Creating NAT Policy Rules
NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines the overall direction of the traffic to be processed. After a rule set that matches the traffic is found, each rule in the rule set is evaluated for a match. NAT rules can match on the following packet information:
- Source and destination address
- Source port (for source and static NAT only)
- Destination port
The first rule in the rule set that matches the traffic is used. If a packet matches a rule in a rule set during session establishment, traffic is processed according to the action specified by that rule.
To create a new NAT rule, click the NAT policy name. The Single NAT Policy page appears, providing you with options to configure NAT rules. Alternatively, you can click the rule number listed under Rules for the policy to create a new rule. You can configure the following types of NAT rules:
- Static—To add a static NAT rule, click Add Static NAT Rule or click Create on the top right corner and select Static.
- Source—To add a source NAT rule, click Add Source NAT Rule or click Create on the top right corner and select Source.
- Destination—To add a destination NAT rule, click Add Destination NAT Rule or click Create on the top right corner and select Destination.
Depending on the type of rule you have chosen, some fields in the rule will not be applicable. In addition to defining rules between zones and interfaces, you can define NAT rules with virtual routers defined on the device. These rules can be successfully published and updated on the device.
To create a NAT policy rule:
A NAT rule with the configuration you provided is created.
Table 1 provides guidelines on using the fields on the Single NAT Policy page.
Field | Description |
---|---|
Source | Click the add icon (+) to select the source endpoints on which the NAT policy rule applies, from the displayed list of addresses, protocols, interfaces, routing instances, zones, or ports. The possible endpoints for source differ based on whether the NAT rule is a source, destination, or static NAT rule.
You can also select a source endpoint by using the methods described in Selecting NAT Source. |
Destination | Click the add icon (+) to select the destination endpoints on which the NAT policy rule applies, from the displayed list of addresses, interfaces, services, routing instances, zones, or ports. The possible endpoints for destination differ based on whether the NAT rule is a source, destination, or static NAT rule.
You can select a destination endpoint by using the methods described in Selecting NAT Destination. Note: When you create a destination NAT rule for traffic arriving on an interface that terminates a VPN link, the translation process may break the VPN link. This will happen if the destination address in a destination NAT rule is specified only as the WAN-facing IP address of that interface. For example, in the following NAT rule, any traffic destined to Wan.IP will get translated to the destination pool and will break functionality of the VPN link packets terminating on this interface.
Therefore, the recommendation in such cases is to use a destination
NAT rule with destination field as
|
Translation | |
Translation Type | Specify the translation type for the incoming traffic. The translation options vary based on whether you are creating a source, static, or destination NAT rule. Choose one of the following translation types for a source NAT rule:
Choose one of the following translation types for a static NAT rule:
Choose one of the following translation types for a destination NAT rule:
|
Advanced Settings (Optional) | Click Configure to configure advanced settings for a source or static NAT rule. For more information about advanced settings for the translation types Interface and Pool for a source NAT rule, see Table 2. For more information about advanced settings for the translation types Interface and Pool for a static NAT rule, see Table 3. |
Details | |
Name | Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 255 characters. |
Description | Enter a description for the policy intent; maximum length is 1024 characters. |
End Points | Create source and destination endpoints such as addresses and services.
To edit the configured parameters of an address or service, hover over it and click on the edit icon (pencil symbol). |
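The first-match evaluation described at the top of this page and the VPN caveat in the Destination row of Table 1, modelled as an added example (not Juniper code or CSO output). The rule names, addresses and the port-restricted variant are constructed assumptions, and the model covers only destination address and destination port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample values (documentation address range), not from the page.
WAN_IP = "203.0.113.10"
IKE_PORTS = (500, 4500)  # UDP ports used by IKE and IPsec NAT-T


@dataclass
class DestNatRule:
    name: str
    dst: str                  # destination address or prefix to match
    dst_port: Optional[int]   # None means any destination port
    pool: str                 # translated (destination pool) address


def first_match(rules, dst_ip, dst_port):
    """Return the first rule in the rule set that matches, else None."""
    for rule in rules:
        if ip_address(dst_ip) not in ip_network(rule.dst, strict=False):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule
    return None


def rules_capturing_vpn(rules, wan_ip):
    """Names of rules that would translate IKE/NAT-T packets sent to wan_ip."""
    hits = []
    for port in IKE_PORTS:
        rule = first_match(rules, wan_ip, port)
        if rule is not None and rule.name not in hits:
            hits.append(rule.name)
    return hits


# Rule shaped like the one in the note: destination is only the WAN-facing IP.
broad = [DestNatRule("web-dnat", WAN_IP, None, "10.0.0.20")]
# Assumed narrower variant: same address, restricted to one service port.
narrow = [DestNatRule("web-dnat", WAN_IP, 443, "10.0.0.20")]

if __name__ == "__main__":
    print(rules_capturing_vpn(broad, WAN_IP))
    print(rules_capturing_vpn(narrow, WAN_IP))
```

Running `rules_capturing_vpn` over an exported rule list before publishing a policy flags any destination NAT rule that would also translate tunnel-establishment traffic addressed to the WAN interface.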
Table 2 provides guidelines on using the fields on the Advanced Settings page for a source NAT rule.
Field | Description |
---|---|
Persistent | Enable the check box to ensure that all requests from the same internal transport address are mapped to the same reflexive transport address. Note: For persistence to be applicable for the NAT policy, ensure that port overloading is turned off for the device to which the NAT policy is applicable. Use the following command to turn off port overloading for a device: [Edit mode] set security nat source interface port-overloading off |
Persistent NAT Type | Configure persistent NAT mappings.
|
Inactivity Timeout | The amount of time, in seconds, that the persistent NAT binding remains in the site’s memory when all the sessions of the binding entry have ended. When the configured timeout is reached, the binding is removed from memory. The value of the inactivity timeout can range from 60 through 7200 seconds. The default value of the inactivity timeout is 60 seconds. |
Maximum Session Number | The maximum number of sessions with which a persistent NAT binding can be associated. For example, if the maximum session number of the persistent NAT rule is 65,536, then a 65,537th session cannot be established if that session uses the persistent NAT binding created from the persistent NAT rule. The range is 8 through 65,536. The default is 30 sessions. |
Address Mapping | Select an address from the available list. |
Pool Address | Displays the NAT pool address. |
Host Address Base | Displays the base address of the original source IP address range. The host address base is used for IP address shifting. |
Port Translation | Displays whether port translation is enabled or disabled for this NAT rule. |
Overflow Pool Type | Displays the source pool to be used when the current address pool is exhausted. |
Overflow Pool Name | Displays the name of the overflow pool. |
Mapped Port Type | Specify the type of port mapping:
|
Table 3 provides guidelines on using the fields on the Advanced Settings page for a static NAT rule.
Field | Description |
---|---|
Mapped Port Type | Specify the type of port mapping:
|
Routing Instance | Select the routing instance for the static NAT rule. |