https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-Internal-Network-Interface-Specific/m-p/240459#M46643 <P>Do you have Quantum SD-WAN enabled? or it's a locally managed Spark SD-WAN?</P> <P>in general, you could just make sure to do double NAT, so F5 will NAT on the CP interface IP as well.</P> <P>if you are using Quantum SD-WAN you can use our 'NAT Per ISP' feature on infinity portal setting 'Hide behind GW' per each ISP/Interface, and on the one you don't want NAT set it to 'According to Smart Console' and in Smart Console make sure you don't have NAT for this networks.</P> <P>&nbsp;</P> Wed, 05 Feb 2025 11:58:38 GMT AmirArama 2025-02-05T11:58:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-Internal-Network-Interface-Specific/m-p/240401#M46631 <P>Hey everyone,</P><P>So we have a situation with 4 different ISPs on this SD-WAN configuration. The issue is that the main link goes through an F5 box before hitting the internet, and the F5 does NAT. The other ISPs connect directly to our gateway.</P><P>The question is can we make the "HIDE INTERNAL NETWORK" function interface specific somehow, so that if traffic goes out WAN 1 it does not NAT but if goes out the other WAN links it does?</P><P>The only way I could think of doing this is leave HIDE INTERNAL NETWORK turned off at the gateway level and create specific NAT rules using specific ZONEs for each ISP.</P><P>Any thoughts?</P><P>Thanks in advanced,</P><P>RK</P> Tue, 04 Feb 2025 19:02:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-Internal-Network-Interface-Specific/m-p/240401#M46631 RKinsp 2025-02-04T19:02:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-Internal-Network-Interface-Specific/m-p/240417#M46632 <P>The option you gave is pretty much how I would do it. Otherwise, that setting to hide internal networks is not interface specific, Im positive of that.</P> <P>Andy</P> Tue, 04 Feb 2025 20:52:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-Internal-Network-Interface-Specific/m-p/240417#M46632 the_rock 2025-02-04T20:52:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-Internal-Network-Interface-Specific/m-p/240422#M46634 <P>Here is a good example. I know its R82 lab, but works the same even in R81.xx.</P> <P>Andy</P> <P>&nbsp;</P> Tue, 04 Feb 2025 22:03:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-Internal-Network-Interface-Specific/m-p/240422#M46634 the_rock 2025-02-04T22:03:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-Internal-Network-Interface-Specific/m-p/240459#M46643 <P>Do you have Quantum SD-WAN enabled? or it's a locally managed Spark SD-WAN?</P> <P>in general, you could just make sure to do double NAT, so F5 will NAT on the CP interface IP as well.</P> <P>if you are using Quantum SD-WAN you can use our 'NAT Per ISP' feature on infinity portal setting 'Hide behind GW' per each ISP/Interface, and on the one you don't want NAT set it to 'According to Smart Console' and in Smart Console make sure you don't have NAT for this networks.</P> <P>&nbsp;</P> Wed, 05 Feb 2025 11:58:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-Internal-Network-Interface-Specific/m-p/240459#M46643 AmirArama 2025-02-05T11:58:38Z