"Invalid Object in Source of Address Translation Rule #" when installing / verifying policy
  • Scenario 1: When installing / verifying the security policy, users see the following warning:

    Installation Targets   Version   Policy Type        Details
    fw_cluster             R7x.xx    Network Security   Invalid Object in Source of Address Translation Rule #. The range size of Original and Translated columns must be the same.
    fw_cluster             R7x.xx    Network Security   Policy verification failed.
    fw_cluster             R7x.xx    Network Security   Operation ended with errors.

  • Scenario 2: Policy installation fails with “invalid object in original source of address translation rule xxx. the valid objects are: host.gateway. network. address range and route”.

Scenario 1

This is caused by trying to create a manual NAT rule which translates a whole network to a single IP while the NAT method is set to "Static".

The "Static" NAT method is for 1:1 translations only (host:host, network:network) whereas the "Hide" NAT method is for 1:many translations (host:network).

Scenario 2

The rule contains a group of type "Group with exclusion".

Groups of type "Group with exclusion" are not supported in the NAT rulebase.


Scenario 1

To hide a whole network behind a single IP, you need to use "Hide" as the NAT method. To change it, follow this procedure:

  1. Right-click the translated host.
  2. Select "NAT method..." from the drop-down menu.
  3. Choose "Hide".

You can tell which NAT method is being used by looking at the lower-right side of the translated object. For "Static", there is a red "S"; for "Hide", there is a red "H".


Scenario 2

Delete the group and rebuild it as a "Simple Group" object.
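
Both checks described above, as an added example (not Check Point code): a lint that flags a manual NAT rule whose "Static" method maps ranges of different size, or whose Original Source is a "Group with exclusion". The rule dictionaries, type labels and sample rules are constructed for illustration and do not reflect any Check Point export format.

```python
import ipaddress

def object_size(obj):
    """Number of addresses covered by a host, network or address-range object."""
    if obj["type"] == "host":
        return 1
    if obj["type"] == "network":
        return ipaddress.ip_network(obj["cidr"]).num_addresses
    if obj["type"] == "address-range":
        first, last = (int(ipaddress.ip_address(obj[k])) for k in ("first", "last"))
        return last - first + 1
    raise ValueError(f"cannot size object type {obj['type']!r}")

def check_nat_rule(rule):
    """Return findings for one manual NAT rule; an empty list means it passes."""
    src, dst = rule["original_source"], rule["translated_source"]
    # Scenario 2: "Group with exclusion" is not supported in the NAT rulebase.
    if src["type"] == "group-with-exclusion":
        return [f"rule {rule['number']}: Group with exclusion in Original Source"]
    # Scenario 1: Static is 1:1, so both columns must cover the same range size.
    if rule["method"] == "static":
        a, b = object_size(src), object_size(dst)
        if a != b:
            return [f"rule {rule['number']}: Static NAT size mismatch ({a} vs {b}); use Hide"]
    return []

def check_rulebase(rules):
    """Map each rule number to its list of findings."""
    return {r["number"]: check_nat_rule(r) for r in rules}

# Constructed sample rules (hypothetical structure, documentation addresses).
NET = {"type": "network", "cidr": "10.1.1.0/24"}
HOST = {"type": "host", "ip": "192.0.2.10"}
RULES = [
    {"number": 1, "method": "static", "original_source": NET, "translated_source": HOST},
    {"number": 2, "method": "hide", "original_source": NET, "translated_source": HOST},
    {"number": 3, "method": "static", "original_source": NET,
     "translated_source": {"type": "address-range", "first": "192.0.2.0", "last": "192.0.2.255"}},
    {"number": 4, "method": "hide", "original_source": {"type": "group-with-exclusion"},
     "translated_source": HOST},
]

if __name__ == "__main__":
    for number, findings in check_rulebase(RULES).items():
        print(number, findings or "ok")
```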

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

