DESCRIPTION: Why does the "Nat mapping" message appear frequently in the logs, and why does it sometimes show 0.0.0.0 and sometimes a specific IP address?
The frequency of these log entries is expected behaviour, especially when the logging level is set to a higher level.
These NAT (Network Address Translation) mapping messages are logged for valid and genuine traffic; this can be confirmed by checking the notes section under the details of these logs.
The logs show 0.0.0.0 when the traffic matches the default NAT policy, which does not perform NAT. It is a no-NAT NAT policy.
For example, in the screenshots above you can see that the address is 0.0.0.0 when the traffic has the same source and destination interface. It can be any protocol, but the traffic does not require any NAT.
The other NAT policy logs are for traffic matching a particular outbound NAT policy.
The no-NAT NAT policy is shown below.
The default NO-NAT NAT policy is highlighted above. When it is hit, there is no translated IP address, and as a result the NAT log message shows 0.0.0.0.
As an example from the screenshot above, X1 and X3 are WAN interfaces. When traffic from X0 is sent over X1 and X3, it hits the outbound NAT policy, which translates to X1 and X3 respectively, so the log messages include an IP address. Traffic from X0 > X0, or between interfaces which do not have a specific NAT policy, falls under the default NAT policy highlighted above, and the log messages show 0.0.0.0.