[ScreenOS] How to implement the DIP group

  [KB25569]


This article provides information on how to implement the DIP group.

  • On the firewall, there are two ISP connections - Ethernet1/1 and Ethernet1/3; both are in the Untrust zone.

  • The requirement is to access a server on the Internet that restricts access to a limited set of source IP addresses.

  • In this case, the server will allow connections from and IP addresses:

  • Traditionally, you would create a DIP with one of the IPs and bind it to the security policy for source NAT.

  • However, in the case of ISP failover this creates an issue, because the firewall cannot bind two DIPs in the same policy.


To work around this limitation, you can use a DIP group, to which the DIP IDs created on the Ethernet1/1 and Ethernet1/3 interfaces are bound as members. After binding the DIPs to the DIP group, the group itself can be bound to the policy.

The following configurations are on the device:

Interface configuration on the device:

set interface ethernet1/2 ip
set interface ethernet1/1 ip
set interface ethernet1/3 ip
Configure a DIP on each of the Ethernet1/1 and Ethernet1/3 interfaces:
set interface ethernet1/1 dip 5
set interface ethernet1/3 dip 6

.192-> get dip

DipId   Dip Low    Dip High   Interface    Attribute      Usage
5  ethernet1/1   port-xlate     n/a
6  ethernet1/3   port-xlate     n/a
Bind these DIPs to a DIP group by using the following commands:
set dip group 7
set dip group 7 member 6
set dip group 7 member 5
Use the DIP group in the policy for translation:
set policy id 1 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" nat src dip-id 7 permit log 

With this configuration, the firewall source-NATs the traffic by selecting the DIP in the group that is bound to the egress interface, so translation keeps working when traffic fails over from one ISP interface to the other.
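The following Python script is an added example, not part of the KB article, that audits a ScreenOS configuration dump for exactly the failover problem described above: it parses the `set interface ... dip`, `set dip group ...` and `set policy ... nat src dip-id` commands, resolves each policy's dip-id to the interfaces it can translate on, and flags any policy whose source NAT is pinned to a single interface. The sample configuration embedded in the script is constructed; the IP addresses are placeholder values, and policy id 2 (a policy bound directly to DIP 5) is added only to show what a finding looks like.

```python
import re
from collections import defaultdict

# Constructed sample configuration: the commands from the article with
# placeholder addresses (the article's real values are not reproduced).
# Policy id 2 is a constructed counter-example bound to a single DIP.
SAMPLE_CONFIG = """
set interface ethernet1/2 ip 10.0.0.1/24
set interface ethernet1/1 ip 192.0.2.2/30
set interface ethernet1/3 ip 198.51.100.2/30
set interface ethernet1/1 dip 5 192.0.2.10 192.0.2.10
set interface ethernet1/3 dip 6 198.51.100.10 198.51.100.10
set dip group 7
set dip group 7 member 6
set dip group 7 member 5
set policy id 1 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" nat src dip-id 7 permit log
set policy id 2 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "ANY" nat src dip-id 5 permit
"""

DIP_RE = re.compile(r"^set interface (\S+) dip (\d+)")
GROUP_RE = re.compile(r"^set dip group (\d+)(?: member (\d+))?$")
POLICY_RE = re.compile(r"^set policy id (\d+) .*?nat src dip-id (\d+)")


def parse_config(text):
    """Return (dip id -> interface, group id -> member dip ids, policy id -> dip-id)."""
    dips = {}
    groups = defaultdict(set)
    policies = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = DIP_RE.match(line)
        if m:
            dips[int(m.group(2))] = m.group(1)
            continue
        m = GROUP_RE.match(line)
        if m:
            gid = int(m.group(1))
            groups[gid]  # register the group even if it has no members yet
            if m.group(2):
                groups[gid].add(int(m.group(2)))
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[int(m.group(1))] = int(m.group(2))
    return dips, dict(groups), policies


def egress_interfaces(dip_id, dips, groups):
    """Interfaces a policy's dip-id can translate on, plus any undefined member ids.

    A dip-id may name either a DIP group or a single DIP; ScreenOS shares
    one id space for both, so the group is checked first.
    """
    if dip_id in groups:
        members = groups[dip_id]
        found = {dips[m] for m in members if m in dips}
        missing = sorted(m for m in members if m not in dips)
        return found, missing
    if dip_id in dips:
        return {dips[dip_id]}, []
    return set(), [dip_id]


def audit(text):
    """Map each NAT policy id to 'ok' or a description of the failover risk."""
    dips, groups, policies = parse_config(text)
    findings = {}
    for pid, did in policies.items():
        ifaces, missing = egress_interfaces(did, dips, groups)
        if missing:
            findings[pid] = f"dip-id {did} references undefined DIP(s) {missing}"
        elif len(ifaces) < 2:
            findings[pid] = (f"dip-id {did} covers only {sorted(ifaces)}; "
                             "source NAT breaks on ISP failover")
        else:
            findings[pid] = "ok"
    return findings


if __name__ == "__main__":
    for pid, result in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"policy {pid}: {result}")
```

Running the script against a real `get config` dump instead of `SAMPLE_CONFIG` gives a quick check that every source-NAT policy on a multi-ISP Untrust zone uses a DIP group whose members span the redundant interfaces, rather than a DIP pinned to one of them.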

Modification History:

2019-09-10: Minor edits. Non-technical.
