Optimize NAT : merge two gateway into a new third one

AleLovaz82 — Thu, 31 Oct 2024 15:55:09 GMT

Hi

I have this situation

Two cluster ,but thread them as GW , GW-A on Domain A and GW-B on Domain B ( I have a multi domain environment )
There is a lot of traffic between public network managed by each one and also FROM INTERNET.

GW A on Domain A

I have a lot of traffic to network managed by GW B that match this nat hide done on GW A

SRC ANY
DST ANY ( it means only public destination,over internet )
SERVICE ANY

SRCxlate PublicIP-Network-A
DSTxlate Original
SERVICExlate Original

(basically a simple nat hide behind a public ip )

When the packet comes to GW B ,on Domain B ,it match this basic *destination static nat*

SRC ANY
DST PublicIP-Network-B
SERVICE https

SRCxlate Original
DSTlate PrivateIP-Network-B
SERVICExlate Original

When i'll merge this two gateway on GW C I need both the NAT above for the traffic to and from Internet and a third one like for the traffic that is generated and directed to public network managed by GW C

SRC ANY
DST PublicIP-Network-B
SERVICE https
SRCxlate PublicIP-Network-A
DSTxlate PrivateIP-Network-B
SERVICExlate https

Because its seems from my test that Checkpoint is not able to match two different nat rule.
This is a tested "workaround" and work,but during the merging of the policy and nat i'll to configure A LOT ( hundreds...) of manual nat like the last one because we have a huge number of public network that do this kinf of traffic between sites.

Is there any smart way to do it ?

Re: Optimize NAT : merge two gateway into a new third one

PhoneBoy — Fri, 01 Nov 2024 14:59:10 GMT

Correct, only one NAT rule is matched per connection.
Which means you'll have to adjust your rules according to the new configuration.

topic Optimize NAT : merge two gateway into a new third one in Firewall and Security Management

Optimize NAT : merge two gateway into a new third one

Re: Optimize NAT : merge two gateway into a new third one