Does Traffic From the NAT Boundary Firewall Pass through the Firewall Twice?
Yes, if the NAT firewall's public IP is enabled in the Internet boundary switch: outbound traffic first transits the NAT firewall and then the Internet edge firewall.
What Are the Differences between New Mode and Access Mode in NAT Boundary Firewall?
New mode: if there is no NAT Gateway in the current region, new mode provides Internet access for the specified instances through the NAT feature built into the NAT boundary firewall.
Access mode: if a NAT Gateway already exists in the current region, or you want the public egress IP to remain unchanged, access mode inserts the NAT boundary firewall between the NAT Gateway and the CVM instances without further changes.
Can NAT Edge Firewall Replace the Original NAT Gateway?
Yes, NAT Edge Firewall can replace the original NAT Gateway.
Can NAT Edge Firewall Be Enabled for a Single Subnet Only?
Yes. A firewall switch corresponds to one subnet. You can enable the firewall for all subnets associated with the current subnet's route table at once, or for the current subnet only.
Will Binding an EIP to the NAT Edge Firewall Toggle Interrupt the Network?
No. Binding an EIP does not interrupt the network.
Will Enabling or Disabling the NAT Edge Firewall Toggle for a VPC Interrupt the Network?
Enable: because routes change, a 1-2 second network interruption may occur. If only one subnet is enabled, the system automatically creates a new route table for that subnet, copies all existing routing policies into it, adds a route whose next hop is the NAT edge firewall, and disables the original public network access route. The subnet's Internet traffic then transits the NAT edge firewall.
Disable: because routes change, a 1-2 second network interruption may occur. If only one subnet is disabled, the system automatically creates a new route table for that subnet, copies all existing routing policies into it, and disables the route whose next hop is the NAT edge firewall. The subnet is then disconnected from the Internet.
Does Port Forwarding (DNAT) in the NAT Edge Firewall Toggle Support Consecutive Port Ranges?
No. Port forwarding does not support multiple ports in one rule; each DNAT port requires its own rule.
How to Configure SNAT in NAT Edge Firewall?
1. Log in to the CFW console, click Firewall Switch > NAT Boundary Switch, and open the NAT Boundary Switch page.
2. On the NAT Boundary Switch page, click Instance Configuration > Egress Binding > Create Rule in the operation column on the right.
3. Select the subnet or public IP used by the VPC, then click Confirm.
How to Confirm Whether a Subnet Has the Firewall Enabled?
1. Log in to the CFW console, click Firewall Switch > NAT Boundary Switch, and open the NAT Boundary Switch page.
2. In the NAT Boundary Switch menu, click the Firewall Switch tab to view all enabled and disabled subnets.
After Enabling DNS Traffic through the NAT Firewall Switch in the Instance Configuration, Does the Server Need to Be Restarted? Does the Setting Take Effect without Any Operation?
A server restart is not required; restarting only speeds up activation. The setting takes effect in the same time as a DNS configuration change made in the VPC console. To refresh the network configuration immediately, run the following command:
Linux: dhclient
Windows: ipconfig /flushdns
How Often Does the NAT Edge Firewall Toggle Automatically Synchronize Assets?
Every 10 minutes.
How Many Speed Limit Rules Can Be Configured for NAT Edge Firewall?
Up to 100 rules.
How Many NAT Gateways Can a NAT Edge Firewall in Access Mode Connect to Simultaneously?
By default, up to 5 NAT Gateways can be connected at the same time. To exceed this limit, use a new NAT Boundary Firewall instance for the additional gateways.
Why Is the NAT Edge Firewall Subnet Switch Off?
1. Default setting: the NAT firewall switch is off in the initial configuration and must be enabled manually.
2. Private network and route table association: in a VPC, when the cloud firewall's highly available VIP switch in the route table is in a specific state, such as traffic overload, maintenance, or upgrade, system logic may be triggered that turns the NAT firewall switch off.
Why Can't the NAT Edge Firewall Subnet Switch Be Turned On?
The asset scale may have changed within the backend polling interval but not yet been synced. Log in to the CFW console, click Firewall Switch > Internet Boundary Switch > Sync Assets to have the backend re-read and sync the subnet asset information, then try enabling the switch again.
How to Change the VPC for NAT Edge Firewall?
On the NAT firewall instance page, select the firewall to change, click More, select Access Configuration, then reselect the access VPC.
How Many VPCs Can NAT Edge Firewall Bind?
Not limited.
Why Can a Newly Allocated EIP Not Be Accessed after Enabling NAT Edge Firewall?
A newly allocated EIP must be bound before it can be accessed.
Is There a Limit on the Number of NAT Boundary Firewall Instances?
Yes. The number of NAT firewall instances is subject to the general quota: the Advanced, Enterprise, and Flagship editions support 1, 2, and 3 instances, respectively.
How to Switch a Subnet From NAT Edge Firewall (New Mode) to NAT Gateway Without Affecting the Network?
1. Purchase a NAT Gateway for each VPC.
2. Modify the route table and set the next hop to the NAT Gateway.
3. Disable the firewall feature and terminate the firewall instance.
After these steps, private network resources access the public network through the NAT Gateway. Because some applications allowlist egress IPs, it is recommended to contact the relevant parties and have the NAT Gateway's EIP added to their allowlists; otherwise, those applications may become inaccessible.
How to Check the Data after Blocking by NAT Boundary Firewall?
In the NAT edge firewall's Status Monitoring > Connections > Session view, refresh the page after performing the blocking operation. If the original data is still shown, proceed as follows:
1. The state shown on this page does not update immediately after a blocking operation; this is normal, so do not repeat the blocking operation.
2. Check the enterprise security group to confirm whether the rules have been delivered. When the enterprise security group's automatic delivery toggle is on, rules are delivered automatically; otherwise, deliver them manually.
Is the NAT Edge Firewall Inbound Blocklist/Allowlist Capacity the Same in Serial Mode and Bypass Mode?
Yes. The capacity and the blocking upper limit are the same in both modes.
How to Count the Number of Rules in NAT Edge Firewall and VPC Firewall Instances?
Number of rules issued = number of source addresses × number of destination addresses × number of ports × number of protocols.
Number of source and destination addresses: a single IP or IP range and an asset type each count as 1. Asset groups, asset tags, and address templates are counted by the number of addresses they expand to.
Number of destination ports: counted by English-comma-separated entries. If there is no English comma, the count is 1.
Number of protocols: layer-4 ANY counts as 3 and layer-7 ANY counts as 6. HTTP/HTTPS or SMTP/SMTPS counts as 2, and a single protocol counts as 1.
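The counting formula above, as an added worked example (not code from the CFW console or API): it applies the stated weights to a rule definition so you can predict how many rules a single console entry will consume against the quota. The EXPANSIONS lookup standing in for asset groups and address templates is a constructed assumption; the real console resolves those server-side.

```python
from dataclasses import dataclass
from typing import Dict, List

# Protocol weights as stated in the text: L4 ANY = 3, L7 ANY = 6,
# HTTP/HTTPS or SMTP/SMTPS = 2, any other single protocol = 1.
PROTOCOL_WEIGHTS = {"ANY_L4": 3, "ANY_L7": 6, "HTTP/HTTPS": 2, "SMTP/SMTPS": 2}

# Constructed stand-in for asset groups / tags / address templates, which the
# console expands into member addresses before counting (assumption).
EXPANSIONS: Dict[str, List[str]] = {
    "group:web-tier": ["10.0.1.10", "10.0.1.11", "10.0.1.12"],
    "template:partners": ["203.0.113.0/24", "198.51.100.7"],
}

@dataclass
class AccessRule:
    sources: List[str]
    destinations: List[str]
    ports: str        # as typed in the console, e.g. "80,443" or "ANY"
    protocol: str

def count_addresses(entries: List[str], expansions: Dict[str, List[str]]) -> int:
    """A plain IP/CIDR or asset type counts as 1; a group, tag or template
    counts as the number of addresses it expands to."""
    return sum(len(expansions[e]) if e in expansions else 1 for e in entries)

def count_ports(ports: str) -> int:
    """Ports are counted by English-comma separation; no comma means 1,
    so a range such as "8000-8100" still counts as a single entry."""
    items = [p for p in (x.strip() for x in ports.split(",")) if p]
    return max(len(items), 1)

def count_protocols(protocol: str) -> int:
    return PROTOCOL_WEIGHTS.get(protocol, 1)

def issued_rule_count(rule: AccessRule, expansions: Dict[str, List[str]] = EXPANSIONS) -> int:
    """sources x destinations x ports x protocols, per the formula above."""
    return (count_addresses(rule.sources, expansions)
            * count_addresses(rule.destinations, expansions)
            * count_ports(rule.ports)
            * count_protocols(rule.protocol))

if __name__ == "__main__":
    # 3 sources x 2 destinations x 3 ports x 2 protocols = 36 rules issued
    rule = AccessRule(["group:web-tier"], ["template:partners"], "80,443,8443", "HTTP/HTTPS")
    print(issued_rule_count(rule))
```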
Are DNAT Rules Added to NAT Gateway Automatically Synced to NAT Edge Firewall?
DNAT rules added to the NAT Gateway before the NAT Boundary Firewall instance is created are synced to the firewall automatically when the firewall switch is enabled. Rules added to the NAT Gateway after the firewall is created do not take effect through synchronization, so add them manually in the CFW console.
After Disabling or Terminating NAT Edge Firewall, Are DNAT Rules Automatically Synced to NAT Gateway?
After the NAT firewall is terminated, the DNAT rules that were added in the CFW console are synchronized to the NAT Gateway. If the NAT Gateway is later connected to a NAT firewall again, the DNAT rules previously created on the firewall are not synchronized back automatically.
Will NAT Edge Firewall/VPC Firewall Engine Updates Notify Users?
Yes. When the engine is updated, the console shows a prompt dialog; each engine version prompts only once.
Users can also go to Firewall Toggles > NAT firewalls and click Update engines on the firewall instance tab to check whether the engine is the latest version.
What Is the Impact of Exceeding the NAT Edge Firewall Bandwidth Limit?
Exceeding the bandwidth limit may trigger traffic throttling, possibly causing increased network latency, access timeouts, and packet loss. Scale out bandwidth in time to avoid this.
If VPC1, VPC2, and VPC3 All Use Dedicated IPs and All IPs Are Exhausted, Which IP Will the Remaining Unbound VPC Use?
If the remaining IP has not been set as dedicated, the dedicated IP feature cannot be used for it: the last remaining IP cannot be selected as a dedicated IP.
With a Block-All Rule at the End of the NAT Edge Firewall Rule List and No Allow Rule before It, curl and ping Are Blocked as Expected, but Why Does telnet Succeed?
The access control rule list contains layer-7 rules that allow traffic. Because layer-7 rules can only be evaluated after application data arrives, all traffic must first complete the TCP three-way handshake; telnet only verifies that handshake, so it appears to succeed.