topic Re: PBR and nat in Firewall and Security Management

PBR and nat

dede79 — Fri, 01 Mar 2024 10:52:22 GMT

Hello,

I try to find an alternative for isp redundancy with pbr.

sk167135 nearly describes that but for some reason here the internal network has a public-ip network and so there is no need to talk about hide-nat. I tested pbr so far but selecting hide-behind-gateway always uses the interface ip with the default route is used.

Thanks

Re: PBR and nat

Lesley — Fri, 01 Mar 2024 11:58:19 GMT

Use instead of hide behind gateway option the VIP ip of the outgoing interfaces.

I think you now use automatic NAT, try to make static NAT rule and force it to use correct external IP

Re: PBR and nat

AmirArama — Sun, 03 Mar 2024 16:14:28 GMT

what exactly are you trying to accomplish? going out from specific ISP, without NAT?

so just don't enable NAT on this network object.

if I didn't understand, please elaborate a bit more.

Thanks

Re: PBR and nat

Chris_Atkinson — Mon, 04 Mar 2024 00:49:22 GMT

Did you try configuring your NAT manually?

Dummy object for the NAT with 0.0.0.0 or using Zones may help, but PBR and NAT has some limitations.

Maybe also explore Quantum SD-WAN with your local SE to see if it can help you?

Re: PBR and nat

dede79 — Mon, 04 Mar 2024 07:47:25 GMT

How can I use manuel nat behind Interface upon failover? Alternative for ISP redundancy would require a NAT konfig that works no matter pbr route is active (--> ISP1) or it is down --> (ISP2) - (track pbr routes with monitored IPs)

Re: PBR and nat

Chris_Atkinson — Mon, 04 Mar 2024 07:54:34 GMT

As above historically you could use a host object 0.0.0.0 and it would pick the IP of the outbound interface.

Theoretically you could also assign a different zone to each interface and hence different NAT rules could be specified if needed.

Re: PBR and nat

Lesley — Mon, 04 Mar 2024 19:30:50 GMT

You cannot mix PBR and ISP redundancy:

https://support.checkpoint.com/results/sk/sk167135