Generic NAT Information

Overview

Tufin Orchestration Suite (TOS) can retrieve network topology and firewall policy information from devices that are monitored by TOS. NAT rules present a special challenge to this process because a firewall policy must allow or deny traffic based on the addresses on the correct side of the NAT rule. A firewall rule that uses the address from the wrong side will not affect the traffic flow as intended.

TOS automatically processes NAT rules for many devices and uses that information to correctly analyze the impact of firewall rules on traffic that is translated by NAT. This information is used in policy analysis and path calculations in TOS and SecureChange, and in connection status and connection analysis in SecureApp.

For devices whose native NAT is not supported, you can compile a file containing the device's NAT rules and load that information directly into TOS using a simple CLI command. This applies both to devices monitored by TOS and to policies added to TOS as offline devices.

Generic NAT is supported only for devices that are modeled in TOS as Generic Devices. It is not supported for vendor-specific devices that use native NAT.

Generic NAT supports IPv4 and IPv6 addresses. For a list of devices that support calculating the impact of NAT rules, see SecureTrack Features by Vendor.

After you add the NAT rules from your device to TOS, you see the impact of the NAT rules in these TOS features:

  • TOS - Policy Analysis
  • All Tufin features that use path calculation:
    • Automatic Target Suggestion
    • Designer
    • Verifier
    • Connection Status and Connection Analysis
    • Path Finder in the Map
    • Path calculation using API

Generic NAT information is not shown in other areas of TOS, including policy comparison and Policy Browser.

Generic NAT file

The generic NAT file is a CSV file containing NAT rules. When you import the CSV file, you specify the device in TOS with which the NAT rules are associated.

Each NAT rule contains the following fields, in this order:

  • Interface before NAT
  • Interface after NAT
  • Source before NAT
  • Source after NAT
  • Destination before NAT
  • Destination after NAT
  • Service before NAT
  • Service after NAT
  • Type of NAT (Dynamic or Static)

Examples of NAT rules

IPv4 examples

any,any,150.10.80.1,60.60.60.1,any,any,any,http,static

any,any,{150.10.90.0/24;150.10.91.0/24;150.10.92.0/24},60.60.70.1-60.60.70.10,any,any,any,any,dynamic

any,any,150.10.90.0/24,60.60.70.1-60.60.70.10,any,any,80(tcp),8080(tcp),dynamic

Examples of addresses including IPv4 and IPv6 (NAT46 and NAT64)

any,any,22.10.10.0/29,2001:db8:1::/125,24.10.10.0/29,2001:db8:1::/125,any,any,dynamic

any,any,2001:db8:1::/125,24.10.10.0/29,2005:db8:1::/125,22.10.10.0/29,any,any,dynamic

Examples of addresses including IPv6 to IPv6

any,any,2001:db8:1::/125,3001:db8:1::/125,any,any,any,any,dynamic

any,any,any,any,3001:db8:1::/125,2001:db8:1::/125,any,any,dynamic

Formats for IP addresses

Use the following IP address formats. Generic NAT supports IPv4 and IPv6 addresses (including NAT46 and NAT64 translation).

  • Single IP address: a single host IP address.
    IPv4 example: 192.0.2.10
    IPv6 example: 2001:db8:1::10
  • CIDR subnet: an IP subnet with a CIDR subnet mask.
    IPv4 example: 192.0.2.0/29
    IPv6 example: 2001:db8:1::/125
  • IP address range: a range of IP addresses delimited with a dash (-).
    IPv4 example: 192.0.2.10-192.0.2.20
    IPv6 example: 2001:db8:1::10-2001:db8:1::20
  • Combination: a combination of IP addresses, subnets, or ranges, in curly brackets ({ }) and delimited with a semi-colon (;).
    IPv4 example: {192.0.2.0/29;198.51.100.0/29}
    IPv6 example: {2001:db8:1::/125;2001:db8:2::/125}

Formats for services

Use the following service formats:

  • x(protocol): a single port.
  • y-z(protocol): a range of ports delimited with a dash (-).
  • {x(protocol);y-z(protocol)}: a combination of ports or port ranges in curly brackets ({ }) and delimited with a semi-colon (;).

Any line that begins with a double-slash (//) is ignored. You can use "any" as an entry (not case-sensitive) for any field except for the type of NAT.
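A parser and validator for the file format described above, added here as an example; it is not Tufin code. The field order, the case-insensitive "any" wildcard, the // comment rule and the address and service formats follow this page; accepting a bare service name such as http is taken from the page's first example, while the case-insensitive NAT type and the 0-65535 port bound are assumptions.

```python
import ipaddress
import re
# Field order of a generic NAT rule, exactly as listed on this page
FIELDS = ("if_before", "if_after", "src_before", "src_after", "dst_before",
          "dst_after", "svc_before", "svc_after", "nat_type")

def _field(value, item):
    # 'any' (case-insensitive) is a wildcard; {a;b;c} is a semicolon-delimited combination
    if value.lower() == "any":
        return "any"
    parts = value[1:-1].split(";") if value[:1] == "{" and value[-1:] == "}" else [value]
    return [item(p.strip()) for p in parts]

def _address(part):
    # single IP, CIDR subnet (strict: host bits must be zero) or dash-delimited range
    if "-" in part:
        lo, hi = (ipaddress.ip_address(p) for p in part.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad address range: {part}")
        return (lo, hi)
    return ipaddress.ip_network(part, strict=True) if "/" in part else ipaddress.ip_address(part)

def _service(part):
    # x(protocol), y-z(protocol), or a bare service name such as the page's 'http' example
    m = re.fullmatch(r"(\d+)(?:-(\d+))?\(([A-Za-z0-9]+)\)", part)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 65535:   # assumed bound; the page states none
            raise ValueError(f"bad port range: {part}")
        return (lo, hi, m.group(3).lower())
    if re.fullmatch(r"[A-Za-z][\w-]*", part):
        return part.lower()
    raise ValueError(f"bad service: {part}")

def parse_rule(line):
    # One CSV line -> dict keyed by FIELDS; ';' inside {..} never collides with the ',' separator
    cols = [c.strip() for c in line.split(",")]
    if len(cols) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(cols)}: {line}")
    rule = dict(zip(FIELDS, cols))   # interface names are kept as-is, nothing to validate
    for key in FIELDS[2:8]:          # four address fields, then two service fields
        rule[key] = _field(rule[key], _address if key.startswith(("src", "dst")) else _service)
    rule["nat_type"] = rule["nat_type"].lower()   # the one field that never accepts 'any'
    if rule["nat_type"] not in ("static", "dynamic"):
        raise ValueError(f"NAT type must be static or dynamic: {line}")
    return rule

def parse_nat_file(text):
    # Whole file: blank lines and comment lines beginning with // are ignored
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("//")]
```

Running the file through parse_nat_file before uploading it surfaces malformed lines with a line-specific error instead of a silent mis-translation in path calculations.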

Network topology APIs for generic NAT

The Network Topology API provides methods to programmatically add and manage generic NAT for devices.

  • POST /topology/generic/nat/device/{deviceId}
    Create generic NAT rules, overriding the existing generic NAT rules for the device specified by the device ID.
  • GET /topology/generic/nat/device/{deviceId}
    Export the CSV file with the generic NAT rules for the device specified by the device ID.
  • DELETE /topology/generic/nat/device/{deviceId}
    Delete all generic NAT rules from the device specified by the device ID.