Sophos Flow: Firewall and NAT

Question

Hello folks, 
 Every time I need to create a NAT rule I must go back to the Sophos video that explains it. The reason - I can't remember it because it is so counter intuitive. I hope you can help me figuring out a few key moments. 
 The video: 
 1) A long time ago there was a pinned post in the community, that outlined the foundation and main rules to follow when configuring Sophos Firewalls. One of them dictated to never use Interfaces, where the Network definition was expected (IP). Indeed, I've seen a lot of cases where instead of #Port 2 you created/used the IP definition for hte same WAN, and everything worked like a charm. 
 In this video, however (@12:23), the instructor is using the alias for the WAN interface in the firewall rule. She does the same thing when creating the NAT @13:38. 
 Q: So is it OK now to use interfaces under Source and Destination Networks when creating the Firewall and NAT rules? 
 2) Let's rewind back to @12:23 when the instructor creates the firewall rule for DNAT. 
 Destination zone: LAN ( "as that is the location of the actual Webserver" ). OK... 
 Destination Networks: interface Port6:0 ( "because users request traffic will arrive on XG on its WAN interface before it is NATed to Webserver" ). 
 Services: <pre NATed service> 
 So based on the instructor, the firewall rule kicks in before it is NATed to Webserver . I will pretend that I didn't notice the contradiction in the rule that the destination zone = LAN is a post-NAT criteria, but I'll ask the other confusing thing: 
 Q: I am currently troubleshooting a DNAT (it's not working). During the troubleshooting I am noticing that my DNAT rule counter keeps going up, while the associated firewall rule sits at zero in/out. How is this possible if the firewall rule kicks in before NAT, as per official video?

LuCar Toni · Accepted Answer

So let me put some things into context. NAT is not aware of Zones. So you are actually not changing the Zone in any terms with NAT. 
 Firewall will hit multiple times in fact in this terms. So the life of a packet is actually some sort of "wrong" as it has multiple steps within this step "Firewall rule processing". There is a lot going on in this step. It is not wrong in terms of processing, instead it is not completely lay out, what this firewall rule processing is doing. So the "lookup of zones" is actually aware of NAT. So it actually checks for the NAT rule table. But it does not change anything (as NAT is not done here). 
 The DNAT Implementation will actually do something with the traffic. 
 Think about life of a packet as: This is what is the firewall is doing with a packet. So Changing the Zone is nothing, the packet is aware of. The packet does not know, which zone it belongs. It only knows the meta data (destination Ip, source ip, payload etc.). Zone is not something, the header is aware of. So the firewall processing unit is already changing the zone. Because otherwise we cannot do it anymore. DNAT cannot change the Zone, as DNAT implementation is not aware of zones. 
 BTW: Even if firewall is dropping the traffic, the other decisions will still be handled. So to speak, if firewall denies, the firewall still goes trough the other ingress steps. After the Routing decision is met, the firewall will drop the traffic. So the firewall module is not dropping the traffic, it flags the traffic to be dropped.

LuCar Toni · Answer

Essentially you have to understand: There are three different actions of traffic: Routing, Firewalling(Allow/Deny) and NATing (changing the traffic). 
 See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122357/life-of-a-packet-sophos-firewall 
 
 One of the confusions starts, when NAT kicks in, changing the Destination but not the Zone. 
 I have a rule of thumb for this, which worked great for me: Change the Destination Zone, not the Destination IP in the Firewall rule. 
 Means: FW Rule IP #Port1 and Zone LAN. This will work. 
 
 If your firewall is not hitting, it is not matching. Simple as that. So NAT will hit without firewall has to hit. See above. It works independly. So the NAT will do its stuff, and if the firewall denies the traffic (not matching-Default drop) or another rule hits, your rule will not match. 
 Check the packet capture on the Webadmin of your firewall to see NAT and FW rule for the traffic. Use the configure - BPF String to dump specifically for your traffic.

Sophos Flow: Firewall and NAT

Top Replies