topic Re: NAT issue on R77.30 in Firewall and Security Management

NAT issue on R77.30

puneetbansal — Tue, 26 Jul 2022 11:11:55 GMT

Today i meet with strange issue. Below is the summery .

1. We have Checkpoint firewall cluster in Azure running R77.30 version.

2. There are lot of application working on that firewall using the Policy and NAT ( External Interface NAT ).

3. Today when i created new NAT , all the traffic stopped working.

NAT --> We have to publish new application to internet. We are using FW public IP to host the application on different ports and using NAT traffic is getting redirected to internal private IP on ( http or https)

Any suggestion to check , as will not get support from Checkpoint - old version at customer site.

Re: NAT issue on R77.30

_Val_ — Tue, 26 Jul 2022 11:44:04 GMT

Other than moving to the supported version?

Re: NAT issue on R77.30

Chris_Atkinson — Tue, 26 Jul 2022 12:16:32 GMT

Are you able to share more about what and how you configured it?

Eg Auto vs Manual & Static vs Hide.

Without more info any suggestions will be somewhat limited.

Re: NAT issue on R77.30

puneetbansal — Tue, 26 Jul 2022 12:29:05 GMT

We are using Check Point External interface static NAT .

We are using the same to multiple application on different port, all are working fine, but while doing new NAT for new application its creating issue for all the application.

We are crating NAT rule at END .

Re: NAT issue on R77.30

the_rock — Tue, 26 Jul 2022 12:31:58 GMT

You are correct that you would not get any support from TAC on it, since it is indeed unsupported version. I agree with @Chris_Atkinson , we need more info as far as whats exactly configured, so we can help you more.

Re: NAT issue on R77.30

the_rock — Tue, 26 Jul 2022 13:18:46 GMT

Are you able to attach a screenshot?

Re: NAT issue on R77.30

PhoneBoy — Tue, 26 Jul 2022 15:36:10 GMT

We're going to need a LOT more information about what the current configuration is, what precise changes you made, and what was observed in the gateway AFTER the change was made with respect to the traffic.
What was seen in the logs, fw ctl zdebug, etc.
That said, R77.30 has been End of Support for a while now and your efforts would probably be better spent getting the customer on a more recent version that is supported.

Re: NAT issue on R77.30

puneetbansal — Wed, 27 Jul 2022 05:00:27 GMT

Thanks PhoneBoy, We are planning to upgrade.

We are doing interface NAT , it seems be due to some bug in R77.30

02656968

Security Gateway

In rare scenarios, when working with Dynamic Objects, NAT rules are not applied anymore after policy installation or update of software blades signatures. This causes traffic outage for all connections that should undergo NAT.

Re: NAT issue on R77.30

Chris_Atkinson — Wed, 27 Jul 2022 08:55:44 GMT

Resolved almost 5-years ago. Is there no Jumbo installed on this system?

Re: NAT issue on R77.30

puneetbansal — Wed, 27 Jul 2022 13:18:43 GMT

Nope , We are on Take216 .

Re: NAT issue on R77.30

puneetbansal — Wed, 27 Jul 2022 13:26:00 GMT

We took the support of that firewall recently and now we are planning to upgrade.

As the firewall in our support we need to create new rules, but while creating new simple NAT rules ( almost duplicate what we have on firewall almost 90), firewall stopped process all traffic ( even for exiting NAT ) .

Is there any limitation on CP firewall external Interface IP NAT policy in Azure ?

Re: NAT issue on R77.30

PhoneBoy — Wed, 27 Jul 2022 15:03:23 GMT

I'll ask my questions again more precisely:

What is the current configuration look like before you started making changes? Screenshots will go a long way here as will a network diagram.
What is the precise configuration change you made? Again, screenshots will go a long way here.
When you say "firewall stopped process all traffic" again what does that mean? Have you done any troubleshooting with tcpdump, fw ctl zdebug, or anything to understand what's going on?

Regardless, I suspect the issue will be resolved by upgrading from R77.30 to a supported release.

Re: NAT issue on R77.30

Chris_Atkinson — Wed, 27 Jul 2022 16:15:58 GMT

The issue you mentioned above is resolved in Take 292 (or higher).

The only constraint that comes to mind otherwise would be if you're attempting to NAT using well know ports where those are daemons on the Firewall itself.

More generic concerns would be the volume of ports available for NAT given a single IP is used.

Re: NAT issue on R77.30

the_rock — Wed, 27 Jul 2022 15:36:58 GMT

As the guys said, we need way more details. Screenshot, config example, at least something that can help us help you. Without it, we cant really do much, and as you know, TAC will never help you, since its totally unsupported version. @PhoneBoy made excellent point...have you done basic debug, tcpdump, fw monitor?

Re: NAT issue on R77.30

mdz — Mon, 25 Mar 2024 15:29:42 GMT

Hello Team ,

User want to access the device from Jump server provided public IP mapped to device Management IP private .Could you please help us how to configure NAT which NAT will be better choice hide nat/Auto Nat/Manual NAT .Checkpoint device version is R77.30 .Appreciate your prompt response

Re: NAT issue on R77.30

_Val_ — Tue, 26 Mar 2024 10:08:32 GMT

R77.30 is out of support for 15 years now. For your case, you need static NAT to an available public IP address.

Re: NAT issue on R77.30

G_W_Albrecht — Tue, 26 Mar 2024 10:26:14 GMT

Why post this here ? This is a very old post and has not much to do with the original issue !

Re: NAT issue on R77.30

the_rock — Tue, 26 Mar 2024 11:27:43 GMT

Think of it as port forwarding...say your friend wanted to access your home PC from their place. You would need to add an entry in your home router to forward that traffic, and dst would be whatever internal IP your pc is, so say for rdp port would be 3389

Lets take same example here...lets pretend that somewhere from the Internet, someone has to reach your internal server on port 789

rule would be like this for nat:

original packet:src any, port 789, dst say your external IP

dst packet: src any, port 789, dst - your internal server

Makes sense?

And yes, R77.30 has been unsupported for ages now,please install at least R81, as even R80.40 will be unsupported next month 🙂