Use Network Address Translation (NAT) policies to specify whether source or destination IP addresses and ports are converted between public and private addresses and ports on Layer 3 interfaces. For example, private source addresses can be translated to public addresses on traffic sent from an internal (trusted) zone to a public (untrusted) zone.

The following NAT policy rule translates a range of private source addresses (10.0.0.1 to 10.0.0.100) to a single public IP address (200.10.2.100) and a unique source port number (dynamic source translation). The rule applies only to traffic received on a Layer 3 interface in the internal (trusted) zone that is destined for an interface in the public (untrusted) zone. Because the private addresses are hidden, network sessions initiate from the public network. If the public address is not a Deep Edge interface address (or on the same subnet), the local router requires a static route to direct return traffic to Deep Edge.
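
The rule described above can be modeled in a few lines to show how the zone match, the address range, and the per-flow source port fit together. This is an added example, not Deep Edge code or configuration. The class and method names, the zone labels `trusted` and `untrusted`, and the 1024-65535 port pool are assumptions made for illustration.

```python
import ipaddress

# Values taken from the rule described above.
SRC_FIRST = ipaddress.ip_address("10.0.0.1")
SRC_LAST = ipaddress.ip_address("10.0.0.100")
PUBLIC_IP = "200.10.2.100"


class DynamicSourceNat:
    """Toy model of the rule: many private sources share one public IP."""

    def __init__(self, first_port=1024, last_port=65535):
        # Assumption: the public source port pool; the page does not state one.
        self._free_ports = iter(range(first_port, last_port + 1))
        self._out = {}   # (private ip, private port) -> public port
        self._back = {}  # public port -> (private ip, private port)

    def matches(self, src_zone, dst_zone, src_ip):
        """The rule applies only trusted -> untrusted, and only to the range."""
        in_range = SRC_FIRST <= ipaddress.ip_address(src_ip) <= SRC_LAST
        return src_zone == "trusted" and dst_zone == "untrusted" and in_range

    def translate_outbound(self, src_zone, dst_zone, src_ip, src_port):
        """Return the (source ip, source port) the packet leaves with."""
        if not self.matches(src_zone, dst_zone, src_ip):
            return (src_ip, src_port)  # rule does not apply: left untranslated
        key = (src_ip, src_port)
        if key not in self._out:
            port = next(self._free_ports, None)
            if port is None:
                raise RuntimeError("public source port pool exhausted")
            self._out[key] = port
            self._back[port] = key
        return (PUBLIC_IP, self._out[key])

    def translate_reply(self, dst_ip, dst_port):
        """Map return traffic back to the private host, or None if no mapping."""
        if dst_ip != PUBLIC_IP:
            return None
        return self._back.get(dst_port)


if __name__ == "__main__":
    nat = DynamicSourceNat()
    # Constructed sample flows: two hosts reuse the same private source port.
    print(nat.translate_outbound("trusted", "untrusted", "10.0.0.1", 40000))
    print(nat.translate_outbound("trusted", "untrusted", "10.0.0.100", 40000))
    print(nat.translate_reply(PUBLIC_IP, 1025))
```

The unique public source port is what lets return traffic addressed to 200.10.2.100 reach the correct private host, and the size of that port pool bounds how many concurrent flows one public address can carry.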