Firewall rules always match on the address which has more information. In other words if the entire internal network is being NATd from 192.168.*.* to 18.104.22.168, Firewall will match on the 192.168.*.* for traffic to and from this network. At the session layer this works out to be pre-NAT on source address, post-NAT on destination address, pre-NAT on source port, and post-NAT on destination port. An easy way to remember this is that it always matches where it gets the most information.
Have more questions? Submit a request