All the edges inherit the firewall rules and edge access configurations from the associated Profile. Under the Firewall tab of the Edge Configuration dialog, you can view all the inherited firewall rules in the Rule From Profile area. Optionally, at the edge-level, you can also override the Profile Firewall rules and edge access configuration.
As an Enterprise Administrator, you can configure Port Forwarding and 1:1 NAT firewall rules individually for each edge by following the instructions on this page.
Port Forwarding and 1:1 NAT Firewall Rules
Port Forwarding and 1:1 NAT firewall rules give Internet clients access to servers connected to an Edge LAN interface. Access can be made available through either Port Forwarding rules or 1:1 NAT (Network Address Translation) rules.
Port Forwarding Rules
Port forwarding rules redirect traffic arriving on a specific WAN port to a device (LAN IP/LAN port) within the local subnet. Optionally, you can also restrict the inbound traffic to a source IP address or subnet. Port forwarding rules can be configured with an Outside IP that is on the same subnet as the WAN IP. They can also translate outside IP addresses in subnets different from the WAN interface address, provided the ISP routes traffic for that subnet towards the SD-WAN Edge.
To configure a port forwarding rule, provide the following details.
- In the Name text box, enter a name (optional) for the rule.
- From the Protocol drop-down menu, select either TCP or UDP as the protocol for port forwarding.
- From the Interface drop-down menu, select the interface for the inbound traffic.
- In the Outside IP text box, enter the IP address through which the host (application) can be reached from the outside network.
- In the WAN Ports text box, enter one WAN port or range of ports separated with a dash (-), for example 20-25.
- In the LAN IP and LAN Port text boxes, enter the IP address and port number of the LAN host to which the request is forwarded.
- From the Segment drop-down menu, select a segment the LAN IP will belong to.
- In the Remote IP/subnet text box, specify the source IP address or subnet of the inbound traffic that should be forwarded to the internal server. If you leave this field blank, inbound traffic from any source is allowed.
The following figure illustrates the port forwarding configuration.
1:1 NAT Settings
1:1 NAT settings map an Outside IP address supported by the SD-WAN Edge to a server connected to an Edge LAN interface (for example, a web server or a mail server). They can also translate outside IP addresses in subnets different from the WAN interface address, provided the ISP routes traffic for that subnet towards the SD-WAN Edge. Each mapping is between one IP address outside the firewall, on a specific WAN interface, and one LAN IP address inside the firewall. Within each mapping, you can specify which ports are forwarded to the inside IP address. Use the '+' icon on the right to add additional 1:1 NAT settings.
To configure a 1:1 NAT rule, provide the following details.
- In the Name text box, enter a name for the rule.
- In the Outside IP text box, enter the IP address with which the host can be accessed from an outside network.
- From the Interface drop-down menu, select the WAN interface where the Outside IP address will be bound.
- In the Inside (LAN) IP text box, enter the actual IP (LAN) address of the host.
- From the Segment drop-down menu, select a segment the LAN IP will belong to.
- Select the Outbound Traffic checkbox if you want to allow the outbound traffic that comes to the Edge from the Internet to the LAN client to pass over the firewall connection.
- Enter the Allowed Traffic Source (Protocol, Ports, Remote IP/Subnet) details for the mapping in the respective fields.
The following figure illustrates the 1:1 NAT configuration.
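The two procedures above list the fields of a port forwarding rule and of a 1:1 NAT mapping. The following Python model, added here and not part of this page or of the VMware SD-WAN product, shows how those fields decide where an inbound packet is sent and flags rules whose blank Remote IP/subnet leaves the inside host reachable from every Internet source. The interface name GE2, the addresses and the rule set are constructed, and forwarding a whole WAN port range onto the single LAN Port is an assumption of the model.

```python
import ipaddress
from collections import namedtuple

# Port Forwarding dialog fields: protocol "TCP"/"UDP", WAN interface, Outside IP, WAN port or
# range ("443" or "20-25"), LAN IP/Port, Remote IP/subnet (blank = any source allowed).
PortForwardRule = namedtuple("PortForwardRule",
    "name protocol interface outside_ip wan_ports lan_ip lan_port remote", defaults=("",))
# 1:1 NAT dialog fields; allowed = Allowed Traffic Source entries as (protocol, ports, remote).
OneToOneNat = namedtuple("OneToOneNat", "name outside_ip interface inside_ip allowed", defaults=((),))

def parse_ports(spec):
    """'443' -> (443, 443); '20-25' -> (20, 25); rejects malformed ranges."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi

def source_allowed(remote, src_ip):
    """Blank Remote IP/subnet admits every source; otherwise the source must lie in the subnet."""
    return not remote or ipaddress.ip_address(src_ip) in ipaddress.ip_network(remote, strict=False)

def translate(rules, interface, proto, dst_ip, dst_port, src_ip):
    """First matching rule decides: (inside_ip, inside_port), or None if nothing admits the packet."""
    proto = proto.upper()
    for r in rules:
        if r.interface != interface or r.outside_ip != dst_ip:
            continue
        if isinstance(r, PortForwardRule):   # assumption: the whole WAN range lands on the one LAN Port
            candidates = [(r.protocol, r.wan_ports, r.remote, r.lan_ip, r.lan_port)]
        else:                                # 1:1 NAT keeps the destination port
            candidates = [(p, ports, rem, r.inside_ip, dst_port) for p, ports, rem in r.allowed]
        for p, ports, rem, ip, port in candidates:
            lo, hi = parse_ports(ports)
            if p == proto and lo <= dst_port <= hi and source_allowed(rem, src_ip):
                return ip, port
    return None

def open_to_any_source(rules):
    """Review check: names of rules reachable from any Internet address (blank Remote IP/subnet)."""
    remotes = lambda r: [r.remote] if isinstance(r, PortForwardRule) else [a[2] for a in r.allowed]
    return [r.name for r in rules if any(not rem for rem in remotes(r))]

# Constructed sample rule set (not from the page): a public web server, a source-restricted
# FTP port range, and a 1:1 NAT mail host that only accepts SMTP from one partner subnet.
RULES = [
    PortForwardRule("web", "TCP", "GE2", "203.0.113.10", "443", "10.0.1.20", 8443),
    PortForwardRule("ftp", "TCP", "GE2", "203.0.113.10", "20-25", "10.0.1.30", 21, "198.51.100.0/24"),
    OneToOneNat("mail", "203.0.113.11", "GE2", "10.0.1.40", (("TCP", "25", "198.51.100.0/24"),)),
]
```

Running `open_to_any_source(RULES)` before pushing a configuration is a cheap way to catch mappings that were meant to be partner-only but were saved with an empty Remote IP/subnet.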
Configure Edge Overrides
Optionally, at the edge level, you can override the inherited profile firewall rules. To override firewall rules at the Edge level, click New Rule under Firewall Rules and follow the steps in Configure Firewall Rule. The override rules appear in the Edge Overrides area and take priority over the inherited profile rules for that Edge. An Edge override rule whose match values are the same as those of a Profile firewall rule overrides that Profile rule.
Configure Edge Access Overrides
Optionally, at the edge level, you can also override the edge access configuration. To override edge access, select the Enable Edge Override checkbox in the Edge Access area of the Edge Firewall page. For more information, see Configure Edge Access.