WatchGuard Support Center

Knowledge Base - Article

000012467
Inbound NAT policies that include SD-WAN actions or policy-based routing

Information
My Firebox configuration includes a policy with a static NAT (SNAT) action or 1-to-1 NAT to an internal interface. The policy also includes policy-based routing or an SD-WAN action to an external interface. What is the behavior of this policy before and after I upgrade to Fireware v12.4?

Policy-based routing and SD-WAN actions apply to new connections that initiate traffic. Policy-based routing and SD-WAN actions do not apply to reply traffic. You cannot use policy-based routing or SD-WAN actions to force reply traffic out of a specific interface.

Fireware v12.2.1 or Lower

If a policy has a static NAT (SNAT) or 1-to-1 NAT destination and policy-based routing to an external interface, and the NAT destination is an internal interface, the Firebox ignores the unnecessary policy-based routing selection to prevent inbound traffic failure on your network. 

If the NAT destination is an external interface, the Firebox applies the policy-based routing selection.

Fireware v12.3.x

If a policy has a static NAT (SNAT) or 1-to-1 NAT destination and an SD-WAN action that includes an external interface, and the NAT destination is an internal interface, the Firebox ignores the unnecessary SD-WAN action to prevent inbound traffic failure on your network. 

If the NAT destination is an external interface, the Firebox applies the SD-WAN action.

Fireware v12.4 or Higher

SD-WAN enhancements introduced in Fireware v12.4 require the Firebox to no longer ignore policy-based routing or an SD-WAN action in a policy with SNAT or 1-to-1 NAT. Because of this, when you upgrade to Fireware v12.4 or higher:

  • Policies with a SNAT action to an RFC1918 address — The Firebox automatically removes policy-based routing and SD-WAN actions to external interfaces, unless the action specifies only a BOVPN virtual interface. RFC1918 includes the networks 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8.
  • Policies with 1-to-1 NAT to an internal address — The Firebox does not automatically remove policy-based routing and SD-WAN actions to external interfaces. We recommend that you manually remove any policy-based routing or SD-WAN action that is unnecessary.

If the NAT destination is an external interface, the Firebox applies the SD-WAN action.

NOTE: In Fireware v12.3 or higher, SD-WAN replaces policy-based routing. For more information about the conversion from policy-based routing to SD-WAN, see About SD-WAN in Fireware Help.

Before You Upgrade to Fireware v12.4 or Higher

Before you upgrade to Fireware v12.4 or higher, if you have an affected policy, we recommend that you plan to:

These types of policies are affected:
  • A policy that has a SNAT action to an internal network in the To field, and includes policy-based routing or an SD-WAN action to an external interface (unless the action specifies only a BOVPN virtual interface).
  • A policy that has a 1-to-1 NAT address in the To field for an internal destination, and includes policy-based routing or an SD-WAN action to an external interface (unless the action specifies only a BOVPN virtual interface).

If you have a policy with a SNAT action to an RFC1918 address and the Any-External alias in the To field, and the policy includes an SD-WAN action, the Firebox automatically removes the SD-WAN action when you upgrade. Before you upgrade to Fireware v12.4 or higher, we recommend that you replace this policy with two policies:
  • A SNAT policy for inbound traffic
  • An SD-WAN action for outbound traffic

After You Upgrade to Fireware v12.4 or Higher

After you upgrade to Fireware v12.4 or higher, the Firebox automatically removes policy-based routing and SD-WAN actions to external interfaces from policies with SNAT to RFC1918 addresses, unless the policy-based routing or SD-WAN action specifies only a BOVPN virtual interface.

In some cases, the Firebox does not remove policy-based routing and SD-WAN actions from inbound NAT policies after you upgrade. For example, the Firebox does not remove policy-based routing and SD-WAN actions for these policy configurations:

  • Policies with a 1-to-1 NAT destination to an internal address and an SD-WAN action that includes an external interface.  
  • Policies with SNAT to an internal address and an SD-WAN action, if the internal address is not part of the 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8 network.

If you configure a SNAT or 1-to-1 NAT policy that includes an SD-WAN action with an internal interface, the SD-WAN action routes traffic as expected only if the SD-WAN interface is on the same network as the private address specified by SNAT or 1-to-1 NAT. 
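The upgrade rules above (automatic removal for SNAT to RFC1918, manual review for 1-to-1 NAT or non-RFC1918 internal addresses, the BOVPN-virtual-interface exception, and the action still applying when the NAT destination is external) can be turned into a pre-upgrade audit. The following is an added example, not WatchGuard code and not the Firebox configuration format; the interface names, internal networks and sample policies are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample topology (not a real Firebox config): external interface
# names, BOVPN virtual interface names, and the networks behind internal
# interfaces. 203.0.113.0/24 is deliberately internal but not RFC1918.
EXTERNAL_IFACES = {"External-1", "External-2"}
BOVPN_VIF_IFACES = {"BOVPN-Vif1"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.1.0/24", "192.168.50.0/24", "203.0.113.0/24")]
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Policy:
    name: str
    nat_type: str                      # "snat", "1to1" or "none"
    nat_destination: str = ""          # address the NAT forwards to
    routing_ifaces: list = field(default_factory=list)  # SD-WAN / PBR interfaces

def in_any(addr, nets):
    return any(addr in net for net in nets)

def assess(p: Policy) -> str:
    """Predict what the v12.4 upgrade does with the policy's SD-WAN/PBR action."""
    if p.nat_type == "none" or not p.routing_ifaces:
        return "unaffected"        # no inbound NAT, or no routing action at all
    if all(i in BOVPN_VIF_IFACES for i in p.routing_ifaces):
        return "unaffected"        # action names only a BOVPN virtual interface
    if not any(i in EXTERNAL_IFACES for i in p.routing_ifaces):
        return "unaffected"        # action does not point at an external interface
    dest = ipaddress.ip_address(p.nat_destination)
    if not in_any(dest, INTERNAL_NETS):
        return "applied"           # NAT destination is external: action is kept and used
    if p.nat_type == "snat" and in_any(dest, RFC1918_NETS):
        return "auto-removed"      # SNAT to RFC1918: Firebox strips the action on upgrade
    return "manual-review"         # 1-to-1 NAT, or SNAT to a non-RFC1918 internal address

def audit(policies):
    return {p.name: assess(p) for p in policies}

SAMPLE_POLICIES = [  # constructed examples
    Policy("Inbound-HTTPS", "snat", "10.0.1.20", ["External-1", "External-2"]),
    Policy("Inbound-DMZ-Web", "snat", "203.0.113.10", ["External-1"]),
    Policy("Inbound-1to1-Mail", "1to1", "192.168.50.5", ["External-1"]),
    Policy("Inbound-VPN-Only", "snat", "10.0.1.30", ["BOVPN-Vif1"]),
    Policy("Outbound-Web", "none", "", ["External-1", "External-2"]),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_POLICIES).items():
        print(f"{name:20} {verdict}")
```

Policies reported as "manual-review" are the ones the Firebox leaves untouched on upgrade, so they are the ones to inspect and clean up by hand before upgrading.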

See Also

About SD-WAN in Fireware Help
Configure SD-WAN in Fireware Help