The public-ip destination match enable command enables the public IP address matching function in NAT Server scenarios.
The undo public-ip destination match enable command disables the public IP address matching function in NAT Server scenarios.
By default, this function is disabled.
For example, the server's real (private) IP address is 10.1.1.1, and NAT Server maps it to the public IP address 1.1.1.1. Because NAT Server translates the destination address before the security policy is looked up, the FW by default compares the destination IP address in a security policy against the private address 10.1.1.1. After the public IP address matching function is enabled, the FW compares it against the public address 1.1.1.1 instead, that is, the address the client actually sent the packet to.
This command changes only how the destination address is matched in the security policy; it does not change the NAT Server translation itself. Once the function is enabled, the destination-address of a security policy for NAT Server traffic must be the specific public IP address of the mapping; a rule written against the private address (10.1.1.1 in the example) no longer matches that traffic.
# Prevent traffic destined for a public address (1.1.1.2) from passing through the firewall.
<sysname> system-view
[sysname] security-policy
[sysname-policy-security] public-ip destination match enable
[sysname-policy-security] rule name rule1
[sysname-policy-security-rule1] destination-address 1.1.1.2
[sysname-policy-security-rule1] source-zone untrust
[sysname-policy-security-rule1] destination-zone trust
[sysname-policy-security-rule1] action deny
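The following is an added example, not vendor code, that models the order of operations the page describes (NAT Server translation first, then security policy lookup) so that the effect of the command on the deny rule above can be checked. The data structures, the second mapping 1.1.1.2 -> 10.1.1.2, and the trailing permit rule are assumptions made for the illustration.

```python
"""Model of NAT Server followed by security-policy matching on the FW.

Added example, not the FW's own code. It only illustrates the documented
behaviour: by default the policy sees the post-NAT private destination;
with 'public-ip destination match enable' it sees the pre-NAT public one.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed NAT Server mappings (public -> private). 1.1.1.1 -> 10.1.1.1 is
# the page's example; 1.1.1.2 -> 10.1.1.2 is assumed for the deny rule.
NAT_SERVER = {"1.1.1.1": "10.1.1.1", "1.1.1.2": "10.1.1.2"}


@dataclass(frozen=True)
class Rule:
    name: str
    source_zone: str
    destination_zone: str
    destination_address: Optional[str]  # None means "any"
    action: str                         # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    original_dst: str    # destination as sent by the client (public side)
    translated_dst: str  # destination after NAT Server translation


def nat_server_translate(src_zone: str, dst_zone: str, dst_ip: str) -> Packet:
    """NAT Server rewrites a mapped public destination to its private address.

    Unmapped destinations pass through unchanged.
    """
    return Packet(src_zone, dst_zone, dst_ip, NAT_SERVER.get(dst_ip, dst_ip))


def match_policy(pkt: Packet, rules: List[Rule],
                 public_ip_destination_match: bool,
                 default_action: str = "deny") -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule.

    The flag selects which address the destination-address of a rule is
    compared against: the pre-NAT public address when the function is
    enabled, the post-NAT private address when it is disabled (default).
    """
    candidate = pkt.original_dst if public_ip_destination_match else pkt.translated_dst
    for rule in rules:
        if rule.source_zone != pkt.src_zone or rule.destination_zone != pkt.dst_zone:
            continue
        if rule.destination_address is not None and rule.destination_address != candidate:
            continue
        return rule.name, rule.action
    return "default", default_action


# The page's deny rule, followed by an assumed catch-all permit for the zone pair.
RULES = [
    Rule("rule1", "untrust", "trust", "1.1.1.2", "deny"),
    Rule("allow_servers", "untrust", "trust", None, "permit"),
]


def decide(dst_ip: str, public_ip_destination_match: bool,
           rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Untrust -> trust packet to dst_ip: translate, then match the policy."""
    pkt = nat_server_translate("untrust", "trust", dst_ip)
    return match_policy(pkt, rules, public_ip_destination_match)


if __name__ == "__main__":
    for enabled in (False, True):
        name, action = decide("1.1.1.2", enabled)
        print(f"public-ip destination match {'enabled ' if enabled else 'disabled'}: "
              f"packet to 1.1.1.2 hits {name} -> {action}")
```

With the function disabled, the packet to 1.1.1.2 arrives at the policy as 10.1.1.2, so rule1 (destination-address 1.1.1.2) is skipped and the traffic is permitted by the catch-all; only after enabling the function does rule1 deny it. Conversely, a rule written against the private address 10.1.1.2 matches only while the function is disabled.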