If you only want to allow the Datadog ports, use an SNAT instead of a masq rule. Start with a Service Group "Datadog" containing Service definitions for 10514 and 10516. Then a NAT rule like 'SNAT : Any -> Datadog -> Any : from Internal (Address)'. You can make a similar rule for the Web Surfing group. As #2 in Rulz (last updated 2019-04-17) clarifies, the automatic rules created by the configuration daemon (based on the WebAdmin databases) for Web Filtering preclude the need for a second NAT rule. All that said, your masqing solution will work fine.

Cheers - Bob