I disagree with the explanation given here:
Cisco (probably the largest industry standard) defines the destination network as the Private IP in firewall rules (not the Public interface IP) after DNAT. One would set the NAT (bi-directional) from the Private IP to Public IP for all services and control access to services, logging, app control, etc. by internal zone and private network IP.
With XG every DNAT firewall rule would have the same source and destination entry, but you still need a separate rule for each service to control IPS and QoS, and you have no idea what the private destination is without looking at the NAT table, because they all point to the same Public IP interface.
Please reconsider your implementation and allow the Private IP as the destination in firewall rules for DNAT.
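The ordering the post is arguing about, as an added illustration that is not part of the original post and not code from Sophos XG or Cisco: a small model of the two rule-evaluation orders. In the first, DNAT is applied before the forward filter (the Cisco/Netfilter order the post describes), so the filter rule names the private host. In the second, the filter sees the pre-DNAT header, so every rule for the same public interface carries the same source and destination and differs only by port. All addresses, ports, NAT entries and rule names below are constructed for the example.

```python
"""Where DNAT happens relative to firewall rule matching.

Added illustration, not code from the original post, Sophos XG or Cisco.
It models two orderings: the Cisco/Netfilter-style order the post describes
(DNAT before the forward filter, so rules name the private host) and the
pre-DNAT style it complains about (rules keyed on the public address).
All addresses, ports and rules are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: Optional[str]     # None = any protocol
    dport: Optional[int]     # None = any port
    action: str              # "accept" or "drop"


# Constructed NAT table: (public ip, proto, public port) -> (private ip, private port)
NAT_TABLE = {
    ("203.0.113.10", "tcp", 443): ("10.0.20.5", 443),   # web server
    ("203.0.113.10", "tcp", 25):  ("10.0.20.6", 25),    # mail relay
}

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dnat(pkt: Packet) -> Packet:
    """Rewrite the destination if a NAT entry matches; otherwise pass through."""
    hit = NAT_TABLE.get((pkt.dst, pkt.proto, pkt.dport))
    if hit is None:
        return pkt
    priv_ip, priv_port = hit
    return Packet(pkt.src, priv_ip, pkt.proto, priv_port)


def first_match(rules, pkt: Packet) -> Optional[Rule]:
    """First-match evaluation over an ordered rule list."""
    for r in rules:
        if (ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and r.proto in (None, pkt.proto)
                and r.dport in (None, pkt.dport)):
            return r
    return None


# Model A: rules evaluated after DNAT; the destination is the private host.
POST_DNAT_RULES = [
    Rule("allow-web",    "0.0.0.0/0", "10.0.20.5/32", "tcp", 443, "accept"),
    Rule("allow-smtp",   "0.0.0.0/0", "10.0.20.6/32", "tcp", 25,  "accept"),
    Rule("default-drop", "0.0.0.0/0", "0.0.0.0/0",    None,  None, "drop"),
]

# Model B: rules evaluated on the pre-DNAT header; the destination is the public IP.
PRE_DNAT_RULES = [
    Rule("svc-443",      "0.0.0.0/0", "203.0.113.10/32", "tcp", 443, "accept"),
    Rule("svc-25",       "0.0.0.0/0", "203.0.113.10/32", "tcp", 25,  "accept"),
    Rule("default-drop", "0.0.0.0/0", "0.0.0.0/0",       None,  None, "drop"),
]


def evaluate_post_dnat(pkt: Packet):
    """Model A: translate first, then filter on the translated packet."""
    translated = dnat(pkt)
    return first_match(POST_DNAT_RULES, translated), translated


def evaluate_pre_dnat(pkt: Packet):
    """Model B: filter on the original header, then translate."""
    return first_match(PRE_DNAT_RULES, pkt), dnat(pkt)


def names_private_host(rule: Rule) -> bool:
    """True when the rule itself says which internal host it covers (RFC 1918 dst)."""
    net = ip_network(rule.dst)
    return any(net.subnet_of(p) for p in RFC1918)


def same_address_pairs(rules):
    """Rule pairs with identical source and destination, i.e. distinguishable only by service."""
    return [(a.name, b.name) for a, b in combinations(rules, 2)
            if a.src == b.src and a.dst == b.dst]


if __name__ == "__main__":
    inbound = Packet("198.51.100.7", "203.0.113.10", "tcp", 443)  # constructed client
    for label, evaluate in (("post-DNAT", evaluate_post_dnat), ("pre-DNAT", evaluate_pre_dnat)):
        rule, after = evaluate(inbound)
        print(f"{label}: matched {rule.name}, delivered to {after.dst}:{after.dport}, "
              f"rule names private host: {names_private_host(rule)}")
    print("pre-DNAT rules with identical src/dst:", same_address_pairs(PRE_DNAT_RULES))
    print("post-DNAT rules with identical src/dst:", same_address_pairs(POST_DNAT_RULES))
```

Both models deliver the packet to the same internal host; the difference is what the rule table tells an administrator. In the post-DNAT model the rule's destination is the private address, so the protected host is readable from the rule itself, and `same_address_pairs` finds no two rules with identical addressing. In the pre-DNAT model the two service rules share source and destination and differ only by port, which is exactly the lookup-the-NAT-table problem the post describes.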