Firewall FAQ

1. Should I use pre-NAT or post-NAT addresses/ports in Firewall rules?

Firewall rules always match on the address which has more information. In other words, if the entire internal network is being NAT'd from 192.168.*.* to, Firewall will match on the 192.168.*.* for traffic to and from this network. At the session layer this works out to be pre-NAT on source address, post-NAT on destination address, pre-NAT on source port, and post-NAT on destination port. An easy way to remember this is that it always matches where it gets the most information.


2. How do I lock down my network but for a few exceptions via the Firewall application?

Simply add a rule with no conditions, set it to Block, and put it at the bottom of the list. This will match all traffic, so anything not explicitly passed in a rule above it will be blocked.


3. Why aren't my Firewall rules being triggered?

Firewall rules work from top to bottom; the first rule that the traffic matches will fire. If you have a broad rule near the top of your list that is matching, no other rules will be evaluated.





Was this article helpful?
0 out of 2 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk