Adding or Removing Generic NAT Information

Overview

Tufin Orchestration Suite (TOS) can retrieve network topology and firewall policy information from devices that are monitored by TOS. NAT rules present a special challenge to this process because a firewall policy must be defined to allow or deny access to traffic based on the correct side of the NAT rule. A firewall rule that uses the incorrect address will not impact the traffic flow as intended.

TOS automatically processes NAT rules for many devices, and it uses that information to correctly analyze the impact of the firewall rules on traffic that is changed using NAT. The information is used in policy analysis and path calculations in TOS and SecureChange, and in connection status and connection analysis on SecureApp.

For devices for which native NAT is not supported, you can compile a file containing the device's NAT rules and load it directly into TOS using a simple CLI command. This applies both to devices monitored by TOS and to policies added to TOS as offline devices.

Generic NAT cannot be used for devices, including generic devices, for which native NAT is already supported.

For a list of devices which support the ability to calculate the impact of NAT rules, see SecureTrack Features by Vendor.

After you add the NAT rules from your device to TOS, you see the impact of the NAT rules in these TOS features:

  • TOS - Policy Analysis
  • All Tufin features that use path calculation:
    • Automatic Target Suggestion
    • Designer
    • Verifier
    • Connection Status and Connection Analysis
    • Path Finder in the Map
    • Path calculation using API

Generic NAT information is not shown in other areas of TOS, including policy comparison and Policy Browser.

About the Generic NAT File

The generic NAT file is a CSV file of NAT rules, one rule per line. When you import the CSV file, you specify the device in TOS to which the NAT rules are associated.

This list identifies the fields, in order, in a NAT rule:

  • Interface before NAT

  • Interface after NAT

  • Source before NAT

  • Source after NAT

  • Destination before NAT

  • Destination after NAT

  • Service before NAT

  • Service after NAT

  • Type of NAT (Dynamic or Static)

Examples of NAT Rules

any,any,150.10.80.1,60.60.60.1,any,any,any,http,static

any,any,{150.10.90.0/24;150.10.91.0/24;150.10.92.0/24},60.60.70.1-60.60.70.10,any,any,any,any,dynamic

any,any,150.10.90.0/24,60.60.70.1-60.60.70.10,any,any,80(tcp),8080(tcp),dynamic

Formats for IP Addresses

IP Address Format    Description
x.x.x.x              An IP address, assumed to be a single host
x.x.x.x/y            An IP subnet with a CIDR subnet mask
x.x.x.x-y.y.y.y      A range of IP addresses delimited with a dash (-)
{x.x.x.x;y.y.y.y}    A combination of IP addresses or subnets in curly brackets ({ }) and delimited with a semi-colon (;)

Formats for Services

Service Format                 Description
x(protocol)                    A port
y-z(protocol)                  A range of ports delimited with a dash (-)
{x(protocol);y-z(protocol)}    A combination of ports or port ranges in curly brackets ({ }) and delimited with a semi-colon (;)
Notes:
  • Any line that begins with a double-slash (//) is ignored.
  • You can use "any" (not case-sensitive) as the entry for any field except the type of NAT.
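To show how the field order, the address and service formats, the comment convention and the "any" rule above fit together, here is an added Python example (not Tufin's code and not part of this documentation) that parses and validates a generic NAT file before it is imported, and looks up which rule's before-NAT side a given flow would hit. The field names, the dictionary layout of a parsed rule, find_rule(), and the treatment of a bare service name such as http (used in the page's first example rule but not described by the service-format table) as a named service are all assumptions; the sample file is constructed from the page's three example rules plus one deliberately malformed line.

```python
# Added example, not part of the Tufin documentation or product: a parser and validator for the
# generic NAT CSV format above. Field names, the rule dict layout and find_rule() are assumptions.
import ipaddress
import re
FIELDS = ("if_before", "if_after", "src_before", "src_after",
          "dst_before", "dst_after", "svc_before", "svc_after", "nat_type")
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")  # x.x.x.x-y.y.y.y
SERVICE_RE = re.compile(r"^(\d+)(?:-(\d+))?\((\w+)\)$")  # x(protocol) or y-z(protocol)
NAME_RE = re.compile(r"^[A-Za-z][\w-]*$")  # "http" in the page's first example; assumed to be a named service

def _members(field):
    """'{a;b;c}' -> its members; a bare value -> a one-member list."""
    field = field.strip()
    return [m.strip() for m in field[1:-1].split(";")] if field[:1] == "{" and field[-1:] == "}" else [field]

def parse_address(field):
    """Host, CIDR, dash range or {..;..} set -> "any" or a list of (low, high) address pairs."""
    if field.strip().lower() == "any":
        return "any"
    result = []
    for member in _members(field):
        m = RANGE_RE.match(member)
        if m:
            low, high = map(ipaddress.IPv4Address, m.groups())
        else:  # x.x.x.x (a single host) or x.x.x.x/y
            net = ipaddress.IPv4Network(member, strict=False)
            low, high = net[0], net[-1]
        if low > high:
            raise ValueError(f"range start after end: {member}")
        result.append((low, high))
    return result

def parse_service(field):
    """Port, port range, named service or {..;..} set -> "any" or (low, high, protocol) list; names -> (None, None, name)."""
    if field.strip().lower() == "any":
        return "any"
    result = []
    for member in _members(field):
        m = SERVICE_RE.match(member)
        if m:
            low, high = int(m.group(1)), int(m.group(2) or m.group(1))
            if not 0 <= low <= high <= 65535:
                raise ValueError(f"bad port range: {member}")
            result.append((low, high, m.group(3).lower()))
        elif NAME_RE.match(member):
            result.append((None, None, member.lower()))
        else:
            raise ValueError(f"bad service syntax: {member!r}")
    return result

def parse_rule(line):
    """One CSV line -> dict keyed by FIELDS; "any" is case-insensitive but not allowed as the NAT type."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rule = dict(zip(FIELDS, parts))
    rule.update((k, "any" if rule[k].lower() == "any" else rule[k]) for k in FIELDS[:2])  # interfaces
    rule.update((k, parse_address(rule[k])) for k in FIELDS[2:6])  # source and destination
    rule.update((k, parse_service(rule[k])) for k in FIELDS[6:8])  # services
    rule["nat_type"] = rule["nat_type"].lower()
    if rule["nat_type"] not in ("static", "dynamic"):
        raise ValueError(f"NAT type must be static or dynamic, got {parts[8]!r}")
    return rule

def parse_file(text):
    """Skip blank and // comment lines; report bad lines by number instead of aborting the run."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return rules, errors

def find_rule(rules, src, dst, port, proto):
    """First rule whose before-NAT side matches the flow (interfaces are ignored), or None."""
    src_ip, dst_ip, proto = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto.lower()
    def addr_ok(addrs, ip):
        return addrs == "any" or any(low <= ip <= high for low, high in addrs)
    def svc_ok(svcs):
        return svcs == "any" or any(low is not None and low <= port <= high and p == proto
                                    for low, high, p in svcs)
    for rule in rules:
        if (addr_ok(rule["src_before"], src_ip) and addr_ok(rule["dst_before"], dst_ip)
                and svc_ok(rule["svc_before"])):
            return rule
    return None

SAMPLE_CSV = """\
// constructed sample: the page's three example rules plus one malformed rule (NAT type "any")
any,any,150.10.80.1,60.60.60.1,any,any,any,http,static
any,any,{150.10.90.0/24;150.10.91.0/24;150.10.92.0/24},60.60.70.1-60.60.70.10,any,any,any,any,dynamic
any,any,150.10.90.0/24,60.60.70.1-60.60.70.10,any,any,80(tcp),8080(tcp),dynamic
any,any,10.0.0.1,10.0.0.2,any,any,any,any,any
"""
```

parse_file(SAMPLE_CSV) returns the three valid rules and a single error naming line 5, whose NAT type is "any". Collecting every error with its line number, rather than stopping at the first, lets you correct a whole file before running the CLI import. find_rule() matches only against the before-NAT fields and returns the first match, so the order of rules in the file matters exactly as it would when reasoning about which translation applies to a flow.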

Use APIs to Create, Get, and Delete Generic NAT