Techclick · Sophos · Next-Gen Firewall · Rules & NAT

Sophos Firewall Rules & NAT — Two Tables, Not One

On Sophos Firewall (SFOS 18 and later) the firewall rule decides whether traffic is allowed; a separate NAT rule decides how the address is translated. This lesson maps the firewall rule table and rule groups, explains the SFOS 18+ split that trips up everyone migrating from old XG, walks the NAT types (SNAT/MASQ, DNAT, full NAT and loopback), and shows how to publish a server — and the one mistake that quietly drops the traffic.

📅 2026-06-19 · ⏱ 16 min · 4 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Sophos Firewall (SFOS 18/19/20+, 2026): how firewall rules work top-down with rule groups and identity, why SFOS 18 split NAT into its own table, the NAT types (SNAT/MASQ, DNAT, full NAT, loopback), and how to publish a server with DNAT plus the #1 mistake — forgetting the allow rule.

🎯 By the end you will be able to

Pick where you want to start:

1. Rules & groups: top-down, first match, identity-based, organised in groups.
2. The SFOS 18 split: firewall rules and NAT rules are now two tables.
3. NAT types: SNAT/MASQ, DNAT, full NAT, loopback, the default MASQ.
4. Publish & pitfalls: DNAT a server, the allow rule, reflexive access.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. On SFOS 18+, do you set NAT inside the firewall rule like old XG?

Answered in The SFOS 18 split.

2. How does Sophos decide which firewall rule applies?

Answered in Rules & groups.

3. After a DNAT rule publishes a server, is anything else needed?

Answered in Publish & pitfalls.

Most engineers think…

Most people who learned the old Sophos XG model picture the NAT as something you tick on the firewall rule itself — set the masquerade, done. On current Sophos Firewall that mental model quietly breaks things.

Since SFOS 18 the product splits the job into two separate tables: a firewall rule table that answers 'is this traffic allowed?' and a NAT rule table that answers 'how is the address translated?'. They are evaluated independently. A firewall rule can still carry a convenient linked NAT rule for quick source NAT, but DNAT for publishing a server now lives in its own table — and a NAT rule on its own never allows traffic. Understanding that split is exactly what makes server publishing work the first time and what most Sophos interviews probe.

① The firewall rule table & rule groups — top-down, first match

The firewall rule table is an ordered list evaluated top-down, first match wins. The first rule whose conditions match the traffic sets the action — Accept, Drop or Reject — so rule order matters. You can organise related rules into Rule Groups, which are just ordered containers that keep a long policy readable; they do not change the first-match behaviour.

Each rule matches on source and destination zones (LAN, WAN, DMZ, VPN), networks, services (ports and protocols) and a schedule, then applies security profiles — web filtering, application control and IPS — to the allowed traffic, with per-rule logging. Crucially, a rule can be identity-based: it matches on the authenticated user or group, not just an IP. The two rule types are the everyday User / Network rule and the Business Application rule wizard for publishing servers.

Figure 1 — How a firewall rule is matched
Sophos walks the firewall rule table top-down; the first rule that matches decides the action. (Steps shown: packet in with zone, IP and service → walk rules in top-down order → first match whose conditions are met → action accept/drop/reject → security profiles web / app / IPS.)
Order is the whole game

Because matching is top-down, first-match, a broad Accept or Drop placed too high can shadow the specific rule below it. Keep specific rules above general ones, and use Rule Groups to keep that order visible. In an interview, always say 'top-down, first match wins' before anything else.
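A shadowed rule is easy to miss by eye in a long table, so here is a small lint that finds it mechanically. This is an added example for the lesson, not Sophos code: the Rule fields are a simplified, assumed model of a User/Network rule (zones, destination networks, services and an identity match), and the sample table is constructed for illustration.

```python
"""Shadow lint for an ordered, first-match firewall rule table.

Added example, not Sophos code. The Rule schema is an assumed simplification
of a User/Network rule; the TABLE below is constructed for illustration.
"""
from dataclasses import dataclass

ANY = "Any"                      # a field left at Any matches every value
FIELDS = ("src_zones", "dst_zones", "dst_nets", "services", "users")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # Accept, Drop or Reject
    src_zones: frozenset = frozenset({ANY})
    dst_zones: frozenset = frozenset({ANY})
    dst_nets: frozenset = frozenset({ANY})
    services: frozenset = frozenset({ANY})
    users: frozenset = frozenset({ANY})   # identity-based match; Any = no identity condition


def covers(broad: frozenset, narrow: frozenset) -> bool:
    """True when everything the narrow condition matches, the broad one matches too."""
    if ANY in broad:
        return True
    return ANY not in narrow and narrow <= broad


def shadows(upper: Rule, lower: Rule) -> bool:
    """An upper rule shadows a lower one when it covers every matching field:
    first-match can then never reach the lower rule, whatever its action."""
    return all(covers(getattr(upper, f), getattr(lower, f)) for f in FIELDS)


def find_shadowed(rules):
    """Return (shadowed rule, rule that shadows it) name pairs, in table order."""
    found = []
    for i, lower in enumerate(rules):
        for upper in rules[:i]:
            if shadows(upper, lower):
                found.append((lower.name, upper.name))
                break
    return found


def propose_order(rules):
    """Move each shadowed rule directly above the rule that shadows it
    (specific before general) and return the reordered table."""
    order = list(rules)
    for lower_name, upper_name in find_shadowed(rules):
        lower = order.pop([r.name for r in order].index(lower_name))
        order.insert([r.name for r in order].index(upper_name), lower)
    return order


def z(*values):
    return frozenset(values)


# Constructed table: a broad LAN-to-WAN Accept sits above a specific Drop.
TABLE = [
    Rule("Allow DNS out", "Accept", z("LAN"), z("WAN"), services=z("DNS")),
    Rule("LAN to WAN any", "Accept", z("LAN"), z("WAN")),
    Rule("Block SMTP out", "Drop", z("LAN"), z("WAN"), services=z("SMTP")),   # never reached
    Rule("Finance to payroll", "Accept", z("LAN"), z("DMZ"), z("10.10.5.20"), z("HTTPS"), z("Finance")),
    Rule("Drop LAN to DMZ", "Drop", z("LAN"), z("DMZ")),
]

if __name__ == "__main__":
    for lower, upper in find_shadowed(TABLE):
        print(f"'{lower}' is shadowed by '{upper}' above it")
    print([r.name for r in propose_order(TABLE)])
```

Run it and the lint reports that "Block SMTP out" is shadowed by "LAN to WAN any"; the identity-scoped "Finance to payroll" rule is not flagged, because a rule with no user condition does not cover one that has one. The proposed order moves the SMTP Drop above the broad Accept, after which the lint finds nothing.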

Quick check · Q1 of 10 · Understand

How does Sophos Firewall decide which firewall rule applies to a packet?

Correct: c. The firewall rule table is evaluated top-down and the first rule whose conditions match decides the action (Accept/Drop/Reject), so rule order matters. Rule Groups only organise the order; they do not change first-match.
👉 So far: Firewall rules are top-down, first match wins. Each rule sets action, zones, networks, services, schedule, identity and security profiles, and can be grouped into Rule Groups for clarity.

② The SFOS 18+ split — firewall rules vs NAT rules

Here is the single most important change, and the one interviews love. In older Sophos XG firmware, the NAT (masquerade) was set on the firewall rule. From SFOS 18 onwards the two are separated into their own tables: the firewall rule table decides whether traffic is allowed; the NAT rule table decides how the address is translated. They are evaluated independently, and the NAT rule table is also top-down. In the packet path, destination NAT is applied before the firewall rule lookup and source NAT after it, so a firewall rule for published traffic must match the translated destination (destination zone DMZ/LAN and the internal server), not the public IP.

Linked vs standalone NAT

A firewall rule can still have a linked NAT rule attached for quick source NAT — convenient, but behind the scenes it is still a separate NAT object. The alternative is a standalone NAT rule you create directly in the NAT table, which is what you use for DNAT and full NAT. The practical takeaway: allowing traffic and translating its address are now two different decisions you configure in two different places.

Figure 2 — Old XG vs SFOS 18+ — where NAT lives
The big change: NAT moved out of the firewall rule into its own separate table. (Old XG, combined: NAT set on the firewall rule; one place, the rule; masquerade ticked inline; easy to confuse the two jobs. SFOS 18+, separated: firewall rule = is it allowed?; NAT rule = how translated?; two independent tables; linked NAT for quick SNAT.)

Firewall rule
Top-down, first-match rule that decides if traffic is allowed — by zone, network, service, schedule, user identity and security profiles. Action: Accept, Drop or Reject.

NAT rule (SFOS 18+)
A separate rule in its own table that only translates addresses — SNAT/MASQ, DNAT, full NAT or loopback. It never allows traffic on its own.

SNAT / MASQ
Source NAT for outbound traffic — rewrites the internal source to the WAN interface IP. The default MASQ rule gives LAN hosts internet access.

DNAT
Destination NAT for inbound traffic — rewrites the destination so external users reach an internal server. The core of server publishing.

'I set the NAT on the firewall rule' (old XG habit)

On SFOS 18+ that only gets you a linked NAT rule for quick source NAT. For publishing a server you create a separate DNAT rule in the NAT table — and you still need a firewall rule to allow it. Treat 'allow it' and 'translate it' as two separate decisions.

Quick check · Q2 of 10 · Remember

What is the key change in SFOS 18 and later compared with old XG?

Correct: b. SFOS 18 split NAT out of the firewall rule into its own NAT rule table. The firewall rule decides if traffic is allowed; a separate NAT rule decides how the address is translated. Old XG combined the two on one rule.
👉 So far: SFOS 18+ splits firewall rules and NAT into two separate tables: the firewall rule decides if traffic is allowed; a separate NAT rule decides how it is translated. Old XG combined them.

③ NAT types — SNAT/MASQ, DNAT, full NAT and loopback

The NAT rule table holds four shapes you must be able to name. SNAT (source NAT) / MASQ (masquerade) handles outbound traffic — it rewrites the internal source to the WAN interface IP so LAN hosts can reach the internet. DNAT (destination NAT) handles inbound traffic — it rewrites the destination so external users reach an internal server (server publishing / port forwarding). Full NAT translates both source and destination in one rule.

A loopback (reflexive) rule lets internal users reach a published server by its public address from inside the LAN. Without it that traffic fails: the ordinary DNAT rule matches only sessions arriving from WAN, so a LAN request for the public IP is never translated and ends up at the firewall's own address. The loopback rule translates the destination for internal sources and also masquerades the source, so the server replies through the firewall instead of answering the client directly from its private address. Sophos ships a default network rule and a default SNAT/MASQ rule so outbound internet works out of the box; you add DNAT, full-NAT and loopback rules as the network grows. Like firewall rules, NAT rule order is top-down.

Figure 3 — The four NAT shapes
One NAT table, four jobs — pick by which addresses must be rewritten and in which direction. (SNAT / MASQ: outbound, source rewritten to the WAN IP. DNAT: inbound, destination rewritten to an internal server. Full NAT: both source and destination translated in one rule. Loopback: internal users reach a published server by public IP.)
Quick check · Q3 of 10 · Apply

LAN hosts need to reach the internet. Which NAT rule handles that?

Correct: a. Outbound internet uses source NAT (masquerade): the internal source IP is rewritten to the WAN interface IP. The default SNAT/MASQ rule provides this out of the box. DNAT is inbound; loopback is for reaching a published server internally.
👉 So far: Four NAT shapes: SNAT/MASQ (outbound, source to WAN IP), DNAT (inbound to a server), full NAT (both), and loopback (internal users reach a published server by its public IP). The default MASQ rule covers outbound.

④ Publishing a server with DNAT — and the pitfall everyone hits

To publish an internal server you create a DNAT rule (directly, or through the Business Application rule wizard, which can also layer WAF reverse-proxy protection on top). But here is the trap that bites almost everyone migrating from old XG: a DNAT rule only translates the address — it does not allow the traffic. You still need a firewall rule that accepts the inbound session from WAN to the server, or the (now-translated) packet hits the default drop.

Don't forget reflexive access

Once it works from outside, internal staff often still can't reach the public URL. That is the loopback case: add a loopback NAT rule so internal users can reach the published server by its public address. When something breaks, read the firewall log to see which rule the session hit and the NAT log to confirm the translation — the answer is in the logs, not a guess.

Figure 4 — Publishing a server takes two rules
A DNAT rule translates the address, but a firewall rule must still allow the session; the firewall evaluates the translated packet, so the allow rule names the internal server. (Shown: Sophos Firewall with rule and NAT tables; firewall rule (allow); DNAT rule (translate); Business Application rule with WAF; loopback rule; firewall and NAT logs.)

Sneha at Truvelo Logistics, Hyderabad faces this

She publishes the internal web server (10.10.5.20) to the internet with a new DNAT rule on the Sophos Firewall, but external customers get connection timeouts — nothing reaches the server.

Likely cause

On SFOS 18+ the DNAT rule only translates the destination address; it does not allow the traffic. There is no firewall rule permitting WAN to the DMZ server, so the translated packet hits the default drop.

Diagnosis

The NAT rule is correct, but the firewall rule table has no Accept rule from WAN to the server. The firewall log shows the inbound packets landing on the default drop rule, while the NAT log shows the DNAT translation happening.

Where to look: Rules and policies ▸ NAT rules (confirm DNAT), Rules and policies ▸ Firewall rules, and Monitor & analyze ▸ Log viewer.
Fix

Add a firewall rule (User/Network rule, or the Business Application wizard) that accepts WAN to the DMZ server on the published service. Because the firewall sees the packet after DNAT, the rule's destination is the translated address (zone DMZ, host 10.10.5.20), not the public IP. Keep the DNAT rule, and order both above any broad drop.

Verify

Re-test from outside — the site loads; the firewall log shows the session hitting the new Accept rule and the NAT log shows the DNAT translation. Add a loopback rule so internal staff can reach the public URL too.

Read the logs, don't guess

When a published server won't respond, open the firewall log to see which rule the inbound session actually hit (often the default drop) and the NAT log to confirm the translation. That single read tells you whether you are missing the allow rule or the NAT rule — no guessing.
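To make the two-table behaviour concrete, here is a packet-path model you can run offline. It is an added example for this lesson, not Sophos code: the public IP, interface IPs, the zone plan in zone_of() and the rule fields are constructed assumptions, while 10.10.5.20 is the server from the scenario above. It reproduces Sneha's failure (DNAT present, no allow rule), the subtler mistake of writing the allow rule against the public IP instead of the translated destination, and the loopback case from the NAT types section.

```python
"""Packet-path model of the SFOS 18+ split: DNAT in pre-routing, then the
firewall rule lookup on the translated destination, then SNAT.

Added example, not Sophos code. All addresses except the lesson's 10.10.5.20,
the interface IPs, the zone plan and the rule fields are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional

WAN_IP = "203.0.113.10"                                  # constructed public IP of the firewall
SERVER = "10.10.5.20"                                    # the lesson's DMZ web server
FW_IFACE = {"WAN": WAN_IP, "DMZ": "10.10.5.1", "LAN": "10.10.20.1"}   # constructed interface IPs
HTTPS = 443


@dataclass(frozen=True)
class Pkt:
    src_zone: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class FwRule:
    name: str
    action: str                  # Accept, Drop or Reject
    src_zone: str
    dst_zone: str                # zone of the *translated* destination
    dst: str                     # translated destination host, or "Any"
    dport: Optional[int] = None  # None = any service


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str                # "WAN" for the published-server DNAT, "LAN" for its loopback twin
    dst: str                     # original destination (the public IP)
    dport: int
    new_dst: str                 # translated destination (the internal server)
    masq_source: bool = False    # loopback: also masquerade the source so replies return via the firewall


DEFAULT_DROP = FwRule("Default drop", "Drop", "Any", "Any", "Any")


def zone_of(ip: str) -> str:
    """Constructed addressing plan: 10.10.5.0/24 is DMZ, other 10.10.x.x is LAN, the rest WAN."""
    if ip.startswith("10.10.5."):
        return "DMZ"
    return "LAN" if ip.startswith("10.10.") else "WAN"


def apply_dnat(pkt: Pkt, nat_rules):
    """Pre-routing: the first matching NAT rule (top-down) rewrites the destination."""
    for r in nat_rules:
        if r.src_zone == pkt.src_zone and r.dst == pkt.dst and r.dport == pkt.dport:
            return replace(pkt, dst=r.new_dst), r
    return pkt, None


def lookup_fw(pkt: Pkt, fw_rules) -> FwRule:
    """Firewall table: top-down, first match, evaluated on the already-translated packet."""
    for r in fw_rules:
        if (r.src_zone == pkt.src_zone and r.dst_zone == zone_of(pkt.dst)
                and r.dst in ("Any", pkt.dst) and r.dport in (None, pkt.dport)):
            return r
    return DEFAULT_DROP


def forward(pkt: Pkt, fw_rules, nat_rules) -> dict:
    """Run DNAT -> firewall lookup -> SNAT and return what the logs would show."""
    translated, nat = apply_dnat(pkt, nat_rules)
    fw = lookup_fw(translated, fw_rules)
    record = {"fw_rule": fw.name, "nat_rule": nat.name if nat else None,
              "action": fw.action, "dst": translated.dst, "src": translated.src}
    if fw.action == "Accept" and nat and nat.masq_source:
        # post-routing SNAT for the loopback case: the server sees the firewall's DMZ interface
        record["src"] = FW_IFACE[zone_of(translated.dst)]
    return record


DNAT_WEB = NatRule("DNAT web", "WAN", WAN_IP, HTTPS, SERVER)
LOOPBACK_WEB = NatRule("Loopback web", "LAN", WAN_IP, HTTPS, SERVER, masq_source=True)
ALLOW_WAN_WEB = FwRule("Allow WAN to web", "Accept", "WAN", "DMZ", SERVER, HTTPS)
ALLOW_LAN_WEB = FwRule("Allow LAN to web", "Accept", "LAN", "DMZ", SERVER, HTTPS)
ALLOW_PUBLIC_IP = FwRule("Allow to public IP", "Accept", "WAN", "WAN", WAN_IP, HTTPS)  # pre-NAT target: wrong

CUSTOMER = Pkt("WAN", "198.51.100.7", WAN_IP, HTTPS)    # constructed external client
STAFF = Pkt("LAN", "10.10.20.5", WAN_IP, HTTPS)         # constructed internal client using the public IP


def dnat_only():               # the lesson's pitfall: translated, then default drop
    return forward(CUSTOMER, [], [DNAT_WEB])

def allow_on_public_ip():      # allow rule on the untranslated address never matches
    return forward(CUSTOMER, [ALLOW_PUBLIC_IP], [DNAT_WEB])

def published():               # DNAT plus an Accept rule on the translated destination
    return forward(CUSTOMER, [ALLOW_WAN_WEB], [DNAT_WEB])

def staff_without_loopback():  # no NAT rule matches a LAN source, so the request never reaches the server
    return forward(STAFF, [ALLOW_WAN_WEB, ALLOW_LAN_WEB], [DNAT_WEB])

def staff_with_loopback():     # loopback translates the destination and masquerades the source
    return forward(STAFF, [ALLOW_WAN_WEB, ALLOW_LAN_WEB], [DNAT_WEB, LOOPBACK_WEB])


if __name__ == "__main__":
    for case in (dnat_only, allow_on_public_ip, published, staff_without_loopback, staff_with_loopback):
        print(f"{case.__name__:24} {case()}")
```

The record returned by forward() is the same two facts you read from the log viewer: which NAT rule fired and which firewall rule the session hit. In the dnat_only case the NAT rule is "DNAT web" and the firewall rule is "Default drop", which is exactly Sneha's log; in allow_on_public_ip the allow rule exists but still never matches, because by the time the firewall table is consulted the destination is already 10.10.5.20 in DMZ.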

▶ Watch a request reach a published web server

How an inbound request to a DNAT'd server is translated, allowed and answered: first the healthy path, then the classic failure.

① Arrive (WAN): a customer in Pune opens https://shop.truvelo.in; the request arrives on the Sophos WAN interface addressed to the public IP.
② DNAT translates: the NAT table is consulted first (pre-routing); the DNAT rule rewrites the public destination to the internal server 10.10.5.20.
③ Firewall allows: the firewall rule table is evaluated against the translated packet, so the Accept rule must match WAN to DMZ, destination 10.10.5.20, on the web service. It does, and the session is let in.
④ Reply: the server responds; the firewall matches the reply to the tracked session and reverses the translation, so the customer gets the page from the public address.
Break it: remove the Accept rule. Step ② still translates, but in step ③ the packet falls to the default drop; the NAT rule alone never lets it through.
Quick check · Q4 of 10 · Analyze

You create a DNAT rule to publish a web server but external users get timeouts. What is the most likely cause?

Correct: c. On SFOS 18+ a DNAT rule only translates the address; it never permits traffic. Without a firewall rule that accepts WAN to the server, the translated packet hits the default drop. Add the allow rule alongside the DNAT rule.
👉 So far: Publishing a server needs two things — a DNAT rule to translate and a firewall rule to allow. DNAT alone never permits traffic. Add a loopback rule for internal access and read the logs to confirm.


📝 Wrap-up assessment — six more

Four questions were answered inline; six remain. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Outbound LAN traffic to the internet uses which NAT type by default?

Correct: a. Source NAT (masquerade) rewrites the internal source IP to the WAN interface IP for outbound traffic, and Sophos ships a default SNAT/MASQ rule so internet access works out of the box. DNAT is inbound; full NAT does both.
Q6 · Understand

On SFOS 18+, what does the firewall rule decide versus the NAT rule?

Correct: b. Since SFOS 18 the two are separate tables: the firewall rule answers 'is this allowed?' (Accept/Drop/Reject) and the NAT rule answers 'how is the address translated?'. They are evaluated independently.
Q7 · Apply

You must let external customers reach an internal web server. Which combination do you create?

Correct: c. Publishing a server needs both: a DNAT rule to translate the public destination to the internal server, and a firewall rule that accepts the inbound WAN-to-server session. DNAT alone never allows traffic.
Q8 · Analyze

Internal staff cannot reach the published server by its public URL, though external users can. What is missing?

Correct: c. When internal users hit the public address, traffic never leaves to the WAN to be translated. A loopback / reflexive NAT rule lets internal users reach the published server by its public IP from inside the LAN.
Q9 · Evaluate

An interviewer asks why rule order matters on Sophos Firewall. Best answer?

Correct: b. Firewall rules are evaluated top-down and the first match decides the action. A broad Accept or Drop placed above a specific rule will shadow it, so specific rules belong above general ones; Rule Groups help keep that order visible.
Q10 · Evaluate

A published server times out from the internet. What is the fastest, most reliable first diagnostic step?

Correct: d. The logs are authoritative: the firewall log shows whether the inbound session hit an Accept rule or the default drop, and the NAT log confirms the DNAT translation. That tells you immediately whether you are missing the allow rule or the NAT rule — no guessing.

🧠 In your own words

Type one line: on SFOS 18+, why isn't a DNAT rule enough to publish a server? Then compare with the expert version.

Expert version: Because since SFOS 18 the firewall rule table and the NAT rule table are two separate, independently evaluated things. The DNAT rule only translates the destination address to the internal server; it never decides whether the traffic is allowed. So the inbound session also needs a firewall rule that accepts WAN to that server — otherwise the translated packet just hits the default drop and external users time out. Publishing a server is always two decisions: allow it (firewall rule) and translate it (NAT rule), plus a loopback rule if internal users must reach it by its public address.


📖 Glossary

SFOS
Sophos Firewall OS — the operating system on Sophos Firewall appliances (v18 and later, current in 2026), successor to the older XG firmware.
Firewall rule table
The ordered, top-down, first-match list of rules that decides whether traffic is accepted, dropped or rejected.
Rule Group
An ordered container that groups related firewall rules for clarity and bulk management; it does not change first-match semantics.
User / Network rule
The everyday firewall rule type controlling traffic by zone, network, service, schedule, user identity and security profiles.
Business Application rule
A wizard-driven firewall rule for publishing internal servers via DNAT, optionally protected by WAF.
NAT rule
A rule in the separate NAT table (SFOS 18+) that translates addresses — SNAT/MASQ, DNAT, full NAT or loopback. It never allows traffic on its own.
SNAT / MASQ
Source NAT (masquerade) — rewrites outbound source addresses to the WAN interface IP. The default MASQ rule provides internet access.
DNAT
Destination NAT — rewrites the destination so external users reach an internal server (server publishing / port forwarding).
Full NAT
A NAT rule that translates both the source and destination addresses in one rule.
Loopback / reflexive rule
A NAT rule that lets internal users reach a published server using its public address from inside the LAN.


What's next?

Got rules and NAT straight? Next, see how Sophos Firewall and Sophos endpoints share health over the Security Heartbeat — Synchronized Security — to automatically isolate a compromised host the moment it turns red.