XG18 SNAT to WAN Alias

SD-PBR is for the Interface decision. (Which Interface should i use).

(S)NAT is for the IP Level. (Which IP should i use?).

XG Firewall is a stateful firewall. You need to configure it from the perspective of the initial packets. Who is building up the connection? This is the matching criteria for your SD-PBR and NAT Rule. 

Ok so BPR is not the choice to use. All outside connections connect to 192.168.1.5 via X.X.X.195. Where/How do I specify that's the route to return traffic? Right now they see it exiting X.X.X.197

If a Client connects with .195 to 192.168.1.5, you need a DNAT Rule. This will NAT the traffic to the 1.5 and will route the reply traffic back to .195. 

Ok, that makes sense. How about traffic originating from 192.168.1.5 not in response to an external connection. They still want it using X.X.X.195.

I tried creating an SNAT rule in the picture below. Problem is, I dont want to use port 2, I want Port2:0 which is the alias X.X.X.195. Will this work the way it is? 

I tried creating an SNAT rule in the picture below. Problem is, I dont want to use port 2, I want Port2:0 which is the alias X.X.X.195. Will this work the way it is? 

NAT is applied one time to Traffic. 

So if somebody tries to reach your XG, XG will apply NAT to this connection. Its session based = A talks to B. All packets by A and B will use the same NAT / Firewall rule for the entire session.

If A is a Client in the Internet, he will try to reach .195 in the first place. 

XG will have a DNAT, to forward Traffic coming to .195 to your internal Server (B). 

All Packets coming and going by this session will use the same NAT and Firewall rule. So you do not have to apply NAT for this Session.

If the Server (B) will try to reach A, you need a SNAT Rule, to tell XG, use SNAT (.195) for traffic outbound going to A. 

About your NAT in your screenshot: This is correct, this SNAT will be used outbound, if your Server will initial a Session. Interface matching criteria are optional and consider the entire Interface (PortB in your example). 

This is called Stateful. 

https://en.wikipedia.org/wiki/Stateful_firewall

Thank you, I implemented the SNAT rule I created previously in the screen shot and it they are still being seen as X.X.X.197 on the outside when sending mail from 192.168.1.5. 

I moved the rule to the top of the NAT list and they said they now see it as the .195 address. 

Thanks. 

NAT is first match. 

So if you have a NAT Rule on Top of your other rule, it will apply.