Cloud Guard for Azure - LocalGatewayInternal dynamic object for hide NAT

Wojciech140811 — Thu, 14 May 2026 11:00:15 GMT

Hello, i would like to use a Hide NAT feature on an Azure Cloud Guard VMSS. NAT will be done on one arm, eth0 only instances, which pass the traffic to/fom private IP's only, (Hide NAT will hide certain 10.0.0.0 private ranges behind another private IP). No internet access is involved. Load balancer is present in front of VMSS.

This works when i'm using a gateway object in NAT rule as translated source (actual gateway IP), but i guess this will not work well after scale out, as other instances created after scale out will not translate properly using this rule. I would like to use a dynamic object pointing to gateway private eth0 IP in NAT rule. I've created and tried to use LocalGatewayInternal dynamic object, as described in: https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Content/Topics-Azure-VMSS/Configuration.htm , but the traffic hitting NAT rule using this object is being dropped because of unresolved dynamic object, so it does not seem to work. Is there already exising, properly resolved dynamic object which could help in this case?

Thanks,

Wojtek

Re: Cloud Guard for Azure - LocalGatewayInternal dynamic object for hide NAT

Dan_Morris — Fri, 15 May 2026 12:55:49 GMT

Hi Wojtek,

The steps you would like to perform are very close, but a few adjustments are needed.

Architecturally, you need to adjust the interface where the traffic is received and sent. The setup you are attempting is very common, but it requires a slight modification. All non-Internet-bound traffic should be received and sent through eth1, not eth0. The general rule of thumb is:

East-West traffic should always use eth1 (in VMSS and HA deployments in Azure)
Egress and Ingress traffic (to/from the Internet) should always use eth0 (in VMSS and HA deployments in Azure)

The Load Balancer deployed by the ARM template on the frontend (eth0) is an external-facing Load Balancer. The backend (eth1) Load Balancer is a Standard Internal Load Balancer that forwards traffic to the active members.

You should expect the traffic flow to work as follows:

Internal Host SRC → UDR to the Internal LB behind eth1 of the firewall → One of the active members → Hide NAT behind eth1 (as desired) → Internal Host DST

In VMSS deployments, the required Dynamic Objects for this setup should already exist. These are configured during gateway provisioning using CME. The following objects are pushed automatically:

LocalGatewayExternal → Translates to eth0
LocalGatewayInternal → Translates to eth1

You can confirm this by running the following command on the gateways:

dynamic_objects -l

To summarize the required changes for your setup:

Ensure the UDR points traffic to the Internal Load Balancer behind eth1
Configure the Hide NAT rule to use a Dynamic object called LocalGatewayInternal (Name must match 100%)
Keep eth0 dedicated only for Internet ingress/egress traffic
Verify the Dynamic Objects on the gateways using dynamic_objects -l
Confirm that LocalGatewayInternal is matching between the Smart Center and Gateway by running the command dynamic_objects -c on the gateway

This should provide the behavior you are expecting.

Best regards,

Dan Morris | Cloud Security Architect – Cloud Security R&D

topic Cloud Guard for Azure - LocalGatewayInternal dynamic object for hide NAT in Cloud Firewall

Cloud Guard for Azure - LocalGatewayInternal dynamic object for hide NAT

Re: Cloud Guard for Azure - LocalGatewayInternal dynamic object for hide NAT