We will add a policy that applies NAT (Network Address Translation) for different services. Consider the following example:

Windows server masking for the WSUS service, in order to allow automatic updates without requiring authentication.


Link to MS documentation - How to set up a network connection for MS WSUS

https://technet.microsoft.com/en-us/library/cc708602(v=ws.10).aspx

Before creating the policy, first define and configure the objects (addresses and services) that will be used in it.


Below is a summary of what will be configured in the rule:


  • [Properties]: NAT: MS-WSUS Servers, Action: Allow; TAG = NAT;
  • [Conditions]: Zone = WAN;
  • [Inspection]: Intrusion Prevention;
  • [Routing]: Enable [Nat]; SD-WAN = Performance BB; Traffic Shaping = Very High.

To add a security policy, open the Actions menu [] and click the “Create Policy” option;


IPv4 - Actions Menu - Create Policy


Configure each tab according to the settings shown below.


Properties


In the [Properties] tab, in Name, enter “NAT: MS-WSUS Servers”;

In Tags include “NAT”;

In Policy Group select “Masking (NAT)”;

The result should match the image below:


Add Policy – Ex. 4 – Properties


Select the next tab, [Conditions].


Conditions


In the [Conditions] tab, in Network Zone select "WAN";

In IP Address select “Server Windows AD / LDAP” (if a new one needs to be added, check this page);

In Service select “Services UPDATE MS WSUS” (if a new one needs to be added, check this page);

The result should match the image below:


Create Policy – Ex. 4 – Conditions


Select the next tab, [Inspection].


Inspection


In the [Inspection] tab, enable the Intrusion Prevention check box [] and select a profile to perform Deep Inspection (for more information, see Services - Intrusion Prevention);

The result should match the image below:


Create Policy – Ex. 4 – Inspection


Select the next tab, [Routing].


Routing


In the [Routing] tab, check the NAT [] checkbox;

Check the SD-WAN [] checkbox and select the “Performance BB” option;

In Traffic Shaping select the option “Very High”;

The result should match the image below:


Create Policy – Ex. 4 – Routing


After configuring each tab as defined for this policy, click [] to save.


Policy Saved Successfully


The screen shown in the following image will be displayed:


Create Policy – Ex. 4 – NAT: MS-WSUS Servers.


After saving, the policy only takes effect once you open the command queue [] and apply the pending changes. For more information on the command queue, see the page UTM - Command queue.


After performing these procedures, the policy will have been successfully configured.


Note the need to order (or reorder) policies.

In this case, no reordering is needed.

The policies are well defined: the NAT rule for the Windows AD / LDAP server is very specific in its origin / destination, including the service ports.

The access policies and web filters with inspection are ordered so that the blocks apply first, then the permissions.

In this way the rule does not conflict with other policies, meeting the specifications of the policy model presented and the considerations and “Important Tips” mentioned in the previous chapter.

Ex.: Address object “Servidores Wsus”: see the list of addresses in the documentation referenced in the note;

Service object “Service UPDATE MS WSUS”: see the list of ports in the documentation referenced in the note.

In example 4 we defined a redirection policy for updates without requiring authentication.
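As an added illustration of the ordering check discussed above (example code written for this page, not part of the original documentation or the UTM product), the following script models a first-match-wins rule list with the fields from the Conditions and Routing tabs and reports rules that are shadowed or allows placed ahead of an overlapping block. The WSUS rule uses the object names from this page; the other rule and object names, and the comparison of objects by name rather than by resolved addresses and ports, are assumptions.

```python
from dataclasses import dataclass
ANY = "any"  # wildcard object: matches every zone, address or service

@dataclass(frozen=True)
class Policy:
    """One firewall policy reduced to the fields that decide ordering (first match wins)."""
    name: str
    action: str           # "allow" or "deny"
    zone: str             # Conditions tab: Network Zone, or ANY
    addresses: frozenset  # Conditions tab: address object names, or {ANY}
    services: frozenset   # Conditions tab: service object names, or {ANY}
    nat: bool = False     # Routing tab: NAT checkbox

def _covers(broad: frozenset, narrow: frozenset) -> bool:
    """Every object in `narrow` is also matched by `broad` (assumption: compared by object name only)."""
    return ANY in broad or narrow <= broad
def _overlaps(a: frozenset, b: frozenset) -> bool:
    return ANY in a or ANY in b or bool(a & b)

def shadows(earlier: Policy, later: Policy) -> bool:
    """`later` can never fire because `earlier` already matches all of its traffic."""
    return (earlier.zone in (ANY, later.zone)
            and _covers(earlier.addresses, later.addresses)
            and _covers(earlier.services, later.services))
def overlaps(a: Policy, b: Policy) -> bool:
    same_zone = ANY in (a.zone, b.zone) or a.zone == b.zone
    return same_zone and _overlaps(a.addresses, b.addresses) and _overlaps(a.services, b.services)

def find_ordering_issues(policies: list) -> list:
    """Report rules that can never match, and allow rules placed ahead of a block they partly pre-empt."""
    issues = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if shadows(earlier, later):
                issues.append(f"'{later.name}' is shadowed by '{earlier.name}'")
            elif (earlier.action == "allow" and later.action == "deny" and overlaps(earlier, later)
                  and not (later.zone == ANY and ANY in later.addresses and ANY in later.services)):
                # a final catch-all deny is the expected default, so it is not reported here
                issues.append(f"allow '{earlier.name}' precedes overlapping deny '{later.name}'")
    return issues

# Constructed sample rule set: the WSUS rule uses this page's object names, the others are hypothetical.
WSUS_NAT = Policy("NAT: MS-WSUS Servers", "allow", "WAN",
                  frozenset({"Server Windows AD / LDAP"}), frozenset({"Services UPDATE MS WSUS"}), nat=True)
BLOCK_GUESTS = Policy("WEB filter: guest block", "deny", "LAN",
                      frozenset({"Guest network", "Wi-Fi"}), frozenset({"HTTP/HTTPS"}))
ALLOW_WEB = Policy("Allow web access", "allow", "LAN",
                   frozenset({"LAN users", "Guest network"}), frozenset({"HTTP/HTTPS"}))
GOOD_ORDER = [BLOCK_GUESTS, WSUS_NAT, ALLOW_WEB]  # blocks first, then permissions: no findings
BAD_ORDER = [ALLOW_WEB, BLOCK_GUESTS, WSUS_NAT]   # the allow pre-empts part of the guest block
```

Running `find_ordering_issues(GOOD_ORDER)` returns an empty list, while the reversed order reports the allow that precedes the overlapping block.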

