Configuring NAT addresses for SMC components

You must configure Locations and contact addresses when network address translation (NAT) is applied to the communications between any of the SMC components.

If there is NAT between communicating SMC components, the translated IP address might have to be defined for system communications.

You use Location elements to configure SMC components for NAT. There is a Default Location to which all elements belong if you do not assign them to a specific Location. If NAT is applied between two SMC components, you must separate them into different Locations and then add a contact address for the component to be contacted.

You can define a Default contact address for contacting an SMC component (defined in the Properties dialog box of the corresponding element). The component’s Default contact address is used in communications when SMC components that belong to another Location contact the component and the component has no contact address defined for its Location.

Figure: Example scenario—using locations



Component   Description

Headquarters Location
1           Management/Log server
2           Internet
3           IPS
4           Firewall

Between locations
5           Internet

Branch Office Location
6           Firewall
7           IPS
8           Internet

In the example scenario above, the same Management Server and Log Server manage SMC components both at a company’s headquarters and at the branch office.

NAT could typically be applied at the following points:
  • The firewall at the headquarters or an external router can provide the SMC servers external IP addresses on the Internet. The external addresses must be defined as contact addresses so that the SMC components at the branch offices can contact the servers across the Internet.
  • The branch office firewall or an external router can provide external addresses for the SMC components at the branch office. In this case, the external IP addresses must also be defined as contact addresses so that the Management Server can contact the components.

When contact addresses are needed, it might be enough to define a single new Location element, for example, for the branch office, and to group the SMC components at the branch office into the “Branch Office” Location. The same Location element could also be used to group SMC components at any other branch office when they connect to the SMC servers at the headquarters.

To be able to view logs, the administrators at the branch office must select the “Branch Office” Location in the Management Client.
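
The contact address selection described above can be modeled as a small check that flags components that are missing a contact address. This is an added example, not Forcepoint code or an SMC API: the class, function names, and addresses are constructed, the per-Location contact address is read as keyed by the contacting component's Location, and the fallback to the real address when nothing is defined is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Component:
    name: str
    ip: str                                  # real, untranslated address
    location: str = "Default"                # every element starts in the Default Location
    default_contact: Optional[str] = None    # Default contact address
    # Contact addresses keyed by the Location of the component that initiates contact
    contact_by_location: Dict[str, str] = field(default_factory=dict)

def resolve(caller, target):
    """Return (address, source) that caller uses to reach target."""
    if caller.location == target.location:
        return target.ip, "real"             # same Location: real address is used
    if caller.location in target.contact_by_location:
        return target.contact_by_location[caller.location], "location"
    if target.default_contact:
        return target.default_contact, "default"
    # Assumption: with nothing defined, the real address is tried and NAT breaks it
    return target.ip, "real-fallback"

def audit(servers, engines):
    """List (caller, target) pairs across Locations that lack a contact address."""
    gaps = []
    for s in servers:
        for e in engines:
            for caller, target in ((s, e), (e, s)):
                if resolve(caller, target)[1] == "real-fallback":
                    gaps.append((caller.name, target.name))
    return gaps

# Constructed sample data following the headquarters / branch office scenario
mgmt = Component("Management Server", "10.1.1.10",
                 contact_by_location={"Branch Office": "203.0.113.10"})
hq_fw = Component("HQ Firewall", "10.1.1.1")
branch_fw = Component("Branch Firewall", "192.168.50.1", "Branch Office",
                      default_contact="198.51.100.20")
branch_ips = Component("Branch IPS", "192.168.50.2", "Branch Office")

if __name__ == "__main__":
    for caller, target in ((branch_fw, mgmt), (mgmt, branch_fw), (hq_fw, mgmt)):
        print(caller.name, "->", target.name, resolve(caller, target))
    print("missing contact addresses:", audit([mgmt], [hq_fw, branch_fw, branch_ips]))
```

In this sample, the Branch IPS sits in the “Branch Office” Location without any contact address, so the audit reports that the Management Server cannot reach it through NAT.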

Configuration overview

  1. Define Location elements.
  2. Define contact addresses for the Management Servers and Log Servers.
  3. Select the Location for your Management Client.
  4. Select the Locations for NGFW Engines when you create the engine elements.