Stormshield SN series Configuration Manual page 144


Outgoing interface: This option allows selecting the outgoing interface for the translated traffic. By default, the firewall selects it automatically according to the operation and source and destination IP addresses. It can be modified to restrict the rule to a particular interface.

ARP publication: This option makes the IP address to be published available via the firewall's MAC address.

NOTE
The ARP publication option is now assigned to the original destination (traffic before translation), whose IP address is indeed published, and not to the translated destination.

Traffic after translation

Source of the traffic after translation

"General" tab

Translated source host: The rule will apply to the object that you select in this field. The translated source host refers to the new IP address of the source host, after its translation by NAT.

Translated source port: This field allows specifying the source port used by the source host after translation. By default, the "Stateful" module memorizes the source port used and only this port will then be allowed for return packets. The creation of a source address sharing rule (masquerading) assigns the value ephemeral_fw to this field.

Select a random translated source port: By selecting this option, the firewall will randomly select the translated source port from the list (e.g.: ephemeral_fw). This prevents the source ports of subsequent connections from being anticipated, as would be possible when source ports are assigned consecutively, thereby strengthening security.

Click on Ok to confirm your configuration.

"Advanced properties" tab

Load balancing

Load balancing type: This option allows distributing IP addresses of sources that sent the packet after translation. The load balancing method depends on the algorithm used.
Several load balancing algorithms are available:
None: No load balancing will be carried out.
Round-robin: This algorithm allows fairly distributing the load among the various IPs of the selected address range. Each of these source IP addresses will be rotated.
Source IP hash: The source address will be hashed in order to choose the address to use from the range. This method allows guaranteeing that a given source address will always be mapped to the same address range.
Connection hash: Users can now choose the hash by connection (source IP address + source port + destination IP address + destination) as a load balancing method in their NAT rules. This allows connections from one source to the same server to be distributed according to the source port and source IP address.
Random: The firewall randomly selects an address from the selected address range.
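
The following Python model is an added illustration of how the four active load balancing methods choose a translated source address; it is not Stormshield code and does not reflect the firewall's internal implementation. The SHA-256 hash, the method names used as strings, the sample addresses and the use of the destination port as the fourth element of the connection hash are assumptions.

```python
import hashlib
import ipaddress
import itertools
import secrets

def pool(first, last):
    """Expand an inclusive IPv4 range into a list of address strings."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]

def bucket(key, size):
    """Map a string key to an index in [0, size). SHA-256 is an assumed hash."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % size

class NatBalancer:
    """Model of choosing a translated source address from a range."""
    def __init__(self, addresses, method):
        self.addresses, self.method = addresses, method
        self._rr = itertools.cycle(addresses)

    def pick(self, src_ip, src_port, dst_ip, dst_port):
        n = len(self.addresses)
        if self.method == "round-robin":
            return next(self._rr)  # rotate through the range in order
        if self.method == "source-ip-hash":
            return self.addresses[bucket(src_ip, n)]  # sticky per source
        if self.method == "connection-hash":
            # Assumed tuple: source IP, source port, destination IP, destination port.
            key = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}"
            return self.addresses[bucket(key, n)]
        if self.method == "random":
            return secrets.choice(self.addresses)
        raise ValueError(f"unknown method: {self.method}")

def spread(method, connections, addresses):
    """Return the translated address chosen for each connection, in order."""
    lb = NatBalancer(addresses, method)
    return [lb.pick(*c) for c in connections]

# Constructed sample: one internal client opening six connections to one server.
POOL = pool("198.51.100.10", "198.51.100.13")
CONNS = [("10.0.0.5", 40000 + i, "203.0.113.80", 443) for i in range(6)]

if __name__ == "__main__":
    for m in ("round-robin", "source-ip-hash", "connection-hash", "random"):
        print(f"{m:16} {spread(m, CONNS, POOL)}")
```

In this model, source IP hash returns a single translated address for all six connections, whereas connection hash is deterministic per connection but can move the same client across the range as its source port changes.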
SNS - USER CONFIGURATION MANUAL V.3
sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016
FILTERING AND NAT
