I have been working with a customer configuring an HA pair of S3008 appliances running v8.3.0P01 in order to replace a pair of old 510 appliances running 7.0.1.02.
Some of the underlying configuration (interface settings & network objects in particular) was exported and imported without too many problems. The time-consuming aspect was always going to be the custom-defined services/applications and the rules, because there were lots of each - approximately 250 rules. Quite a few of their custom services on v7 had modified timeout values, so I knew that I was going to have to replace that aspect with a range of generic application defenses.
Between us, the customer and I have been translating the v7 rule configuration into v8 rules. Two and a half days into this process we reached rule #166 and all of a sudden things seemed to go very wrong. This rule was their generic Internet Services rule and was essentially the first rule with a source of internal/any and a destination of external/any.
As soon as we tried to save this rule the following error appeared (with some details substituted for anonymity):
NAT settings on rule 'test-rule-1' conflicts with NAT settings on rule 'Outbound-Services': nat_addr=ipaddr:FW-EXT-220.127.116.11 and nat_addr=ipaddr:Localhost.
What we first noticed was that the FW-EXT network object was actually the same physical IP address as Localhost (the primary external IP address), and so we went about changing the rule so that the NAT values matched up. When we tried to apply the changes, the error returned but with a different conflicting rule. So we embarked on an exercise of addressing each conflicting rule until we reached a rule which, upon closer inspection, made me wonder why this problem was happening at all.
If the source and destination criteria of a rule were the same, and the application was also the same, I could easily see how differing NAT values could cause the Firewall some confusion. But, in the end, the only conclusion I could reach regarding the similarities of these rules was that they all used either HTTP or SSL. However, in every case I could see there was some kind of explicit reference in either the source endpoint or destination endpoint component. So why should this result in this NAT error? Surely the Firewall can see that rule #1, with its specific source and/or destination components, is sufficiently different to a rule further down the list which shares the same application definitions but with source & destinations set to <Any>, and on that basis I would expect it to have no issue with the fact that rule #1 is NATing to a specific external IP address while the more generic outbound rule is using Localhost?
It's likely that the customer will have to raise this as a ticket, as he sees it as a genuine problem (considering the same rules on his v7 installation have no such issues). But I am trying to understand why this happens in v8 and what can be done to combat it?
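To make the "sufficiently different" question concrete, here is an added example (my own toy checker, not the appliance's code and not something from the post above). It assumes the firewall's NAT-conflict check is pairwise and order-independent, and that it fires whenever two rules can match the same traffic (overlapping source, overlapping destination, at least one shared application) while naming different NAT addresses. Under that assumption a rule with a specific source and a later rule with source/destination set to Any do overlap, because the specific subnet is a subset of Any. The rule names, subnets and the OBJECTS map are constructed for the example; whether the real appliance compares NAT objects by name or by resolved address is not known from the post, so both modes are shown.

```python
"""Toy NAT-conflict checker (added illustration, not the firewall's own logic).

Assumption: a conflict is raised when two rules can match the same traffic
but carry different NAT addresses. Whether the appliance compares NAT
objects by name or by the address they resolve to is not known; the
`resolve` flag shows the difference.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"

# Constructed network objects: two names that resolve to the same address,
# mirroring the FW-EXT / Localhost situation described in the post.
OBJECTS = {
    "Localhost": "192.0.2.1",
    "FW-EXT": "192.0.2.1",
    "FW-EXT-2": "192.0.2.2",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    apps: frozenset   # application names, e.g. {"HTTP", "SSL"}
    nat_addr: str     # NAT object name


def endpoints_overlap(a: str, b: str) -> bool:
    """True if the two endpoint specs can both match some common address."""
    if ANY in (a, b):
        return True
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def rules_overlap(r1: Rule, r2: Rule) -> bool:
    """Overlap check: some packet could match both rules."""
    return (endpoints_overlap(r1.src, r2.src)
            and endpoints_overlap(r1.dst, r2.dst)
            and bool(r1.apps & r2.apps))


def rules_identical_match(r1: Rule, r2: Rule) -> bool:
    """Stricter check the post expects: only exactly equal match criteria collide."""
    return r1.src == r2.src and r1.dst == r2.dst and r1.apps == r2.apps


def nat_conflicts(rules, same_match=rules_overlap, resolve=False):
    """Return (rule_a, rule_b, nat_a, nat_b) for every conflicting pair.

    The scan is pairwise over the whole rule list, so position in the
    list does not matter (an assumption about the appliance, see lead-in).
    """
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            na, nb = a.nat_addr, b.nat_addr
            if resolve:                      # compare resolved addresses instead of names
                na, nb = OBJECTS[na], OBJECTS[nb]
            if same_match(a, b) and na != nb:
                found.append((a.name, b.name, a.nat_addr, b.nat_addr))
    return found


# Constructed rule set: specific rules near the top, a generic any/any rule last.
RULES = [
    Rule("Web-Proxy-Out", "10.1.1.0/24", ANY, frozenset({"HTTP", "SSL"}), "FW-EXT"),
    Rule("Partner-Link", "10.1.2.0/24", "198.51.100.0/24", frozenset({"SSL"}), "FW-EXT-2"),
    Rule("DNS-Out", ANY, ANY, frozenset({"DNS"}), "FW-EXT-2"),
    Rule("Outbound-Services", ANY, ANY, frozenset({"HTTP", "SSL"}), "Localhost"),
]

if __name__ == "__main__":
    for pair in nat_conflicts(RULES):
        print("NAT settings on rule %r conflict with rule %r: %s vs %s" % pair)
```

Running it with the default overlap check reports both HTTP/SSL rules with specific endpoints against the generic Outbound-Services rule, even though neither pair has equal match criteria; switching to `rules_identical_match` reports nothing, which is the behaviour the post expects. With `resolve=True` the FW-EXT/Localhost pair drops out because both names resolve to one address, which is one way to tell whether an appliance compares by object name or by value.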