Forwarding Service Object (Egress / East-West)
Forwarding Service Objects are used in Forwarding rules. Traffic that matches a rule using this service type is not proxied; it is forwarded as-is. This means there is no deep packet inspection and no Application ID on encrypted traffic. It is recommended to use this service type for East-West traffic.
Application IDs can be configured as an additional match for traffic. The Application ID can be the Client Application ID (Chrome, Firefox) or the Service Application ID (MySQL, Google, etc.).
Add Forwarding Service
- Navigate to Manage -> Security Policies -> Services
- Click Create
- Click Forwarding
- Provide a name and description
- Optionally select the Application IDs to match
- Valtix supports source NAT (SNAT) on a per-service level. For traffic that requires source IP preservation (e.g. East-West traffic), disable SNAT. For Egress traffic, SNAT must always be enabled.
- Configure port parameters as defined below:

| Option | Description |
|---|---|
| Dst Port | Assign a destination port or a range of destination ports as start-end |
| Protocol | TCP, UDP, ICMP |
Tech Notes
IPS, Application ID and other data-specific features operate only on non-encrypted traffic.
Tip
If you want to use the same port for East-West and Egress but SNAT off for East-West and SNAT on for Egress, then create 2 service objects and use them in the policy ruleset rules. It's also required to specify Source and Destination address objects to differentiate between the 2 service objects.
For example, if you create 2 rules as:
- src: any, dest: any, service: east-west-443-no-snat
- src: any, dest: any, service: egress-443-with-snat
the first rule would always match port 443, so the second rule is never reached and Egress traffic on 443 would leave without SNAT. So create specific sources and destinations:
- src: spoke1, dest: spoke2, service: east-west-443-no-snat
- src: any, dest: any, service: egress-443-with-snat
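The following is an added example, not Valtix's own code or API: a small first-match policy evaluator that shows why the first ruleset above shadows the Egress rule and how pinning the East-West rule to specific address objects fixes it. The address objects `spoke1` and `spoke2` and their CIDRs are constructed for this example (the page names the objects but gives no addresses), as are the sample flows; the rules are assumed to be evaluated top to bottom, first match wins, as the tip implies. `shadowed_rules` is a generic check that flags any rule whose source, destination, protocol and port range are fully covered by an earlier rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address objects (CIDRs are assumptions for this example only).
ADDRESS_OBJECTS = {
    "any": [ip_network("0.0.0.0/0")],
    "spoke1": [ip_network("10.1.0.0/16")],
    "spoke2": [ip_network("10.2.0.0/16")],
}


@dataclass(frozen=True)
class ForwardingService:
    """A Forwarding service object: protocol, destination port range, SNAT flag."""
    name: str
    protocol: str
    dst_port_start: int
    dst_port_end: int
    snat: bool

    def matches(self, protocol: str, dst_port: int) -> bool:
        return protocol == self.protocol and self.dst_port_start <= dst_port <= self.dst_port_end


@dataclass(frozen=True)
class Rule:
    """A policy rule: source address object, destination address object, service."""
    src: str
    dst: str
    service: ForwardingService

    def matches(self, src_ip: str, dst_ip: str, protocol: str, dst_port: int) -> bool:
        return (_in_object(src_ip, self.src)
                and _in_object(dst_ip, self.dst)
                and self.service.matches(protocol, dst_port))


def _in_object(ip: str, obj: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ADDRESS_OBJECTS[obj])


def _covers(broad: str, narrow: str) -> bool:
    """True if every network of address object `narrow` lies inside some network of `broad`."""
    return all(any(n.subnet_of(b) for b in ADDRESS_OBJECTS[broad])
               for n in ADDRESS_OBJECTS[narrow])


def first_match(rules: List[Rule], src_ip: str, dst_ip: str,
                protocol: str, dst_port: int) -> Optional[Rule]:
    """Top-to-bottom, first-match evaluation (assumed ruleset semantics)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, protocol, dst_port):
            return rule
    return None


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never match because an earlier rule covers their
    src, dst, protocol and whole destination port range."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and earlier.service.protocol == later.service.protocol
                    and earlier.service.dst_port_start <= later.service.dst_port_start
                    and earlier.service.dst_port_end >= later.service.dst_port_end):
                shadowed.append(later)
                break
    return shadowed


def snat_for(rules: List[Rule], src_ip: str, dst_ip: str,
             protocol: str = "TCP", dst_port: int = 443):
    """(service name, SNAT enabled) for the matching rule, or None if no rule matches."""
    rule = first_match(rules, src_ip, dst_ip, protocol, dst_port)
    return None if rule is None else (rule.service.name, rule.service.snat)


# The two service objects from the tip: same port, different SNAT setting.
EAST_WEST_443 = ForwardingService("east-west-443-no-snat", "TCP", 443, 443, snat=False)
EGRESS_443 = ForwardingService("egress-443-with-snat", "TCP", 443, 443, snat=True)

# First layout from the tip: both rules any -> any, so the Egress rule is shadowed.
BROKEN_RULESET = [Rule("any", "any", EAST_WEST_443), Rule("any", "any", EGRESS_443)]
# Corrected layout: East-West pinned to spoke1 -> spoke2, Egress stays any -> any.
FIXED_RULESET = [Rule("spoke1", "spoke2", EAST_WEST_443), Rule("any", "any", EGRESS_443)]

if __name__ == "__main__":
    # 203.0.113.10 is a constructed Internet destination (TEST-NET-3).
    print("broken, spoke1 -> Internet:", snat_for(BROKEN_RULESET, "10.1.0.5", "203.0.113.10"))
    print("shadowed in broken ruleset:", [r.service.name for r in shadowed_rules(BROKEN_RULESET)])
    print("fixed, spoke1 -> spoke2:   ", snat_for(FIXED_RULESET, "10.1.0.5", "10.2.0.7"))
    print("fixed, spoke1 -> Internet: ", snat_for(FIXED_RULESET, "10.1.0.5", "203.0.113.10"))
```

Running `shadowed_rules` over a ruleset before pushing it is a cheap way to catch this class of mistake: in the broken layout the Egress rule is reported as shadowed, and an Internet-bound flow on 443 is matched by the no-SNAT East-West rule; in the fixed layout nothing is shadowed and each flow lands on the intended service.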
Advisory
Prior to release 2.8, SNAT was enabled at the gateway level. Users upgrading to release 2.8 are advised to migrate their SNAT configuration to the service level.