When creating a firewall rule to allow traffic that matches a DNAT rule, what destination IP should be utilized?

Prepare for the Sophos XG Firewall Technician (S80) Exam. Utilize flashcards and multiple-choice questions with detailed hints and explanations. Ace your certification!

When creating a firewall rule to allow traffic that matches a DNAT (Destination Network Address Translation) rule, the destination IP that should be utilized is the PRE-NAT address.

This is because the DNAT process modifies the destination address of incoming traffic to a private IP address within a network for security and routing purposes. When a device outside the network sends packets destined for the public IP assigned to the firewall, those packets initially arrive at that public IP (the PRE-NAT address). The firewall then applies the DNAT rule to change the destination IP address to a private IP address (often within the local area network) before forwarding it.

Thus, when configuring the corresponding firewall rule to allow that traffic, reference the PRE-NAT address as the destination. This ensures that the firewall rule matches inbound traffic addressed to the public IP before any translation occurs, so the allowed traffic is processed by the firewall as intended.
