DNAT traffic selection is performed via a nat-classifier. Nat-classifier is defined under config>service>nat hierarchy and is referenced within the nat-policy.
config>service>nat # nat-classifier <name> create
default-action {dnat|forward} [ip-addr <ip-address>]
default-dnat-ip-address <ip-addr>
description <description-string>
entry <entry-id> create
action {dnat|forward}[ip-addr <ipv4-address>]
description <description-string>
match protocol {tcp | udp}
match dst-port range start <port-number> end <port-number>
match foreign-ip <ip-address>
exit
default-dnat-ip-address is used in all match criteria that contain DNAT action without specific destination IP address. However, the default-dnat-ip-address is ignored in cases where IP address is explicitly configured as part of the action within the match criteria.
default-action is applied to all packets that do not satisfy any match criteria.
forward (forwarding action) has no effect on the packets and transparently forwards packets through the nat-classifier.
By default, packets that do not match any matching criteria are transparently passed through the classifier.