2.1.28.9. NAT configuration example for using common functions through Managed FW

2.1.28.9.1. Preconditions

In this configuration example, a server segment behind the firewall connects to a common-function pool through a common-function gateway.
The example assumes access to an NTP server.

2.1.28.9.2. Configuration diagram

The server accesses an NTP server in the common-function pool through Managed FW.
VRRP is set on Managed FW as the server's gateway, which gives a redundant configuration.
Communications from the server to the NTP server are subject to SNAT on Managed FW.
common-functiongw-structure

Note

  • If VRRP is also used on the other device of a Managed Firewall and Managed UTM pair, each device needs its own distinct VRRP ID. If both devices use the same VRRP ID, they cannot communicate normally.

  • The following VRRP IDs cannot be used as the VRRP ID of Managed Firewall/UTM or of the devices connected to Managed Firewall/UTM.
    ID 11 (Virtual MAC address 00:00:5e:00:01:0b)
    ID 51 (Virtual MAC address 00:00:5e:00:01:33)
    ID 52 (Virtual MAC address 00:00:5e:00:01:34)
  • The OS of the server is "CentOS 7.1.1503".

  • The NTP client is chrony-1.29.1.
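The VRRP ID restrictions in the note above can be checked before any gateway is configured. The following is an added example, not part of the original documentation: the function names and the device names in the sample plan are hypothetical, and the virtual MAC is derived with the standard IPv4 VRRP format (00:00:5e:00:01 followed by the ID in hex), which matches the three addresses listed in the note.

```sh
# Reserved VRRP IDs, taken from the note above.
RESERVED_VRIDS="11 51 52"

# Print the IPv4 VRRP virtual MAC address for a VRRP ID.
vrrp_vmac() {
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# check_vrids name=vrid ...
# Prints one line per problem and returns 0 only if the plan is clean.
check_vrids() {
    rc=0
    seen=""
    for entry in "$@"; do
        name=${entry%%=*}
        vrid=${entry##*=}
        case $vrid in
            ''|*[!0-9]*|0*) echo "$name: '$vrid' is not a valid VRRP ID"; rc=1; continue ;;
        esac
        if [ "$vrid" -gt 255 ]; then
            echo "$name: VRRP ID $vrid is outside 1-255"; rc=1; continue
        fi
        for r in $RESERVED_VRIDS; do
            if [ "$vrid" -eq "$r" ]; then
                echo "$name: VRRP ID $vrid is reserved ($(vrrp_vmac "$vrid"))"; rc=1
            fi
        done
        # Each device must use its own VRRP ID.
        case " $seen " in
            *" $vrid "*) echo "$name: VRRP ID $vrid is already used by another device"; rc=1 ;;
        esac
        seen="$seen $vrid"
    done
    return $rc
}

# Constructed sample plan (device names are hypothetical).
check_vrids "mfw-pair=20" "mutm-pair=20" "server-gw=51" || echo "plan rejected"
```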

In this configuration, the settings are made in the following order.
Step (1) Setting SNAT
Step (2) Setting Firewall Policy
Step (3) Setting interface

2.1.28.9.3. Step (1) Setting Source NAT

For Source NAT settings, access the following.
After logging in to the control panel screen, click Security, and then click Operation under Managed Firewall.
common-functiongw-securitymenu

In the device management list, right-click any device, and then click [ Device Management ].
common-functiongw-device-management

Click Source NAT on the object screen at the left of the display.
Object -> NAT Object -> Source NAT
Click [ Add ] on the Source NAT screen at the right of the display.
common-functiongw-device-management-snat

Input the setting values, and then click [ Save ].
common-functiongw-device-management-snat-save

2.1.28.9.4. Step (2) Setting a firewall policy

For firewall policy settings, access the following.
After logging in to the control panel screen, click Security, and then click Operation under Managed Firewall.
common-functiongw-securitymenu

In the device management list, right-click any device, and then click [ Device Management ].
common-functiongw-device-management

Click Firewall Policy on the object screen at the left of the display.
Object -> Firewall Policy -> Firewall Policy
Click [ Add ] on the Firewall Policy screen at the right of the display.
common-functiongw-device-management-policy

Input a firewall policy for traffic from the server segment (Port9) to the CFG segment (Port10).
Input the setting values, and then click [ Save ].
common-functiongw-device-management-policy-save

2.1.28.9.5. Step (3) Setting interface

Set the interfaces of M-FW as follows.
After logging in to the control panel screen, click Security, and then click Operation under Managed Firewall.
common-functiongw-securitymenu

Click [ Cluster Port Management ].
common-functiongw-cluster-port-management

To make the user network information available for reference, click the device to be configured to select it, and then click [ Get Network Info ].
Port Management

[ Task Status ] is displayed. When completed normally, the task status of "Get Network Info" turns green. Click [x] to close the window.
Task Status

Click the HA pair to be configured to select it, and then click [ Manage Interfaces ].
Clicking any port number opens the same screen.
Device selection

The [ Manage Interface ] screen opens. Ports 2 and 3 are not shown on this screen.
Select the port to be configured, and then click "Edit".
Clicking any port number opens the same screen.
common-functiongw-manage-interfaces-edit

Select the [ Enable Port ] check box to enable input of the setting values.
The values to input for the external segment (Port9) are as follows.
Click [ Save ]. Saving alone does not apply the settings to the device.
common-functiongw-manage-interfaces-port9

The values to input for the FW segment (Port10) are as follows.
Click [ Save ]. Saving alone does not apply the settings to the device.
common-functiongw-manage-interfaces-port10

Once the ports to be used have been set, click [ NOW RUN ] on the Manage Interface screen.
Applying port settings

[ Task Status ] is displayed.
Applying port settings 3

The task colors and the task statuses they indicate are as follows.

  • Gray: Unexecuted task

  • Blue: Processing task

  • Green: Task normally completed

  • Red: Task with unknown issue

When completed normally, all statuses turn green. Click [x] to close the window.
Applying port settings 4

2.1.28.9.6. Checking normality

Check that the server synchronizes with the NTP server.
common-functiongw-confirm
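One way to run this check from the server with the chrony client is to classify the output of `chronyc sources`. This is an added example, not part of the original documentation: the function names are hypothetical, the sample output is constructed, and 192.0.2.10 is a placeholder address rather than the real NTP server of the common-function pool.

```sh
# Constructed sample of `chronyc sources` output for a synchronized server.
sample_sources() {
cat <<'EOF'
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.0.2.10                    2   6   377    23    -12us[  -15us] +/-   20ms
EOF
}

# ntp_state: reads `chronyc sources` output on stdin and prints one of
#   synced <source> | unsynced | unreachable | no-sources
ntp_state() {
    awk '
        # Source lines start with a mode (^, = or #) and a state character.
        /^[#=^][*+?x~-] / {
            n++
            if ($5 != "0") reach++               # Reach 0: no reply ever received
            if (substr($1, 2, 1) == "*") sel = $2  # "*" marks the selected source
        }
        END {
            if (sel != "")       print "synced " sel
            else if (n == 0)     print "no-sources"
            else if (reach == 0) print "unreachable"
            else                 print "unsynced"
        }'
}

# On the server: chronyc sources | ntp_state
sample_sources | ntp_state
```

A result of `unreachable` means no NTP reply has come back through Managed FW, so the Source NAT object, the firewall policy from Port9 to Port10, and the interface settings are the first things to recheck; `unsynced` means replies are arriving but chrony has not selected the source yet.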

This concludes the description of this use case.