vRealize Network Insight supports Static NAT (SNAT), Dynamic NAT (DNAT), reflexive rules in the flows, and the VM-VM Path for NSX-V, NSX-T Edges, Fortinet, and Check Point.
The NAT flow support in vRealize Network Insight is as follows:
- vRealize Network Insight supports the nested NAT hierarchy for NSX for vSphere and NSX-T. For physical devices, it supports the single hierarchy (DNAT) for Fortinet only.
- vRealize Network Insight supports the edges and the tier routers with NAT-defined uplinks.
Note: NAT rules on NSX Edge version 5.5 or earlier versions are not supported.
- vRealize Network Insight supports SNAT rules with a range. However, DNAT must be a one-to-one mapping between the destination and translated IP addresses (parity with NSX for vSphere).
- For Check Point, both automatically and manually generated NAT rules are supported, with the source and the destination each specified as a network, network-group, or address-range.
Queries
To view NAT rules, use the following queries:
- To view all the NAT rules in NSX-T, use the NSX-T Edge NAT Rule query.
- To view all the NAT rules in NSX-V, use the Edge NAT Rules query.
- To view all the NAT rules in Fortinet, use the Fortinet NAT Rule query.
- To view all the NAT rules in Check Point, use the Check Point NAT Rule query.
- To view all the NAT rules, use the NAT Rule query.
Consideration
- vRealize Network Insight does not support the following use cases:
- In NSX-T, NAT rules can be applied at the service level. For example, in NSX-T, an L4 port set is a type of service, and the associated protocol can be TCP or UDP. These service-level details are not supported in the VM-VM path.
- Any port level translation is not supported.
- The SNAT match destination address and the DNAT match source address are not supported. Use the SNAT match destination address as the destination IP address when you specify the SNAT rule. Use the DNAT match source address as the source IP address when you specify the DNAT rule. For example, if a destination IP address is specified in the SNAT rule, vRealize Network Insight applies the SNAT rule regardless of whether the packet's destination IP address matches that address.
- The NSX-T Edge firewall has implications for the data path when it is enabled together with the NAT service on the same logical router. If a flow matches both a NAT rule and an Edge firewall rule, the NAT lookup result takes precedence over the firewall, so the firewall is not applied to that flow. If the flow matches only a firewall rule, the firewall lookup result is honored for that flow.
- Service translation is not supported.
- vSEC NAT is not supported.
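The NSX-T Edge firewall consideration above means a firewall rule can exist on the router and still never be evaluated for flows that also match a NAT rule. The following audit sketch is an added example, not VMware code: it models that precedence with a simplified matcher (SNAT matches on source, DNAT on destination) and lists firewall rules whose scope overlaps a NAT match. All rule names, addresses, and the `translate` label are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    name: str
    kind: str    # "SNAT" matches on source, "DNAT" on destination (assumed model)
    match: str   # CIDR; a DNAT rule is one-to-one, so a /32

@dataclass(frozen=True)
class FwRule:
    name: str
    src: str
    dst: str
    action: str

def _net(cidr):
    return ipaddress.ip_network(cidr)

def nat_match(rule, src, dst):
    addr = ipaddress.ip_address(src if rule.kind == "SNAT" else dst)
    return addr in _net(rule.match)

def fw_match(rule, src, dst):
    return (ipaddress.ip_address(src) in _net(rule.src)
            and ipaddress.ip_address(dst) in _net(rule.dst))

def edge_lookup(nat_rules, fw_rules, src, dst):
    """Return (decided_by, rule_name, action); a NAT hit skips the firewall."""
    for n in nat_rules:
        if nat_match(n, src, dst):
            return ("nat", n.name, "translate")
    for f in fw_rules:
        if fw_match(f, src, dst):
            return ("firewall", f.name, f.action)
    return ("none", None, None)

def shadowed_firewall_rules(nat_rules, fw_rules):
    """(firewall rule, NAT rule) pairs where some covered flows skip the firewall."""
    pairs = []
    for f in fw_rules:
        for n in nat_rules:
            scope = f.src if n.kind == "SNAT" else f.dst
            if _net(scope).overlaps(_net(n.match)):
                pairs.append((f.name, n.name))
    return pairs

# Constructed sample rules on one logical router
NAT_RULES = [NatRule("snat-out", "SNAT", "10.1.0.0/24"),
             NatRule("dnat-web", "DNAT", "203.0.113.10/32")]
FW_RULES = [FwRule("deny-db", "10.1.0.0/16", "192.0.2.0/24", "DROP"),
            FwRule("allow-mgmt", "172.16.0.0/24", "10.2.0.0/24", "ALLOW")]
```

Any pair reported by `shadowed_firewall_rules` is a place to confirm that the intended filtering is enforced elsewhere in the path.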