2.2.30.9. NAT configuration example for using common functions through Managed FW
2.2.30.9.1. Preconditions
In the configuration example shown, connections are made from a server segment under the firewall to a common-function pool through a common-function gateway.
The case here assumes access to an NTP server.
2.2.30.9.2. Configuration diagram
The configuration was made so that a server can access an NTP server of the common-function pool through Managed FW.
As the gateway of the server, VRRP was set with Managed FW, resulting in a redundant configuration.
The configuration was made so that communications from a server to an NTP server are subject to SNAT by means of Managed FW.
Note
If VRRP is also used on the other device paired with Managed Firewall and Managed UTM, each device needs a different VRRP ID. When both devices use the same VRRP ID, they cannot communicate normally.
- The following VRRP IDs cannot be used as the VRRP ID of Managed Firewall/UTM or of the devices connected to Managed Firewall/UTM:
  - ID 11 (Virtual MAC address 00:00:5e:00:01:0b)
  - ID 51 (Virtual MAC address 00:00:5e:00:01:33)
  - ID 52 (Virtual MAC address 00:00:5e:00:01:34)
As the OS of the server, "CentOS 7.1.1503" is in use.
As an NTP client, chrony-1.29.1 is in use.
In this configuration, settings are made in the procedure below.
Step (1) Setting SNAT
Step (2) Setting Firewall Policy
Step (3) Setting interface
2.2.30.9.3. Step (1) Setting Source NAT
For Destination NAT settings, see Destination NAT Settings (../../operation/managed_firewall_utm_v2/4330_destination_nat).
After logging in to the control panel screen, click [Security] and then click Operation of Managed Firewall (Version 2).
Right-click on any device from Device Management and click [Config].
Click Source NAT on the object screen at the left of the display.
Object -> NAT Object -> Source NAT
Click [ Add ] on the Source NAT screen at the right of the display.
Click [ Save ] after you input the setting value.
2.2.30.9.4. Step (2) Setting a firewall policy
For firewall policy settings, see Firewall policy settings.
After logging in to the control panel screen, click [Security] and then click Operation of Managed Firewall (Version 2).
Right-click on any device from Device Management and click [Config].
Click Firewall Policy on the object screen at the left of the display.
Object -> Firewall Policy -> Firewall Policy
Click [ Add ] on the Firewall Policy screen at the right of the display.
Input a firewall policy for the section from the server segment (Port9) to the CFG segment (Port10).
Click [ Save ] after you input the setting value.
2.2.30.9.5. Step (3) Setting interface
For M-FW interface settings, see HA configuration interface settings.
After logging in to the control panel screen, click [Security] and then click Operation of Managed Firewall (Version 2).
Click [Cluster Port Management] from [Workflow] shown in [Services].
To enable the user network information to be referred to, click and select the device to be set, and then click [ Get Network Info ].
The Task Status is displayed. When the Get Network Info task turns green, it is successful. Click [Close] to close it.

Select the target HA pair for setting by clicking, and click [ Manage Interfaces ].
The [ Manage Interface ] screen will be opened. In the screen, Port 2 and 3 are not shown.
Select the target port for setting, then click "Edit".
The user can click any port number, as they all open the same screen.
By marking the check box for the [ Enable Port ], the user can input the setting value.
A value to be input for the external segment (Port9) is as follows.
Click [ Save ]. The saved data is not applied to the device with only this action.
A value to be input for the FW segment (Port10) is as follows.
Click [ Save ]. The saved data is not applied to the device with only this action.
Once the ports to be used are prepared, click [ NOW RUN ] on the Manage Interface screen.
[ Task Status ] is displayed.
The task statuses are described below.

| Task Colors | Task Statuses |
|---|---|
| "Blue" | Processing Task |
| "Green" | Task normally completed |
| "Red" | Task with Unknown-Issue. |

When completed normally, all statuses turn green. Click [x] to close the window.
2.2.30.9.6. Checking normality
Synchronization from the server to the NTP server is checked.
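As an added example (not part of the original document), this check can be scripted on the server by classifying `chronyc sources` output: a source marked `^*` with a non-zero Reach means replies are returning through the SNAT and firewall policy, while Reach 0 means no replies have been received. The function names, the sample outputs and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `chronyc sources` output read from stdin.
# Prints one of: synced | reachable-unselected | unreachable | no-source
# Live use on the server:  chronyc sources | ntp_sync_state

ntp_sync_state() {
    awk '
        # Source lines start with a mode character (^ server, = peer,
        # # reference clock) followed by a state character
        # (* selected, + combined, ? unreachable, x, ~, -).
        /^[=#^][*+?x~-]/ {
            seen = 1
            state = substr($1, 2, 1)
            reach = $5 + 0      # Reach: octal register of the last 8 polls
            if (state == "*" && reach > 0) synced = 1
            else if (reach > 0)            reachable = 1
        }
        END {
            if (synced)         print "synced"
            else if (reachable) print "reachable-unselected"
            else if (seen)      print "unreachable"
            else                print "no-source"
        }
    '
}

# Constructed sample: replies arrive and the source is selected.
sample_ok() {
cat <<'EOF'
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.0.2.10                    2   6   377    35    +12us[  +20us] +/-   15ms
EOF
}

# Constructed sample: no replies received (for example, the SNAT rule or
# the Port9 -> Port10 firewall policy is missing), so Reach stays 0.
sample_blocked() {
cat <<'EOF'
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 192.0.2.10                    0   6     0     -     +0ns[   +0ns] +/-    0ns
EOF
}
```

A result of `unreachable` shortly after starting chronyd can simply mean that no poll has completed yet, so repeat the check after a few poll intervals before revisiting the SNAT and policy settings.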
This concludes the description of this use case.