How to configure a subnet source IP for SNAT on Watchguard

Configuring SNAT for Sophos requires allowing a /26 subnet as the source IP, but SNAT only allows one source IP.


  • Please explain what you are trying to do.
    It looks to me that you are not doing this the correct way.

    SNAT is for allowing incoming sessions to devices behind your firewall.

    If you want to allow internal devices to get Sophos updates, then that is normally outgoing sessions.

  • james.carson Moderator, WatchGuard Representative

    Hi @Ain2828

    A static NAT is generally used to forward specific ports from the outside (the internet) to the inside (your internal network.)

    There are a few things that concern me here:
    -Unless you're dealing with something like a Mail appliance or similar that needs internet hosts to be able to initiate requests to it directly, a SNAT may not even be necessary. If this is for endpoint software, for example, you don't generally need to make an inbound rule at all in the same way that you don't need to make an inbound rule for HTTPS traffic to get back to your PC. NAT handles it.

    -If you need to only allow specific IPs to access the rule (for example, that /28) you can put it in the from field instead of any-external. The IPs Sophos is coming from don't need to be in the SNAT action itself.

    Like Bruce mentioned, if you can give us a better idea of what you're trying to do, we can provide better guidance. If you need help determining what exactly you need to put together, I'd suggest opening a support case and attaching/linking any documents you have from Sophos so that they can help assist setting up a rule with you.

    -James Carson
    WatchGuard Customer Support

  • edited January 2023

    So the scenario is: mail goes to Sophos for filtering, then is delivered to their on-premise Exchange server. So we are just wanting the delivery to their Exchange server to come from Sophos only, on port TCP 25. Basically we are wanting to restrict only the Sophos server to communicate with the internal Exchange server over the Internet. Sophos is in the cloud, so it's external.

  • james.carson Moderator, WatchGuard Representative

    In the from field of the policy that you're making, you'll want to post the /28
    In the to field

    Similar to this:

    (IPs are made up, these are not Sophos' IPs)
    *You're probably going to have to right click and view image, because the forums scale the images down to tiny.

    The "Any-External" in the SNAT action is telling the firewall what interface or IP to listen on. If you only have one external with one IP, you can just leave it as any-external. If you want to specify the IP or interface it listens on, you can do that in the SNAT action.

    -James Carson
    WatchGuard Customer Support
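To make the distinction in the reply above concrete, here is an added example (not WatchGuard's or Sophos' code, and not from the forum) that models an inbound SNAT policy the way the thread describes it: the allowed sender range lives in the policy's From field, while the SNAT action only maps the external listener to the internal host. The /28, the internal address and the policy name are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed policy modelled on the thread's advice (placeholder addresses,
# not Sophos' real range). The From field carries the sender restriction;
# the SNAT action only says where to listen and which internal host to reach.
RESTRICTED_POLICY = {
    "name": "SMTP-Inbound-Sophos",
    "from": [ip_network("203.0.113.0/28")],            # sender restriction
    "snat": {"listen": "any-external", "internal": "10.0.0.25"},
    "proto": "tcp",
    "port": 25,
}

# Same SNAT action, but From left as Any-External: every Internet host
# may reach the Exchange server on TCP 25.
OPEN_POLICY = dict(RESTRICTED_POLICY, from_=None)
OPEN_POLICY["from"] = [ip_network("0.0.0.0/0")]


def evaluate(policy, src_ip, dst_port, proto="tcp"):
    """Return (allowed, (internal_host, port)) for one inbound connection.

    Only the policy's From list decides who may connect; the SNAT action is
    consulted solely to compute the translated destination.
    """
    src = ip_address(src_ip)
    if proto != policy["proto"] or dst_port != policy["port"]:
        return False, None
    if not any(src in net for net in policy["from"]):
        return False, None
    return True, (policy["snat"]["internal"], dst_port)


def senders_outside_range(policy, src_ips):
    """List the constructed source IPs a policy would reject (audit helper)."""
    return [ip for ip in src_ips if not evaluate(policy, ip, policy["port"])[0]]
```

Running `evaluate(RESTRICTED_POLICY, "198.51.100.7", 25)` shows the point James makes: a sender outside the /28 is dropped before the SNAT action is ever applied, whereas `OPEN_POLICY` admits it.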
