https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237365#M46076 <P>Would indeed also recommend to make the rule more specific with a port like for example tcp443</P> <P>Also make sure if needed proxy arp is in place for the public IP. Firewall needs to know the public IP belongs to him.</P> <P>Unless the public IP is in the topology itself of the firewall (configured direct on a interface)</P> <P>Best way to test if arp works correct is to see traffic logs, if you see traffic towards the public IP you know arp works.&nbsp;</P> Wed, 01 Jan 2025 10:06:01 GMT Lesley 2025-01-01T10:06:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237358#M46074 <P>Hello Checkmates,</P><P>I want your expert experience to validate the below Manual NAT and access control policy format.&nbsp;</P><P>I want internet users can access our internal server with the public IP_A, Is the below format valid? I am using the same public IP for others servers with different services ports, that's why i am using Manual NAT.</P><TABLE width="567"><TBODY><TR><TD width="567">Manual NAT and Access control policy rule matching&nbsp;</TD></TR><TR><TD>1</TD><TD>NAT rule</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR><TR><TD>name&nbsp;&nbsp;&nbsp;&nbsp;</TD><TD>Original source</TD><TD>original Destination</TD><TD>Translated destination</TD><TD>&nbsp;</TD></TR><TR><TD><STRONG>AAAirport&nbsp;</STRONG></TD><TD><STRONG>any&nbsp;</STRONG></TD><TD><STRONG>Public IP_A</STRONG></TD><TD><STRONG>Private IP_A</STRONG></TD><TD>&nbsp;</TD></TR><TR><TD>2</TD><TD>Access control policy</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR><TR><TD>Name&nbsp;</TD><TD>Source</TD><TD>Destination</TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR><TR><TD><STRONG>Access_AAAirport</STRONG></TD><TD><STRONG>Any</STRONG></TD><TD><STRONG>Public IP_A</STRONG></TD><TD>&nbsp;</TD><TD>&nbsp;</TD></TR></TBODY></TABLE> Wed, 01 Jan 2025 07:01:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237358#M46074 yeruel 2025-01-01T07:01:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237362#M46075 <P>Hi,</P> <P>If I were you I would differentiate the NAT rules per service port. This allow you to handle the rules furthermore separately.</P> <P>I usually follow this attitude.</P> <P>But should work what you asked.</P> <P>Akos</P> Wed, 01 Jan 2025 08:55:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237362#M46075 AkosBakos 2025-01-01T08:55:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237365#M46076 <P>Would indeed also recommend to make the rule more specific with a port like for example tcp443</P> <P>Also make sure if needed proxy arp is in place for the public IP. Firewall needs to know the public IP belongs to him.</P> <P>Unless the public IP is in the topology itself of the firewall (configured direct on a interface)</P> <P>Best way to test if arp works correct is to see traffic logs, if you see traffic towards the public IP you know arp works.&nbsp;</P> Wed, 01 Jan 2025 10:06:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237365#M46076 Lesley 2025-01-01T10:06:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237366#M46077 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/28415">@AkosBakos</a>&nbsp;</P><P>I understand, I did different rule1 , rule2 , rule 3 to map the same public IP with private ip differently according to the services port. the above one is just for rule1, I did the same for others rules. So the above NAT rule and access rules format is valid. Right?</P> Wed, 01 Jan 2025 10:07:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237366#M46077 yeruel 2025-01-01T10:07:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237367#M46078 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/73547">@Lesley</a>&nbsp;</P> <P>I seems, only one Public_IP relevant here, so proxy ARP is not relevant (yet)</P> <P>Yes, access rules are recommended to separate too.</P> <P>Akos</P> Wed, 01 Jan 2025 10:11:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237367#M46078 AkosBakos 2025-01-01T10:11:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237369#M46079 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/104175">@yeruel</a>&nbsp;</P> <P>I suggest you&nbsp;one-to-one correspondence. One NAT rule belogs to one Access rule. This is the best way.</P> <P>Akos</P> Wed, 01 Jan 2025 10:31:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237369#M46079 AkosBakos 2025-01-01T10:31:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237370#M46080 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/73547">@Lesley</a>&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/28415">@AkosBakos</a>&nbsp;</P><P>1. for access rules, destination will be public IP_A?</P><P>2. If we have more than one public IP for example</P><P>213.66.95.13---External gateway interface<BR />213.66.95.10---will be used for Hide NAT IP address<BR />213.66.95.11, 12 will be used to publish servers for accessing from internet.<BR /><BR />213.66.95.10,11,12 are added in the ARP gaia portal.</P><P>ARP 213.66.95.10, 213.66.95.11, and also 213.66.95.12 in the arp with real ip address 213.66.95.13 and outside interface.</P><P>Any advice please?</P> Wed, 01 Jan 2025 10:35:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237370#M46080 yeruel 2025-01-01T10:35:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237371#M46081 <P><SPAN>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/104175">@yeruel</a>&nbsp;</SPAN></P> <P><SPAN>"213.66.95.10,11,12 are added in the ARP gaia portal" -&gt; don't forget to add to all members this enties (both cluster members)</SPAN></P> <P><SPAN>The guide is here:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk30197" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk30197</A></SPAN></P> <P><EM>---I deleted my sentence, my wording was misleadning---</EM></P> <P><SPAN>Akos</SPAN></P> Wed, 01 Jan 2025 14:10:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237371#M46081 AkosBakos 2025-01-01T14:10:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237372#M46082 <P>As long as you see the traffic in the logs (allowed or blocked) you know config is correct on arp level.&nbsp;</P> <P><SPAN>1. for access rules, destination will be public IP_A? - correct&nbsp;</SPAN></P> Wed, 01 Jan 2025 12:19:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Validate-the-Manual-NAT-and-access-control-policy-rules/m-p/237372#M46082 Lesley 2025-01-01T12:19:50Z