diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in
index 0a639bd80..73a748137 100644
--- a/interface-definitions/nat.xml.in
+++ b/interface-definitions/nat.xml.in
@@ -1,158 +1,159 @@
 <?xml version="1.0"?>
 <interfaceDefinition>
   <node name="nat" owner="${vyos_conf_scripts_dir}/nat.py">
     <properties>
       <help>Network Address Translation (NAT) parameters</help>
       <priority>220</priority>
     </properties>
     <children>
       <node name="destination">
         <properties>
           <help>Destination NAT settings</help>
         </properties>
         <children>
           #include <include/nat-rule.xml.i>
           <tagNode name="rule">
             <children>
               #include <include/firewall/inbound-interface.xml.i>
               <node name="translation">
                 <properties>
                   <help>Inside NAT IP (destination NAT only)</help>
                 </properties>
                 <children>
                   <leafNode name="address">
                     <properties>
                       <help>IP address, subnet, or range</help>
                       <valueHelp>
                         <format>ipv4</format>
                         <description>IPv4 address to match</description>
                       </valueHelp>
                       <valueHelp>
                         <format>ipv4net</format>
                         <description>IPv4 prefix to match</description>
                       </valueHelp>
                       <valueHelp>
                         <format>ipv4range</format>
                         <description>IPv4 address range to match</description>
                       </valueHelp>
                       <constraint>
                         <validator name="ipv4-prefix"/>
                         <validator name="ipv4-address"/>
                         <validator name="ipv4-range"/>
                       </constraint>
                     </properties>
                   </leafNode>
                   #include <include/nat-translation-port.xml.i>
                   #include <include/nat-translation-options.xml.i>
                   <node name="redirect">
                     <properties>
                       <help>Redirect to local host</help>
                     </properties>
                     <children>
                       #include <include/nat-translation-port.xml.i>
                     </children>
                   </node>
                 </children>
               </node>
             </children>
           </tagNode>
         </children>
       </node>
       <node name="source">
         <properties>
           <help>Source NAT settings</help>
         </properties>
         <children>
           #include <include/nat-rule.xml.i>
           <tagNode name="rule">
             <properties>
               <help>Rule number for NAT</help>
               <valueHelp>
                 <format>u32:1-999999</format>
                 <description>Number of NAT rule</description>
               </valueHelp>
               <constraint>
                 <validator name="numeric" argument="--range 1-999999"/>
               </constraint>
               <constraintErrorMessage>NAT rule number must be between 1 and 999999</constraintErrorMessage>
             </properties>
             <children>
               #include <include/firewall/outbound-interface.xml.i>
               <node name="translation">
                 <properties>
                   <help>Outside NAT IP (source NAT only)</help>
                 </properties>
                 <children>
                   <leafNode name="address">
                     <properties>
                       <help>IP address, subnet, or range</help>
                       <completionHelp>
                         <list>masquerade</list>
                       </completionHelp>
                       <valueHelp>
                         <format>ipv4</format>
                         <description>IPv4 address to match</description>
                       </valueHelp>
                       <valueHelp>
                         <format>ipv4net</format>
                         <description>IPv4 prefix to match</description>
                       </valueHelp>
                       <valueHelp>
                         <format>ipv4range</format>
                         <description>IPv4 address range to match</description>
                       </valueHelp>
                       <valueHelp>
                         <format>masquerade</format>
                         <description>NAT to the primary address of outbound-interface</description>
                       </valueHelp>
                       <constraint>
                         <validator name="ipv4-prefix"/>
                         <validator name="ipv4-address"/>
                         <validator name="ipv4-range"/>
                         <regex>(masquerade)</regex>
                       </constraint>
                     </properties>
                   </leafNode>
                   #include <include/nat-translation-port.xml.i>
                   #include <include/nat-translation-options.xml.i>
                 </children>
               </node>
             </children>
           </tagNode>
         </children>
       </node>
       <node name="static">
         <properties>
           <help>Static NAT (one-to-one)</help>
         </properties>
         <children>
           <tagNode name="rule">
             <properties>
               <help>Rule number for NAT</help>
             </properties>
             <children>
               #include <include/generic-description.xml.i>
               <node name="destination">
                 <properties>
                   <help>NAT destination parameters</help>
                 </properties>
                 <children>
                   #include <include/ipv4-address-prefix.xml.i>
                 </children>
               </node>
               #include <include/inbound-interface.xml.i>
+              #include <include/firewall/log.xml.i>
               <node name="translation">
                 <properties>
                   <help>Translation address or prefix</help>
                 </properties>
                 <children>
                   #include <include/ipv4-address-prefix.xml.i>
                 </children>
               </node>
             </children>
           </tagNode>
         </children>
       </node>
     </children>
   </node>
 </interfaceDefinition>
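Review bot: The `log` include added to the static rule lands under a `rule` tagNode whose properties contain only `<help>Rule number for NAT</help>` and no validator, unlike the source `rule` node earlier in this file, which enforces `numeric --range 1-999999`. The op-mode filter this commit adds in show-log.xml.in matches only `STATIC-(SRC|DST)-NAT-[0-9]+`, so if the log prefix is built from the rule identifier (the generating template is not part of this diff), a static rule with a non-numeric name would produce log entries that `show log nat static` never displays. Consider giving the static rule node the same constraint, `<validator name="numeric" argument="--range 1-999999"/>` with the matching `constraintErrorMessage`, or loosening the filter to agree with what the schema accepts. It is also worth confirming that nat.py or its template consumes the new leaf, since nothing visible here does and an accepted but ignored `log` option would leave operators believing translations are being recorded.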
diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in
index e13270364..c3aa324ba 100644
--- a/op-mode-definitions/show-log.xml.in
+++ b/op-mode-definitions/show-log.xml.in
@@ -1,731 +1,775 @@
 <?xml version="1.0"?>
 <interfaceDefinition>
   <node name="show">
     <properties>
       <help>Show system information</help>
     </properties>
     <children>
       <tagNode name="log">
         <properties>
           <help>Show last number of messages in master logging buffer</help>
           <completionHelp>
             <list>&lt;1-9999&gt;</list>
           </completionHelp>
         </properties>
         <command>if ${vyos_validators_dir}/numeric --range 1-9999 "$3"; then journalctl --no-hostname --boot --lines "$3"; fi</command>
       </tagNode>
       <node name="log">
         <properties>
           <help>Show contents of current master logging buffer</help>
         </properties>
         <command>journalctl --no-hostname --boot</command>
         <children>
           <leafNode name="audit">
             <properties>
               <help>Show audit logs</help>
             </properties>
             <command>cat /var/log/audit/audit.log</command>
           </leafNode>
           <leafNode name="all">
             <properties>
               <help>Show contents of all master log files</help>
             </properties>
             <command>sudo bash -c 'eval $(lesspipe); less $_vyatta_less_options --prompt=".logm, file %i of %m., page %dt of %D" -- `printf "%s\n" /var/log/messages* | sort -nr`'</command>
           </leafNode>
           <leafNode name="authorization">
             <properties>
               <help>Show listing of authorization attempts</help>
             </properties>
             <command>journalctl --no-hostname --boot --quiet SYSLOG_FACILITY=10 SYSLOG_FACILITY=4</command>
           </leafNode>
           <leafNode name="certbot">
             <properties>
               <help>Show log for certbot</help>
             </properties>
             <command>if sudo test -f /var/log/letsencrypt/letsencrypt.log; then sudo cat /var/log/letsencrypt/letsencrypt.log; else echo "Cerbot log does not exist"; fi</command>
           </leafNode>
           <leafNode name="cluster">
             <properties>
               <help>Show log for Cluster</help>
             </properties>
             <command>cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e heartbeat -e cl_status -e mach_down -e ha_log</command>
           </leafNode>
           <leafNode name="conntrack-sync">
             <properties>
               <help>Show log for Conntrack-sync</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit conntrackd.service</command>
           </leafNode>
           <leafNode name="console-server">
             <properties>
               <help>Show log for console server</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit conserver-server.service</command>
           </leafNode>
           <node name="ids">
             <properties>
               <help>Show log for for Intrusion Detection System</help>
             </properties>
             <children>
               <leafNode name="ddos-protection">
                 <properties>
                   <help>Show log for DDOS protection</help>
                 </properties>
                 <command>journalctl --no-hostname --boot --unit fastnetmon.service</command>
               </leafNode>
             </children>
           </node>
           <node name="dhcp">
             <properties>
               <help>Show log for Dynamic Host Control Protocol (DHCP)</help>
             </properties>
             <children>
               <node name="server">
                 <properties>
                   <help>Show log for DHCP server</help>
                 </properties>
                 <command>journalctl --no-hostname --boot --unit kea-dhcp4-server.service</command>
               </node>
               <node name="client">
                 <properties>
                   <help>Show DHCP client logs</help>
                 </properties>
                 <command>journalctl --no-hostname --boot --unit "dhclient@*.service"</command>
                 <children>
                   <tagNode name="interface">
                     <properties>
                       <help>Show DHCP client log on specific interface</help>
                       <completionHelp>
                         <script>${vyos_completion_dir}/list_interfaces --broadcast</script>
                       </completionHelp>
                     </properties>
                     <command>journalctl --no-hostname --boot --unit "dhclient@$6.service"</command>
                   </tagNode>
                 </children>
               </node>
             </children>
           </node>
           <node name="dhcpv6">
             <properties>
               <help>Show log for Dynamic Host Control Protocol IPv6 (DHCPv6)</help>
             </properties>
             <children>
               <node name="server">
                 <properties>
                   <help>Show log for DHCPv6 server</help>
                 </properties>
                 <command>journalctl --no-hostname --boot --unit kea-dhcp6-server.service</command>
               </node>
               <node name="client">
                 <properties>
                   <help>Show DHCPv6 client logs</help>
                 </properties>
                 <command>journalctl --no-hostname --boot --unit "dhcp6c@*.service"</command>
                 <children>
                   <tagNode name="interface">
                     <properties>
                       <help>Show DHCPv6 client log on specific interface</help>
                       <completionHelp>
                         <script>${vyos_completion_dir}/list_interfaces</script>
                       </completionHelp>
                     </properties>
                     <command>journalctl --no-hostname --boot --unit "dhcp6c@$6.service"</command>
                   </tagNode>
                 </children>
               </node>
             </children>
           </node>
           <node name="firewall">
             <properties>
               <help>Show log for Firewall</help>
             </properties>
             <command>journalctl --no-hostname --boot -k | egrep "(ipv[46]|bri)-(FWD|INP|OUT|NAM)"</command>
             <children>
               <node name="bridge">
                 <properties>
                   <help>Show firewall bridge log</help>
                 </properties>
                 <command>journalctl --no-hostname --boot -k | egrep "bri-(FWD|INP|OUT|NAM)"</command>
                 <children>
                   <node name="forward">
                     <properties>
                       <help>Show Bridge forward firewall log</help>
                     </properties>
                     <command>journalctl --no-hostname --boot -k | grep bri-FWD</command>
                     <children>
                       <node name="filter">
                         <properties>
                           <help>Show Bridge firewall forward filter</help>
                         </properties>
                         <command>journalctl --no-hostname --boot -k | grep bri-FWD-filter</command>
                         <children>
                           <tagNode name="rule">
                             <properties>
                               <help>Show log for a rule in the specified firewall</help>
                               <completionHelp>
                                 <path>firewall bridge forward filter rule</path>
                               </completionHelp>
                             </properties>
                             <command>journalctl --no-hostname --boot -k | egrep "\[bri-FWD-filter-$8-[ADRJC]\]"</command>
                           </tagNode>
                         </children>
                       </node>
                     </children>
                   </node>
                   <tagNode name="name">
                     <properties>
                       <help>Show custom Bridge firewall log</help>
                       <completionHelp>
                         <path>firewall bridge name</path>
                       </completionHelp>
                     </properties>
                     <command>journalctl --no-hostname --boot -k | grep bri-NAM-$6</command>
                     <children>
                       <tagNode name="rule">
                         <properties>
                           <help>Show log for a rule in the specified firewall</help>
                           <completionHelp>
                             <path>firewall bridge name ${COMP_WORDS[5]} rule</path>
                           </completionHelp>
                         </properties>
                         <command>journalctl --no-hostname --boot -k | egrep "\[bri-NAM-$6-$8-[ADRJC]\]"</command>
                       </tagNode>
                     </children>
                   </tagNode>
                 </children>
               </node>
               <node name="ipv4">
                 <properties>
                   <help>Show firewall IPv4 log</help>
                 </properties>
                 <command>journalctl --no-hostname --boot -k | egrep "ipv4-(FWD|INP|OUT|NAM)"</command>
                 <children>
                   <node name="forward">
                     <properties>
                       <help>Show firewall IPv4 forward log</help>
                     </properties>
                     <command>journalctl --no-hostname --boot -k | grep ipv4-FWD</command>
                     <children>
                       <node name="filter">
                         <properties>
                           <help>Show firewall IPv4 forward filter log</help>
                         </properties>
                         <command>journalctl --no-hostname --boot -k | grep ipv4-FWD-filter</command>
                         <children>
                           <tagNode name="rule">
                             <properties>
                               <help>Show log for a rule in the specified firewall</help>
                               <completionHelp>
                                 <path>firewall ipv4 forward filter rule</path>
                               </completionHelp>
                             </properties>
                             <command>journalctl --no-hostname --boot -k | egrep "\[ipv4-FWD-filter-$8-[ADRJCO]\]"</command>
                           </tagNode>
                         </children>
                       </node>
                     </children>
                   </node>
                   <node name="input">
                     <properties>
                       <help>Show firewall IPv4 input log</help>
                     </properties>
                     <command>journalctl --no-hostname --boot -k | grep ipv4-INP</command>
                     <children>
                       <node name="filter">
                         <properties>
                           <help>Show firewall IPv4 input filter log</help>
                         </properties>
                         <command>journalctl --no-hostname --boot -k | grep ipv4-INP-filter</command>
                         <children>
                           <tagNode name="rule">
                             <properties>
                               <help>Show log for a rule in the specified firewall</help>
                               <completionHelp>
                                 <path>firewall ipv4 input filter rule</path>
                               </completionHelp>
                             </properties>
                             <command>journalctl --no-hostname --boot -k | egrep "\[ipv4-INP-filter-$8-[ADRJC]\]"</command>
                           </tagNode>
                         </children>
                       </node>
                     </children>
                   </node>
                   <tagNode name="name">
                     <properties>
                       <help>Show custom IPv4 firewall log</help>
                       <completionHelp>
                         <path>firewall ipv4 name</path>
                       </completionHelp>
                     </properties>
                     <command>journalctl --no-hostname --boot -k | grep ipv4-NAM-$6</command>
                     <children>
                       <tagNode name="rule">
                         <properties>
                           <help>Show log for a rule in the specified firewall</help>
                           <completionHelp>
                             <path>firewall ipv4 name ${COMP_WORDS[5]} rule</path>
                           </completionHelp>
                         </properties>
                         <command>journalctl --no-hostname --boot -k | egrep "\[ipv4-NAM-$6-$8-[ADRJC]\]"</command>
                       </tagNode>
                     </children>
                   </tagNode>
                   <node name="output">
                     <properties>
                       <help>Show firewall IPv4 output log</help>
                     </properties>
                     <command>journalctl --no-hostname --boot -k | grep ipv4-OUT</command>
                     <children>
                       <node name="filter">
                         <properties>
                           <help>Show firewall IPv4 output filter log</help>
                         </properties>
                         <command>journalctl --no-hostname --boot -k | grep ipv4-OUT-filter</command>
                         <children>
                           <tagNode name="rule">
                             <properties>
                               <help>Show log for a rule in the specified firewall</help>
                               <completionHelp>
                                 <path>firewall ipv4 output filter rule</path>
                               </completionHelp>
                             </properties>
                             <command>journalctl --no-hostname --boot -k | egrep "\[ipv4-OUT-filter-$8-[ADRJC]\]"</command>
                           </tagNode>
                         </children>
                       </node>
                     </children>
                   </node>
                 </children>
               </node>
               <node name="ipv6">
                 <properties>
                   <help>Show firewall IPv6 log</help>
                 </properties>
                 <command>journalctl --no-hostname --boot -k | egrep "ipv6-(FWD|INP|OUT|NAM)"</command>
                 <children>
                   <node name="forward">
                     <properties>
                       <help>Show firewall IPv6 forward log</help>
                     </properties>
                     <command>journalctl --no-hostname --boot -k | grep ipv6-FWD</command>
                     <children>
                       <node name="filter">
                         <properties>
                           <help>Show firewall IPv6 forward filter log</help>
                         </properties>
                         <command>journalctl --no-hostname --boot -k | grep ipv6-FWD-filter</command>
                         <children>
                           <tagNode name="rule">
                             <properties>
                               <help>Show log for a rule in the specified firewall</help>
                               <completionHelp>
                                 <path>firewall ipv6 forward filter rule</path>
                               </completionHelp>
                             </properties>
                             <command>journalctl --no-hostname --boot -k | egrep "\[ipv6-FWD-filter-$8-[ADRJCO]\]"</command>
                           </tagNode>
                         </children>
                       </node>
                     </children>
                   </node>
                   <node name="input">
                     <properties>
                       <help>Show firewall IPv6 input log</help>
                     </properties>
                     <command>journalctl --no-hostname --boot -k | grep ipv6-INP</command>
                     <children>
                       <node name="filter">
                         <properties>
                           <help>Show firewall IPv6 input filter log</help>
                         </properties>
                         <command>journalctl --no-hostname --boot -k | grep ipv6-INP-filter</command>
                         <children>
                           <tagNode name="rule">
                             <properties>
                               <help>Show log for a rule in the specified firewall</help>
                               <completionHelp>
                                 <path>firewall ipv6 input filter rule</path>
                               </completionHelp>
                             </properties>
                             <command>journalctl --no-hostname --boot -k | egrep "\[ipv6-INP-filter-$8-[ADRJC]\]"</command>
                           </tagNode>
                         </children>
                       </node>
                     </children>
                   </node>
                   <tagNode name="name">
                     <properties>
                       <help>Show custom IPv6 firewall log</help>
                       <completionHelp>
                         <path>firewall ipv6 name</path>
                       </completionHelp>
                     </properties>
                     <command>journalctl --no-hostname --boot -k | grep ipv6-NAM-$6</command>
                     <children>
                       <tagNode name="rule">
                         <properties>
                           <help>Show log for a rule in the specified firewall</help>
                           <completionHelp>
                             <path>firewall ipv6 name ${COMP_WORDS[5]} rule</path>
                           </completionHelp>
                         </properties>
                         <command>journalctl --no-hostname --boot -k | egrep "\[ipv6-NAM-$6-$8-[ADRJC]\]"</command>
                       </tagNode>
                     </children>
                   </tagNode>
                   <node name="output">
                     <properties>
                       <help>Show firewall IPv6 output log</help>
                     </properties>
                     <command>journalctl --no-hostname --boot -k | grep ipv6-OUT</command>
                     <children>
                       <node name="filter">
                         <properties>
                           <help>Show firewall IPv6 output filter log</help>
                         </properties>
                         <command>journalctl --no-hostname --boot -k | grep ipv6-OUT-filter</command>
                         <children>
                           <tagNode name="rule">
                             <properties>
                               <help>Show log for a rule in the specified firewall</help>
                               <completionHelp>
                                 <path>firewall ipv6 output filter rule</path>
                               </completionHelp>
                             </properties>
                             <command>journalctl --no-hostname --boot -k | egrep "\[ipv6-OUT-filter-$8-[ADRJC]\]"</command>
                           </tagNode>
                         </children>
                       </node>
                     </children>
                   </node>
                 </children>
               </node>
             </children>
           </node>
           <leafNode name="flow-accounting">
             <properties>
               <help>Show log for flow-accounting</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit uacctd.service</command>
           </leafNode>
           <leafNode name="https">
             <properties>
               <help>Show log for HTTPs</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit nginx.service</command>
           </leafNode>
           <tagNode name="image">
             <properties>
               <help>Show contents of master log file for image</help>
               <completionHelp>
                 <script>compgen -f /lib/live/mount/persistence/boot/ | grep -v grub | sed -e s@/lib/live/mount/persistence/boot/@@</script>
               </completionHelp>
             </properties>
             <command>less $_vyatta_less_options --prompt=".log, page %dt of %D" -- /lib/live/mount/persistence/boot/$4/rw/var/log/messages</command>
             <children>
               <leafNode name="all">
                 <properties>
                   <help>Show contents of all master log files for image</help>
                 </properties>
                 <command>eval $(lesspipe); less $_vyatta_less_options --prompt=".log?m, file %i of %m., page %dt of %D" -- `printf "%s\n" /lib/live/mount/persistence/boot/$4/rw/var/log/messages* | sort -nr`</command>
               </leafNode>
               <leafNode name="authorization">
                 <properties>
                   <help>Show listing of authorization attempts for image</help>
                 </properties>
                 <command>less $_vyatta_less_options --prompt=".log, page %dt of %D" -- /lib/live/mount/persistence/boot/$4/rw/var/log/auth.log</command>
               </leafNode>
               <tagNode name="tail">
                 <properties>
                   <help>Show last changes to messages</help>
                   <completionHelp>
                     <list>&lt;NUMBER&gt;</list>
                   </completionHelp>
                 </properties>
                 <command>tail -n "$6" /lib/live/mount/persistence/boot/$4/rw/var/log/messages | ${VYATTA_PAGER:-cat}</command>
               </tagNode>
             </children>
           </tagNode>
           <leafNode name="ipoe-server">
             <properties>
               <help>Show log for IPoE server</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit accel-ppp@ipoe.service</command>
           </leafNode>
           <leafNode name="kernel">
             <properties>
               <help>Show log for Linux Kernel</help>
             </properties>
             <command>journalctl --no-hostname --boot --dmesg</command>
           </leafNode>
           <leafNode name="lldp">
             <properties>
               <help>Show log for Link Layer Discovery Protocol (LLDP)</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit lldpd.service</command>
           </leafNode>
-          <leafNode name="nat">
+          <node name="nat">
             <properties>
               <help>Show log for Network Address Translation (NAT)</help>
             </properties>
-            <command>egrep -i "kernel:.*\[NAT-[A-Z]{3,}-[0-9]+(-MASQ)?\]" $(find /var/log -maxdepth 1 -type f -name messages\* | sort -t. -k2nr)</command>
-          </leafNode>
+            <children>
+              <node name="destination">
+                <properties>
+                  <help>Show NAT destination log</help>
+                </properties>
+                <command>journalctl --no-hostname --boot -k | egrep "\[DST-NAT-[0-9]+\]"</command>
+                <children>
+                  <tagNode name="rule">
+                    <properties>
+                      <help>Show NAT destination log for specified rule</help>
+                    </properties>
+                    <command>journalctl --no-hostname --boot -k | egrep "\[DST-NAT-$6\]"</command>
+                  </tagNode>
+                </children>
+              </node>
+              <node name="source">
+                <properties>
+                  <help>Show NAT source log</help>
+                </properties>
+                <command>journalctl --no-hostname --boot -k | egrep "\[SRC-NAT-[0-9]+(-MASQ)?\]"&quot;"</command>
+                <children>
+                  <tagNode name="rule">
+                    <properties>
+                      <help>Show NAT source log for specified rule</help>
+                    </properties>
+                    <command>journalctl --no-hostname --boot -k | egrep "\[SRC-NAT-$6(-MASQ)?\]"</command>
+                  </tagNode>
+                </children>
+              </node>
+              <node name="static">
+                <properties>
+                  <help>Show NAT static log</help>
+                </properties>
+                <command>journalctl --no-hostname --boot -k | egrep "\[STATIC-(SRC|DST)-NAT-[0-9]+\]"</command>
+                <children>
+                  <tagNode name="rule">
+                    <properties>
+                      <help>Show NAT static log for specified rule</help>
+                    </properties>
+                    <command>journalctl --no-hostname --boot -k | egrep "\[STATIC-(SRC|DST)-NAT-$6\]"</command>
+                  </tagNode>
+                </children>
+              </node>
+            </children>
+            <command>journalctl --no-hostname --boot -k | egrep "\[(STATIC-)?(DST|SRC)-NAT-[0-9]+(-MASQ)?\]"</command>
+          </node>
           <leafNode name="ndp-proxy">
             <properties>
               <help>Show log for Neighbor Discovery Protocol (NDP) Proxy</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit ndppd.service</command>
           </leafNode>
           <leafNode name="nhrp">
             <properties>
               <help>Show log for Next Hop Resolution Protocol (NHRP)</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit opennhrp.service</command>
           </leafNode>
           <leafNode name="ntp">
             <properties>
               <help>Show log for Network Time Protocol (NTP)</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit chrony.service</command>
           </leafNode>
           <node name="macsec">
             <properties>
               <help>Show log for MACsec</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit "wpa_supplicant-macsec@*.service"</command>
             <children>
               <tagNode name="interface">
                 <properties>
                   <help>Show MACsec log on specific interface</help>
                   <completionHelp>
                     <path>interfaces macsec</path>
                   </completionHelp>
                 </properties>
                 <command>SRC=$(cli-shell-api returnValue interfaces macsec "$5" source-interface); journalctl --no-hostname --boot --unit "wpa_supplicant-macsec@$SRC.service"</command>
               </tagNode>
             </children>
           </node>
           <node name="openvpn">
             <properties>
               <help>Show log for OpenVPN</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit openvpn@*.service</command>
             <children>
               <tagNode name="interface">
                 <properties>
                   <help>Show OpenVPN log on specific interface</help>
                   <completionHelp>
                     <path>interfaces openvpn</path>
                   </completionHelp>
                 </properties>
                 <command>journalctl --no-hostname --boot --unit openvpn@$5.service</command>
               </tagNode>
             </children>
           </node>
           <node name="pppoe">
             <properties>
               <help>Show log for PPPoE interface</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit "ppp@pppoe*.service"</command>
             <children>
               <tagNode name="interface">
                 <properties>
                   <help>Show PPPoE log on specific interface</help>
                   <completionHelp>
                     <path>interfaces pppoe</path>
                   </completionHelp>
                 </properties>
                 <command>journalctl --no-hostname --boot --unit "ppp@$5.service"</command>
               </tagNode>
             </children>
           </node>
           <leafNode name="pppoe-server">
             <properties>
               <help>Show log for PPPoE server</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit accel-ppp@pppoe.service</command>
           </leafNode>
           <node name="protocol">
             <properties>
               <help>Show log for Routing Protocol</help>
             </properties>
             <children>
               <leafNode name="ospf">
                 <properties>
                   <help>Show log for OSPF</help>
                 </properties>
                 <command>journalctl --boot /usr/lib/frr/ospfd</command>
               </leafNode>
               <leafNode name="ospfv3">
                 <properties>
                   <help>Show log for OSPF for IPv6</help>
                 </properties>
                 <command>journalctl --boot /usr/lib/frr/ospf6d</command>
               </leafNode>
               <leafNode name="bgp">
                 <properties>
                   <help>Show log for BGP</help>
                 </properties>
                 <command>journalctl --boot /usr/lib/frr/bgpd</command>
               </leafNode>
               <leafNode name="rip">
                 <properties>
                   <help>Show log for RIP</help>
                 </properties>
                 <command>journalctl --boot /usr/lib/frr/ripd</command>
               </leafNode>
               <leafNode name="ripng">
                 <properties>
                   <help>Show log for RIPng</help>
                 </properties>
                 <command>journalctl --boot /usr/lib/frr/ripngd</command>
               </leafNode>
               <leafNode name="static">
                 <properties>
                   <help>Show log for static route</help>
                 </properties>
                 <command>journalctl --boot /usr/lib/frr/staticd</command>
               </leafNode>
               <leafNode name="multicast">
                 <properties>
                   <help>Show log for Multicast protocol</help>
                 </properties>
                 <command>journalctl --boot /usr/lib/frr/pimd</command>
               </leafNode>
               <leafNode name="isis">
                 <properties>
                   <help>Show log for ISIS</help>
                 </properties>
                 <command>journalctl --boot /usr/lib/frr/isisd</command>
               </leafNode>
               <leafNode name="nhrp">
                 <properties>
                   <help>Show log for NHRP</help>
                 </properties>
                 <command>journalctl --boot /usr/lib/frr/nhrpd</command>
               </leafNode>
               <leafNode name="bfd">
                 <properties>
                   <help>Show log for BFD</help>
                 </properties>
                 <command>journalctl --boot /usr/lib/frr/bfdd</command>
               </leafNode>
               <leafNode name="mpls">
                 <properties>
                   <help>Show log for MPLS</help>
                 </properties>
                 <command>journalctl --boot /usr/lib/frr/ldpd</command>
               </leafNode>
             </children>
           </node>
           <leafNode name="router-advert">
             <properties>
               <help>Show log for Router Advertisement Daemon (radvd)</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit radvd.service</command>
           </leafNode>
           <leafNode name="snmp">
             <properties>
               <help>Show log for Simple Network Monitoring Protocol (SNMP)</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit snmpd.service</command>
           </leafNode>
           <node name="ssh">
             <properties>
               <help>Show log for Secure Shell (SSH)</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit ssh.service</command>
             <children>
               <node name="dynamic-protection">
                 <properties>
                   <help>Show SSH guard log</help>
                 </properties>
                 <command>journalctl --no-hostname --boot --unit sshguard.service</command>
               </node>
             </children>
           </node>
           <tagNode name="tail">
             <properties>
               <help>Show last n changes to messages</help>
               <completionHelp>
                 <list>&lt;NUMBER&gt;</list>
               </completionHelp>
             </properties>
             <command>tail -n "$4" /var/log/messages | ${VYATTA_PAGER:-cat}</command>
           </tagNode>
           <node name="tail">
             <properties>
               <help>Show last 10 lines of /var/log/messages file</help>
             </properties>
             <command>tail -n 10 /var/log/messages</command>
           </node>
           <leafNode name="vpn">
             <properties>
               <help>Monitor last lines of ALL Virtual Private Network services</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit strongswan.service --unit accel-ppp@*.service --unit ocserv.service</command>
           </leafNode>
           <leafNode name="ipsec">
             <properties>
               <help>Show log for IPsec</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit strongswan.service</command>
           </leafNode>
           <leafNode name="l2tp">
             <properties>
               <help>Show log for L2TP</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit accel-ppp@l2tp.service</command>
           </leafNode>
           <leafNode name="openconnect">
             <properties>
               <help>Show log for OpenConnect</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit ocserv.service</command>
           </leafNode>
           <leafNode name="pptp">
             <properties>
               <help>Show log for PPTP</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit accel-ppp@pptp.service</command>
           </leafNode>
           <leafNode name="sstp">
             <properties>
               <help>Show log for Secure Socket Tunneling Protocol (SSTP) server</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit accel-ppp@sstp.service</command>
           </leafNode>
           <node name="sstpc">
             <properties>
               <help>Show log for Secure Socket Tunneling Protocol (SSTP) client</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit "ppp@sstpc*.service"</command>
             <children>
               <tagNode name="interface">
                 <properties>
                   <help>Show SSTP client log on specific interface</help>
                   <completionHelp>
                     <path>interfaces sstpc</path>
                   </completionHelp>
                 </properties>
                 <command>journalctl --no-hostname --boot --unit "ppp@$5.service"</command>
               </tagNode>
             </children>
           </node>
           <leafNode name="vrrp">
             <properties>
               <help>Show log for Virtual Router Redundancy Protocol (VRRP)</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit keepalived.service</command>
           </leafNode>
           <leafNode name="webproxy">
             <properties>
               <help>Show log for Webproxy</help>
             </properties>
             <command>journalctl --no-hostname --boot --unit squid.service</command>
           </leafNode>
         </children>
       </node>
     </children>
   </node>
 </interfaceDefinition>
diff --git a/python/vyos/nat.py b/python/vyos/nat.py
index 2ada29add..e54548788 100644
--- a/python/vyos/nat.py
+++ b/python/vyos/nat.py
@@ -1,311 +1,311 @@
 # Copyright (C) 2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from vyos.template import is_ip_network
 from vyos.utils.dict import dict_search_args
 from vyos.template import bracketize_ipv6
 
 
 def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
     output = []
     ip_prefix = 'ip6' if ipv6 else 'ip'
     log_prefix = ('DST' if nat_type == 'destination' else 'SRC') + f'-NAT-{rule_id}'
     log_suffix = ''
 
     if ipv6:
         log_prefix = log_prefix.replace("NAT-", "NAT66-")
 
     ignore_type_addr = False
     translation_str = ''
 
     if 'inbound_interface' in rule_conf:
         operator = ''
         if 'name' in rule_conf['inbound_interface']:
             iiface = rule_conf['inbound_interface']['name']
             if iiface[0] == '!':
                 operator = '!='
                 iiface = iiface[1:]
             output.append(f'iifname {operator} {{{iiface}}}')
         else:
             iiface = rule_conf['inbound_interface']['group']
             if iiface[0] == '!':
                 operator = '!='
                 iiface = iiface[1:]
             output.append(f'iifname {operator} @I_{iiface}')
 
     if 'outbound_interface' in rule_conf:
         operator = ''
         if 'name' in rule_conf['outbound_interface']:
             oiface = rule_conf['outbound_interface']['name']
             if oiface[0] == '!':
                 operator = '!='
                 oiface = oiface[1:]
             output.append(f'oifname {operator} {{{oiface}}}')
         else:
             oiface = rule_conf['outbound_interface']['group']
             if oiface[0] == '!':
                 operator = '!='
                 oiface = oiface[1:]
             output.append(f'oifname {operator} @I_{oiface}')
 
     if 'protocol' in rule_conf and rule_conf['protocol'] != 'all':
         protocol = rule_conf['protocol']
         if protocol == 'tcp_udp':
             protocol = '{ tcp, udp }'
         output.append(f'meta l4proto {protocol}')
 
     if 'packet_type' in rule_conf:
         output.append(f'pkttype ' + rule_conf['packet_type'])
 
     if 'exclude' in rule_conf:
         translation_str = 'return'
         log_suffix = '-EXCL'
     elif 'translation' in rule_conf:
         addr = dict_search_args(rule_conf, 'translation', 'address')
         port = dict_search_args(rule_conf, 'translation', 'port')
         if 'redirect' in rule_conf['translation']:
             translation_output = [f'redirect']
             redirect_port = dict_search_args(rule_conf, 'translation', 'redirect', 'port')
             if redirect_port:
                 translation_output.append(f'to {redirect_port}')
         else:
 
             translation_prefix = nat_type[:1]
             translation_output = [f'{translation_prefix}nat']
 
             if addr and is_ip_network(addr):
                 if not ipv6:
                     map_addr =  dict_search_args(rule_conf, nat_type, 'address')
                     if map_addr:
                         if port:
                             translation_output.append(f'{ip_prefix} prefix to {ip_prefix} {translation_prefix}addr map {{ {map_addr} : {addr} . {port} }}')
                         else:
                             translation_output.append(f'{ip_prefix} prefix to {ip_prefix} {translation_prefix}addr map {{ {map_addr} : {addr} }}')
                         ignore_type_addr = True
                     else:
                         translation_output.append(f'prefix to {addr}')
                 else:
                     translation_output.append(f'prefix to {addr}')
             elif addr == 'masquerade':
                 if port:
                     addr = f'{addr} to '
                 translation_output = [addr]
                 log_suffix = '-MASQ'
             else:
                 translation_output.append('to')
                 if addr:
                     addr = bracketize_ipv6(addr)
                     translation_output.append(addr)
 
         options = []
         addr_mapping = dict_search_args(rule_conf, 'translation', 'options', 'address_mapping')
         port_mapping = dict_search_args(rule_conf, 'translation', 'options', 'port_mapping')
         if addr_mapping == 'persistent':
             options.append('persistent')
         if port_mapping and port_mapping != 'none':
             options.append(port_mapping)
 
         if ((not addr) or (addr and not is_ip_network(addr))) and port:
             translation_str = " ".join(translation_output) + (f':{port}')
         else:
             translation_str = " ".join(translation_output)
 
         if options:
             translation_str += f' {",".join(options)}'
 
         if not ipv6 and 'backend' in rule_conf['load_balance']:
             hash_input_items = []
             current_prob = 0
             nat_map = []
 
             for trans_addr, addr in rule_conf['load_balance']['backend'].items():
                 item_prob = int(addr['weight'])
                 upper_limit = current_prob + item_prob - 1
                 hash_val = str(current_prob) + '-' + str(upper_limit)
                 element = hash_val + " : " + trans_addr
                 nat_map.append(element)
                 current_prob = current_prob + item_prob
 
             elements = ' , '.join(nat_map)
 
             if 'hash' in rule_conf['load_balance'] and 'random' in rule_conf['load_balance']['hash']:
                 translation_str += ' numgen random mod 100 map ' + '{ ' + f'{elements}' + ' }'
             else:
                 for input_param in rule_conf['load_balance']['hash']:
                     if input_param == 'source-address':
                         param = 'ip saddr'
                     elif input_param == 'destination-address':
                         param = 'ip daddr'
                     elif input_param == 'source-port':
                         prot = rule_conf['protocol']
                         param = f'{prot} sport'
                     elif input_param == 'destination-port':
                         prot = rule_conf['protocol']
                         param = f'{prot} dport'
                     hash_input_items.append(param)
                 hash_input = ' . '.join(hash_input_items)
                 translation_str += f' jhash ' + f'{hash_input}' + ' mod 100 map ' + '{ ' + f'{elements}' + ' }'
 
     for target in ['source', 'destination']:
         if target not in rule_conf:
             continue
 
         side_conf = rule_conf[target]
         prefix = target[:1]
 
         addr = dict_search_args(side_conf, 'address')
         if addr and not (ignore_type_addr and target == nat_type):
             operator = ''
             if addr[:1] == '!':
                 operator = '!='
                 addr = addr[1:]
             output.append(f'{ip_prefix} {prefix}addr {operator} {addr}')
 
         addr_prefix = dict_search_args(side_conf, 'prefix')
         if addr_prefix and ipv6:
             operator = ''
             if addr_prefix[:1] == '!':
                 operator = '!='
                 addr_prefix = addr_prefix[1:]
             output.append(f'ip6 {prefix}addr {operator} {addr_prefix}')
 
         port = dict_search_args(side_conf, 'port')
         if port:
             protocol = rule_conf['protocol']
             if protocol == 'tcp_udp':
                 protocol = 'th'
             operator = ''
             if port[:1] == '!':
                 operator = '!='
                 port = port[1:]
             output.append(f'{protocol} {prefix}port {operator} {{ {port} }}')
 
         if 'group' in side_conf:
             group = side_conf['group']
             if 'address_group' in group and not (ignore_type_addr and target == nat_type):
                 group_name = group['address_group']
                 operator = ''
                 if group_name[0] == '!':
                     operator = '!='
                     group_name = group_name[1:]
                 output.append(f'{ip_prefix} {prefix}addr {operator} @A_{group_name}')
             # Generate firewall group domain-group
             elif 'domain_group' in group and not (ignore_type_addr and target == nat_type):
                 group_name = group['domain_group']
                 operator = ''
                 if group_name[0] == '!':
                     operator = '!='
                     group_name = group_name[1:]
                 output.append(f'{ip_prefix} {prefix}addr {operator} @D_{group_name}')
             elif 'network_group' in group and not (ignore_type_addr and target == nat_type):
                 group_name = group['network_group']
                 operator = ''
                 if group_name[0] == '!':
                     operator = '!='
                     group_name = group_name[1:]
                 output.append(f'{ip_prefix} {prefix}addr {operator} @N_{group_name}')
             if 'mac_group' in group:
                 group_name = group['mac_group']
                 operator = ''
                 if group_name[0] == '!':
                     operator = '!='
                     group_name = group_name[1:]
                 output.append(f'ether {prefix}addr {operator} @M_{group_name}')
             if 'port_group' in group:
                 proto = rule_conf['protocol']
                 group_name = group['port_group']
 
                 if proto == 'tcp_udp':
                     proto = 'th'
 
                 operator = ''
                 if group_name[0] == '!':
                     operator = '!='
                     group_name = group_name[1:]
 
                 output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
 
     output.append('counter')
 
     if 'log' in rule_conf:
         output.append(f'log prefix "[{log_prefix}{log_suffix}]"')
 
     if translation_str:
         output.append(translation_str)
 
     output.append(f'comment "{log_prefix}"')
 
     return " ".join(output)
 
 def parse_nat_static_rule(rule_conf, rule_id, nat_type):
     output = []
     log_prefix = ('STATIC-DST' if nat_type == 'destination' else 'STATIC-SRC') + f'-NAT-{rule_id}'
     log_suffix = ''
 
     ignore_type_addr = False
     translation_str = ''
 
     if 'inbound_interface' in rule_conf:
         ifname = rule_conf['inbound_interface']
         ifprefix = 'i' if nat_type == 'destination' else 'o'
         if ifname != 'any':
             output.append(f'{ifprefix}ifname "{ifname}"')
 
     if 'exclude' in rule_conf:
         translation_str = 'return'
         log_suffix = '-EXCL'
     elif 'translation' in rule_conf:
         translation_prefix = nat_type[:1]
         translation_output = [f'{translation_prefix}nat']
         addr = dict_search_args(rule_conf, 'translation', 'address')
         map_addr =  dict_search_args(rule_conf, 'destination', 'address')
 
         if nat_type == 'source':
             addr, map_addr = map_addr, addr # Swap
 
         if addr and is_ip_network(addr):
             translation_output.append(f'ip prefix to ip {translation_prefix}addr map {{ {map_addr} : {addr} }}')
             ignore_type_addr = True
         elif addr:
             translation_output.append(f'to {addr}')
 
         options = []
         addr_mapping = dict_search_args(rule_conf, 'translation', 'options', 'address_mapping')
         port_mapping = dict_search_args(rule_conf, 'translation', 'options', 'port_mapping')
         if addr_mapping == 'persistent':
             options.append('persistent')
         if port_mapping and port_mapping != 'none':
             options.append(port_mapping)
 
         if options:
             translation_output.append(",".join(options))
 
         translation_str = " ".join(translation_output)
 
     prefix = nat_type[:1]
     addr = dict_search_args(rule_conf, 'translation' if nat_type == 'source' else nat_type, 'address')
     if addr and not ignore_type_addr:
         output.append(f'ip {prefix}addr {addr}')
 
     output.append('counter')
 
-    if translation_str:
-        output.append(translation_str)
-
     if 'log' in rule_conf:
         output.append(f'log prefix "[{log_prefix}{log_suffix}]"')
 
+    if translation_str:
+        output.append(translation_str)
+
     output.append(f'comment "{log_prefix}"')
 
     return " ".join(output)
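Review bot: The `-EXCL` suffix set by `log_suffix = '-EXCL'` in parse_nat_static_rule (and likewise in parse_nat_rule) produces a log prefix such as `[STATIC-DST-NAT-<id>-EXCL]`, which the `show log nat` egrep patterns added earlier in this diff do not match, so hits on exclude rules would be missing from the op-mode log view. Those patterns allow only an optional `-MASQ`; extending them, e.g. `\[STATIC-(SRC|DST)-NAT-[0-9]+(-EXCL)?\]` for static rules and `(-MASQ|-EXCL)?` for the source variant, would keep the prefix generator and the log viewer in step. The moved block would also benefit from a comment recording why the order matters, for instance `# log must precede the nat/return statement, which nft treats as terminal`, since parse_nat_rule relies on the same ordering without saying so.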