Network Address Translation (NAT) parameters

Adding/Removing Standard NAT Fields in Change Requests

You can remove all standard NAT fields from change requests. The standard NAT fields include:

  • Source NAT
  • Destination NAT
  • NAT Type
  • Port Translation

Note: The following procedure will remove the standard NAT fields for all users except FireFlow configuration administrators. If it is necessary to remove these fields for FireFlow configuration administrators as well, contact AlgoSec Professional Services.

To add/remove standard NAT fields in change requests

  1. In the main menu, click Configuration.

    The FireFlow Configuration page is displayed.

  2. Click Roles.

    The Select a role page is displayed.

  3. For each role, do the following:

    1. In the row of the role, click .

      The Manage Permissions window for the role appears.

    2. Click next to FireFlow internal fields.

      The FireFlow internal fields are displayed.

    3. Do one of the following:

      Note: These check boxes might not appear for all user roles.

      • To add the standard NAT fields, check the See and Modify check boxes for all FireFlow fields listed in the table below.
      • To remove the standard NAT fields, clear the See and Modify check boxes for all FireFlow fields listed in the table below.
    4. Click Save.

NAT-related FireFlow Fields

FireFlow Field

Description

Change Destination NAT

Displays the destination NAT value to which the connection's destination should be translated, as planned during the Plan stage.

Change NAT Type

Displays the type of NAT (Static or Dynamic), as planned during the Plan stage.

Change Port Translation

Displays the port value to which the connection's port should be translated, as planned during the Plan stage.

Change Source NAT

Displays the source NAT value to which the connection's source should be translated, as planned during the Plan stage.

Requested Destination NAT

Displays the destination NAT value to which the connection's destination should be translated, as specified in the original request.

Requested NAT Type

Displays the type of NAT (Static or Dynamic), as specified in the original request.

Requested Port Translation

Displays the port value to which the connection's port should be translated, as specified in the original request.

Requested Source NAT

Displays the source NAT value to which the connection's source should be translated, as specified in the original request.

Back to top

Adding/Removing Optional NAT Fields in Change Requests

You can configure FireFlow to display separate fields for source NAT, destination NAT, and port translation before and after translation. In this case, the existing Source NAT, Destination NAT, and Port Translation fields will display the values before translation, and the following new fields will display the values after translation:

  • Source after NAT
  • Destination after NAT
  • Port after Translation

The new NAT fields will appear below the standard NAT fields throughout the FireFlow Web interface, for example in work orders or when editing a change request.

  1. On the original site, open a terminal and log in using the username "root" and the related password.

  2. Enter the following command:

    /usr/share/fireflow/local/sbin/additional_NAT_fields.pl -e

    The optional NAT fields are added to the FireFlow Web interface.

  1. On the original site, open a terminal and log in using the username "root" and the related password.

  2. Enter the following command:

    /usr/share/fireflow/local/sbin/additional_NAT_fields.pl -d

    The optional NAT fields are removed from the FireFlow Web interface.

Back to top

Configuring NAT Enhancements in Traffic Change Requests

By default, FireFlow provides the following NAT features:

  • A traffic change request which includes NAT fields will stay open, even if the requested traffic is already allowed.
  • The initial planning analysis uses NAT addresses.
  • During initial planning, you can specify a NAT location in the NAT settings window.
  • Risk checks use NAT information.
  • Only relevant addresses appear on sub-requests.

If desired, you can disable the above features. You can disable all of the features, or only disable using NAT information in risk checks.

Configuration Parameter Name Value
handleNATChanges

0. To disable NAT enhancements in traffic change requests.

1. To enable NAT enhancements in traffic change requests. (Default)

If you enabled NAT enhancements in traffic change requests, configure whether FireFlow should use NAT information in risk checks.

Note: When this feature is enabled, the Source NAT and Destination NAT fields will be used in risk checks. However, if the optional Source after NAT field is enabled, it will be used instead of the Source NAT field. Likewise, if the optional Destination after NAT field is enabled, it will be used instead of the Destination NAT field. For information on these optional fields, see Adding/Removing Optional NAT Fields in Change Requests (see Adding/Removing Optional NAT Fields in Change Requests).

Configuration Parameter Name Value
sendNATinformationInRiskCheck

0. To disable using NAT information in risk checks.

1. To enable using NAT information in risk checks. (Default)

Back to top