How to detect external IP while SNAT is turned on?

HenPorcilan 1

When traffic is facing my Firewall, both SNAT and DNAT are enabled.
SNAT converts the external IP into the FWs IP, so my next hop (WAF) sees the traffic as originated by the FW.

For the DNAT, Microsoft supports the following audit:
TCP request from 20.20.20.20:36538 to 21.21.21.21:443 was DNAT'ed to 10.10.10.10:443

Unfortunately not an existing audit for SNAT, once I want to find the external IP - tried to corollate by timing and using the DNAT logs but can't do that since there is heavy traffic and multiple events at the same time.

Would like to hear if anyone faced that challenge and how to solve it.

KapilAnanth-MSFT 44,556 Reputation points Microsoft Employee

2022-08-22T12:07:07.327+00:00

Hi @HenPorcilan ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to log SNAT IP from Azure Firewall.

Your observation is correct, currently, Azure Firewall does not have a mechanism to log SNAT IP for a request.

You can consider raising this feature request here: https://feedback.azure.com/d365community/forum/79b1327d-d925-ec11-b6e6-000d3a4f06a4

Cheers,
Kapil
HenPorcilan 1 Reputation point

2022-08-25T02:45:03.303+00:00

Hi There,

I understand you don't have a solution for that problem as for now.
raised a feature request, hope It will be resolved soon since it is significant problem (I can see attacks at the WAF but can't detect and perform blocks at the FW level).
KapilAnanth-MSFT 44,556 Reputation points Microsoft Employee

2022-08-29T06:13:16.763+00:00

Hi @HenPorcilan ,

Sure.
I have already created a work item on this to follow up with our Product Team.

Thank you for your contribution and feedback.

Cheers,
Kapil

Share via

How to detect external IP while SNAT is turned on?

Your answer