topic Re: 3600 - NAT port forwarding with WAN DHCP in Firewall and Security Management

3600 - NAT port forwarding with WAN DHCP

Checkper — Sun, 16 Jun 2024 11:07:16 GMT

Hi,

Have an standalone 3600.

One external interface connected to ISP, public-ip is assigned by dhcp.
Another interface is connected to LAN switches and created vlan subinterfaces as default gw for internal networks.

Some servers need to have incoming port forwarding for their services. Have little CP experience, this is now migrated from Palo Alto.

My issue is dynamic public-ip, how could I create fw/nat rules that is using the external interface ip?

It's working when I manually create an host object with the current public-ip.

Outgoing hide-nat is done by "Add automatic address translation rules"

Re: 3600 - NAT port forwarding with WAN DHCP

PhoneBoy — Mon, 17 Jun 2024 22:57:27 GMT

Create manual rules in terms of the object LocalMachine.

Re: 3600 - NAT port forwarding with WAN DHCP

Checkper — Tue, 18 Jun 2024 05:06:33 GMT

Yes, already tried LocalMachine without success.
Seems that incoming traffic is not hitting the NAT rule anymore.

Is it possible to see the value of LocalMachine object?

Reading about dynamic objects now and scripts... not sure that is a good solution

Re: 3600 - NAT port forwarding with WAN DHCP

PhoneBoy — Tue, 18 Jun 2024 15:16:54 GMT

LocalMachine is a dynamic object we manage.
You can use the dynamic_objects CLI command to see the current contents of any given dynamic object.
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_CLI_ReferenceGuide/Content/Topics-CLIG/FWG/dynamic_objects.htm

Re: 3600 - NAT port forwarding with WAN DHCP

Alex- — Tue, 18 Jun 2024 15:31:34 GMT

What about a security zone and manual NAT: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topics-SECMG/Security-Zones.htm

Never tried that myself, though.

Re: 3600 - NAT port forwarding with WAN DHCP

Checkper — Tue, 18 Jun 2024 17:17:09 GMT

Good tip, but seems that zones cannot be used when Translated Destination need to be changed from "Original" (Local server ip)

Re: 3600 - NAT port forwarding with WAN DHCP

Checkper — Tue, 18 Jun 2024 17:43:53 GMT

Seems that only dynamic_objects I've made my self is possible to list, no result when I try LocalMachine.

Another issue is policy push when LocalMachine is used in policy, requires target to be DAIP module. sk180341 Same result if I specify target gateway.
Since Mgmt and Data plane isn't separated this is is maybe caused by static ip on Mgmt Interface and DHCP on External interface..?

Not sure what is best practice for this.. possible to separate it sk138672 MDPS but a lot of limits..

Re: 3600 - NAT port forwarding with WAN DHCP

PhoneBoy — Tue, 18 Jun 2024 19:50:58 GMT

MDPS is not relevant for standalone systems.
Did you try enabling DAIP as described here: https://support.checkpoint.com/results/sk/sk166225
I don't think you can enable it in SmartConsole since this is a standalone system, which I don't believe support DAIP.
However, this might enable updating of the LocalMachine object if you have one of your interfaces defined as dynamic.

Re: 3600 - NAT port forwarding with WAN DHCP

Checkper — Wed, 19 Jun 2024 09:55:36 GMT

Tried to enable DAIP as described in sk166225, same result as sk180341 afterwards.
Maybe DAIP not supported for standalone...

Re: 3600 - NAT port forwarding with WAN DHCP

PhoneBoy — Thu, 20 Jun 2024 14:54:13 GMT

The functionality to enable DAIP functionality is only supported on pure gateways (not standalone).
While a dynamic address will still work, you'll have to create and update your own Dynamic Object.
While you could script updating a dynamic_object, if you're using R81.20, you can do a Network Feed object that achieves the same thing.
Create the object as follows:

Note that I have no idea how reliable ipify is as I just found it with a quick Internet search.
However, anything that returns your public IP either in ASCII (like https://api.ipify.com does) or in JSON can be used.
Network Feed objects can be used in the Access Policy and NAT configuration on R81.20+ gateways.

It should also be noted that locally managed Quantum Spark appliances support this use case much better (using Server objects).