After setting up Direct Internet Breakout (DIA) on a Branch Site, packets forwarded to the internet retain their private IP address as the source IP.
This results in packets not returning from public IP destinations.
To resolve this, you can configure Source NAT on the SD-WAN to translate the private source IP to the public IP of the Internet interface.
Instructions
For the site that you are configuring DIA for, navigate to Connections > Branch Site > Firewall and go to the Dynamic NAT Policies section.
Then click the plus sign to create a new NAT policy.
From there, specify Outbound, since the traffic will be leaving the Branch site through the Internet-facing interface.
Also, specify the Service Type as Internet and the Service Name as the Internet service.

Optionally, you can configure the policy to operate only on specific IP addresses on the LAN and for specific zones.
The Policy should look like this:

After configuring this, you can check that the NAT policy is getting hit by going to the Monitoring > Connections > Firewall page and setting the Statistics drop-down to NAT Policies.