<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic No change in firewall policy upon re-ordering NAT rules. in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-change-in-firewall-policy-upon-re-ordering-NAT-rules/m-p/196026#M36567</link>
    <description>&lt;P&gt;Hardware: 23500&lt;BR /&gt;Version: R81.10 Take 66 (both Gateway and Mgmt)&lt;/P&gt;&lt;P&gt;Summary: NAT rules were re-ordered. There was a hide NAT rule that was moved under 4 static NAT rules. No other changes were made to the policy. Published and pushed the policy. Found out that the firewall was using the old order of NAT rules. FW stat shows the correct time of the policy push, which completed without any errors or warnings. The "rules.C" file was showing the last modified date of the previous install, not the last install (after re-ordering). Note that all objects used in all the related NAT rules are local objects, not Global.&lt;/P&gt;&lt;P&gt;It was decided to disable all the relevant static and hide NAT rules (total of 5 rules) and re-create the new rules above the disabled rules. After the policy was pushed, the correct order of rules took effect and the rules.C file shows the last modified date.&lt;/P&gt;&lt;P&gt;Question is: why was a new policy not compiled in the first place, or what caused the new set of rules to be ignored? Does the rule re-ordering warrant a new policy? If anyone else has had a similar experience, please share.&lt;/P&gt;</description>
    <pubDate>Tue, 24 Oct 2023 12:36:29 GMT</pubDate>
    <dc:creator>Muazzam</dc:creator>
    <dc:date>2023-10-24T12:36:29Z</dc:date>
    <item>
      <title>No change in firewall policy upon re-ordering NAT rules.</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-change-in-firewall-policy-upon-re-ordering-NAT-rules/m-p/196026#M36567</link>
      <description>&lt;P&gt;Hardware: 23500&lt;BR /&gt;Version: R81.10 Take 66 (both Gateway and Mgmt)&lt;/P&gt;&lt;P&gt;Summary: NAT rules were re-ordered. There was a hide NAT rule that was moved under 4 static NAT rules. No other changes were made to the policy. Published and pushed the policy. Found out that the firewall was using the old order of NAT rules. FW stat shows the correct time of the policy push, which completed without any errors or warnings. The "rules.C" file was showing the last modified date of the previous install, not the last install (after re-ordering). Note that all objects used in all the related NAT rules are local objects, not Global.&lt;/P&gt;&lt;P&gt;It was decided to disable all the relevant static and hide NAT rules (total of 5 rules) and re-create the new rules above the disabled rules. After the policy was pushed, the correct order of rules took effect and the rules.C file shows the last modified date.&lt;/P&gt;&lt;P&gt;Question is: why was a new policy not compiled in the first place, or what caused the new set of rules to be ignored? Does the rule re-ordering warrant a new policy? If anyone else has had a similar experience, please share.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Oct 2023 12:36:29 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-change-in-firewall-policy-upon-re-ordering-NAT-rules/m-p/196026#M36567</guid>
      <dc:creator>Muazzam</dc:creator>
      <dc:date>2023-10-24T12:36:29Z</dc:date>
    </item>
    <item>
      <title>Re: No change in firewall policy upon re-ordering NAT rules.</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-change-in-firewall-policy-upon-re-ordering-NAT-rules/m-p/196048#M36571</link>
      <description>&lt;P&gt;Are you sure that a new connection was established after the NAT policy was updated? I had a NAT rule that seemed 'stuck' when I changed the NAT on a GRE connection. Ended up having to 'fw tab -x' delete it from the fw connections table to get the connection to match the updated NAT rule.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Oct 2023 15:19:06 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-change-in-firewall-policy-upon-re-ordering-NAT-rules/m-p/196048#M36571</guid>
      <dc:creator>Lloyd_Braun</dc:creator>
      <dc:date>2023-10-24T15:19:06Z</dc:date>
    </item>
    <item>
      <title>Re: No change in firewall policy upon re-ordering NAT rules.</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-change-in-firewall-policy-upon-re-ordering-NAT-rules/m-p/196051#M36573</link>
      <description>&lt;P&gt;Yes, we have new traffic that uses the old set of rules.&lt;/P&gt;&lt;P&gt;Also, on the first re-order of NAT rules (where we had no update to the policy), we searched for some of the NAT rule UIDs and they were not found in the "rules.C" file. After the second change (disable and re-create), the rules.C file got updated and I see all the new UIDs in the file.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Oct 2023 15:44:31 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-change-in-firewall-policy-upon-re-ordering-NAT-rules/m-p/196051#M36573</guid>
      <dc:creator>Muazzam</dc:creator>
      <dc:date>2023-10-24T15:44:31Z</dc:date>
    </item>
    <item>
      <title>Re: No change in firewall policy upon re-ordering NAT rules.</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-change-in-firewall-policy-upon-re-ordering-NAT-rules/m-p/196052#M36574</link>
      <description>&lt;P&gt;Sounds like it might be worth a TAC case.&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Tue, 24 Oct 2023 15:53:28 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-change-in-firewall-policy-upon-re-ordering-NAT-rules/m-p/196052#M36574</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2023-10-24T15:53:28Z</dc:date>
    </item>
    <item>
      <title>Re: No change in firewall policy upon re-ordering NAT rules.</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-change-in-firewall-policy-upon-re-ordering-NAT-rules/m-p/196056#M36576</link>
      <description>&lt;P&gt;TAC case already opened and under investigation. I was wondering if anyone has the same experience.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Oct 2023 17:04:17 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/No-change-in-firewall-policy-upon-re-ordering-NAT-rules/m-p/196056#M36576</guid>
      <dc:creator>Muazzam</dc:creator>
      <dc:date>2023-10-24T17:04:17Z</dc:date>
    </item>
  </channel>
</rss>

