topic Re: NAT Rule Number 0 R77.30 in General Topics

NAT Rule Number 0 R77.30

m4_prashanth — Sun, 02 May 2021 05:30:14 GMT

Hi there,

We have recently updated our NTP server IP address and on one of the CP Cluster noticed that NTP sync is not happening. While I was checking the logs, the specific NTP traffic is hitting a NAT rule number 0. But on the cluster there is no Hide behind gateway option is not configured. Also I checked the firewall object and NAT is not enabled. What are the other possibilities that result in this behaviour?

I can see the UUID of the NAT rule. With the help of that can I trace the NAT rule in smart dashboard?

Thank You in Advance

Re: NAT Rule Number 0 R77.30

Tal_Paz-Fridman — Sun, 02 May 2021 05:45:43 GMT

It might be possible to search using the UID but I would recommend is upgrading from R77.30 to R80.40 or R81.

Searching using UID in NAT is possible in current versions.

We stopped supporting R77.30 in September 2019:

https://www.checkpoint.com/support-services/support-life-cycle-policy/#software-support

Re: NAT Rule Number 0 R77.30

PhoneBoy — Sun, 02 May 2021 06:59:25 GMT

What is the precise source of the NTP traffic?
If it’s from one of the cluster members, traffic is always hidden behind the cluster IP by default unless disabled by: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34180&partition=Advanced&product=ClusterXL,

But like my colleague suggests, R77.30 has been End of Support for a while now and you should upgrade to a supported release.

Re: NAT Rule Number 0 R77.30

m4_prashanth — Fri, 04 Jun 2021 12:47:00 GMT

Thank you very much for the KB. Actually the traffic was getting NAT to the cluster vip and after allowing the cluster VIP for NTP, firewall was able to sync with NTP server.

I have couple of questions:

Though the traffic getting NAT to cluster VIP when I run the tcpdump utility on the gateway I still see the physical ip of the interface ip trying to connect to the NTP server. Is there any other options available to capture the traffic from the egress interface to confirm the source ip?

Further I have noticed though perform_cluster_hide_fold option was enabled for R80.20 cluster similar to R77.20, on the NTP server I’m receiving the traffic on the physical interface ip rather than cluster VIP. Is there any other options that will override the NAT.

Thanks in advance

Re: NAT Rule Number 0 R77.30

PhoneBoy — Fri, 04 Jun 2021 22:32:24 GMT

fw monitor should show the traffic at each stage of the firewall chain.
You should be able to see if it is actually natting the traffic appropriately.

Re: NAT Rule Number 0 R77.30

m4_prashanth — Sat, 05 Jun 2021 00:11:03 GMT

Thank you very much