. IP address ranges and subnets are not supported.
When the rule is triggered, translation is performed to a random IP address from among the IP addresses added to the rule and belonging to a Kaspersky NGFW interface. If you add IP addresses that do not belong to a Kaspersky NGFW interface, the rule will not work.
You can add ports to a masquerading rule on the command line using the nat family of commands. However, we do not recommend adding ports to a masquerading rule, because doing so may result in all ports on the device being occupied.
Save the rule by clicking Create.
The new rule is added to the list.
Apply the OSMP policy changes by clicking the Commit and push button.
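The following added example is not Kaspersky NGFW code and does not use its nat commands; it is a small Python model of how a masquerading rule table like the one configured above behaves: rules are applied in ascending priority order, a disabled rule is skipped, the first matching rule wins, an ICMP service only matches outgoing Echo Requests, a custom translated source must belong to an interface address, and translation fails once every port in the pool is occupied. The rule field names, the matching logic and the port-allocation strategy are assumptions made for the illustration; IPv4 strings only.

```python
"""Toy model of masquerading rule evaluation (added illustration, not NGFW code)."""
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional

ANY = None  # stands for the "Any" option in the Source, Destination and Services sections
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port; 0 for ICMP
    icmp_type: int = ICMP_ECHO_REQUEST


@dataclass
class MasqRule:
    name: str
    priority: int                          # smaller number is applied earlier
    status: bool = False                   # the Status toggle is disabled by default
    src_nets: Optional[list] = ANY         # hosts, "first-last" ranges or subnets (assumed format)
    dst_hosts: Optional[set] = ANY         # single addresses only; ranges/subnets not supported
    services: Optional[set] = ANY          # set of (proto, port); port ignored for "icmp"
    translated_src: Optional[list] = ANY   # ANY -> outbound interface address


def _src_matches(rule: MasqRule, pkt: Packet) -> bool:
    if rule.src_nets is ANY:
        return True
    ip = ipaddress.ip_address(pkt.src)
    for entry in rule.src_nets:
        if "-" in entry:                                        # address range "first-last"
            lo, hi = (ipaddress.ip_address(x) for x in entry.split("-"))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):  # single host or subnet
            return True
    return False


def _service_matches(rule: MasqRule, pkt: Packet) -> bool:
    if rule.services is ANY:
        return True
    if pkt.proto == "icmp":
        # an ICMP service masquerades only outgoing Echo Requests (replies follow the session)
        return any(p == "icmp" for p, _ in rule.services) and pkt.icmp_type == ICMP_ECHO_REQUEST
    return (pkt.proto, pkt.dport) in rule.services


class Masquerader:
    """Holds the rule table plus the address and port state of one outbound interface."""

    def __init__(self, primary_ip, secondary_ips=(), port_range=(1024, 65535), seed=0):
        self.primary_ip = primary_ip
        self.secondary_ips = list(secondary_ips)
        self.port_range = port_range
        self.used_ports = set()
        self.rules = []
        self.rng = random.Random(seed)   # seeded so the "random address" choice is reproducible

    def interface_ips(self):
        return [self.primary_ip] + self.secondary_ips

    def add_rule(self, rule: MasqRule):
        # A custom translated source that is not an interface address makes the rule unusable.
        if rule.translated_src is not ANY:
            bad = [a for a in rule.translated_src if a not in self.interface_ips()]
            if bad:
                raise ValueError(f"translated addresses not on an NGFW interface: {bad}")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)   # keep the table in priority order

    def _alloc_port(self) -> Optional[int]:
        lo, hi = self.port_range
        for port in range(lo, hi + 1):
            if port not in self.used_ports:
                self.used_ports.add(port)
                return port
        return None   # every port occupied: the exhaustion the page warns about

    def translate(self, pkt: Packet) -> Optional[dict]:
        for rule in self.rules:                       # first enabled matching rule wins
            if not rule.status:
                continue
            if not _src_matches(rule, pkt):
                continue
            if rule.dst_hosts is not ANY and pkt.dst not in rule.dst_hosts:
                continue
            if not _service_matches(rule, pkt):
                continue
            if rule.translated_src is ANY:
                # "Any": primary address, or a random secondary address when the interface has some
                pool = self.secondary_ips or [self.primary_ip]
            else:
                pool = rule.translated_src
            new_src = self.rng.choice(pool)
            port = self._alloc_port()                 # for ICMP the query identifier plays this role
            if port is None:
                return {"rule": rule.name, "error": "no free port on device"}
            return {"rule": rule.name, "src": new_src, "sport": port}
        return None   # no rule matched: the packet leaves untranslated


if __name__ == "__main__":
    m = Masquerader("203.0.113.10", port_range=(40000, 40001))   # constructed sample values
    m.add_rule(MasqRule("lan-https", 10, True, src_nets=["192.168.1.0/24"], services={("tcp", 443)}))
    for _ in range(3):   # third packet shows what port exhaustion looks like
        print(m.translate(Packet("192.168.1.5", "198.51.100.1", "tcp", 443)))
```

The deliberately tiny port range in the main block is what makes the exhaustion case visible; with the real 1024-65535 pool the same logic simply keeps handing out ports until flows expire.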