topic Re: Workaround for manual NAT when security zones are used? in Firewall and Security Management

Workaround for manual NAT when security zones are used?

Nick_Doropoulos — Tue, 05 Mar 2019 08:39:25 GMT

I know that as of R80.10, security zones are not supported with manual NAT. Some of the reasons for creating manual NAT rules as per Check Point's documentation are the following:

Rules that are restricted to specified destination IP addresses and to specified source IP addresses
Translate both source and destination IP addresses in the same packet.
Static NAT in only one direction
Translate services (destination ports)
Rules that only use specified services (ports)
Translate IP addresses for dynamic objects

I was wondering therefore if there are still any workarounds to achieve the above when the customer is using security zones in their policy.

Many thanks in advance.

Re: Workaround for manual NAT when security zones are used?

Mark_Mitchell — Tue, 05 Mar 2019 11:57:08 GMT

Hi Nicholas,

I'm not entirely sure what your question is? As you have already stated that you can't use Security Zones in the NAT policy and that manual NAT's are required for flexibility.

Regards

Mark

Re: Workaround for manual NAT when security zones are used?

Nick_Doropoulos — Tue, 05 Mar 2019 12:24:04 GMT

Hi Mark,

So, say the customer is using security zones in his policies and wants to perform static NAT in one direction or translate IP addresses for dynamic objects. Short of asking the customer to stop using security zones, is there anything else that can be done to accommodate the aforementioned requests?

Re: Workaround for manual NAT when security zones are used?

Maarten_Sjouw — Tue, 05 Mar 2019 14:30:07 GMT

Is the setup of this customer a modular setup with multiple gateways, or is it actually a zone based policy because they are used to that and like it better?

Re: Workaround for manual NAT when security zones are used?

Timothy_Hall — Tue, 05 Mar 2019 14:38:12 GMT

Even with Security Zones in use, one must still define all networks behind each interface for purposes of antispoofing enforcement. For any network that not "flat" (i.e. has additional routed networks beyond the VLAN the firewall is physically attached to) this will typically be represented as a specific group. Those same interface antispoofing groups could be used in manual NAT rules to approximate the effect of Security Zones, but if groups containing a large number of objects are placed into both the source and destination of a manual NAT rule, that can expand out to a very large number of individual NAT rules so watch out. Representing the Internet here can be a bit tricky too, essentially you have to use a group with exclusion in the destination, which can also cause some unexpectedly large expansions.

Example: a group with 100 networks is added to the source of a manual NAT rule, and another group with 100 networks is added to the destination. During policy compilation that will expand out to 10,000 individual NAT rules. In the old days that value could get high enough to cause a policy compilation failure.