<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic R80.10 - Hide behind many question in General Topics</title>
    <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3828#M256</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Started loving R80.10, but still need to explore more.&lt;/P&gt;&lt;P&gt;Have a question: whether R80.10 supports Hide behind many IP addresses (like a range or pool of addresses), or whether we still need to divide the sources if the scaling crosses 50k ports.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 27 Jun 2017 20:03:06 GMT</pubDate>
    <dc:creator>VENKAT_S_P</dc:creator>
    <dc:date>2017-06-27T20:03:06Z</dc:date>
    <item>
      <title>R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3828#M256</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Started loving R80.10, but still need to explore more.&lt;/P&gt;&lt;P&gt;Have a question: whether R80.10 supports Hide behind many IP addresses (like a range or pool of addresses), or whether we still need to divide the sources if the scaling crosses 50k ports.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 27 Jun 2017 20:03:06 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3828#M256</guid>
      <dc:creator>VENKAT_S_P</dc:creator>
      <dc:date>2017-06-27T20:03:06Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3829#M257</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;It's a little more complicated than just 50,000 connections going to the same destination, as described here:&amp;nbsp;&lt;A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk103656&amp;amp;partition=General&amp;amp;product=CoreXL%22" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk103656&amp;amp;partition=General&amp;amp;product=CoreXL%22"&gt;Dynamic NAT port allocation feature&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In general, though, you can only specify one address as the source IP for a HIDE address, which should still also apply to R80.10.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 27 Jun 2017 20:51:09 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3829#M257</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2017-06-27T20:51:09Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3830#M258</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Probably in future releases.&lt;BR /&gt;Thanks Dameon for the prompt reply.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 27 Jun 2017 22:43:49 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3830#M258</guid>
      <dc:creator>VENKAT_S_P</dc:creator>
      <dc:date>2017-06-27T22:43:49Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3831#M259</link>
      <description>&lt;P&gt;Sorry to come in so late on this thread, but what I would call "many-to-fewer" hide NAT is most definitely possible via manual NAT rules and has been around since R75.&amp;nbsp; It is not really documented but it definitely does work, subject to the following:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1) Manual NAT must be used&lt;/P&gt;
&lt;P&gt;2) In Original Source put the inside network object to hide&lt;/P&gt;
&lt;P&gt;3) Translated Source of the manual NAT rule MUST be an IP Address Range object (a network object will not work), configured with the routable range of "fewer" addresses to hide behind&lt;/P&gt;
&lt;P&gt;4) By default after adding the range object in Translated Source it will be set to static; right-click and force it to Hide&lt;/P&gt;
&lt;P&gt;5) Because you are almost certainly plucking these "fewer" addresses from your routable range of addresses located on the dirty subnet between the firewall's external interface and the perimeter router, you must add manual static proxy ARPs for ALL addresses in the "fewer" range.&amp;nbsp; Failing to add static proxy ARPs for every address in the "fewer" range will cause random-looking failures for some internal hosts and not others.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you are running an R80.10 gateway, though, check out &lt;A style="max-width: 840px;" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk114395&amp;amp;partition=Advanced&amp;amp;product=Security" target="_blank" rel="noopener"&gt;sk114395: Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10&lt;/A&gt;.&amp;nbsp; &lt;EM&gt;&lt;STRONG&gt;Edit: I recently saw a many-to-fewer NAT setup utilizing this new Auto Proxy ARP feature on an R80.10 gateway and it worked great!&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As I recall the selection of which "fewer" IP address to hide a particular internal host behind depends on that host's IP address.&amp;nbsp; So if we are using 192.168.1.0/24 internally and hiding behind 129.82.102.32 - 129.82.102.35, internal host 192.168.1.3 might draw 129.82.102.33 for all its connections while 192.168.1.134 might draw 129.82.102.35 for all its connections.&amp;nbsp; I don't think the "fewer" address associated to an internal IP will ever change though (unless the "fewer" IP range changes) so there must be some kind of static hash function at work here.&amp;nbsp; &lt;STRONG&gt;Edit: In R82 it is possible to configure a "fewer" address such that it is always assigned to the same "many" address.&lt;/STRONG&gt; This behavior is mentioned here:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk105302&amp;amp;partition=Advanced&amp;amp;product=Security" target="_blank" rel="noopener"&gt;sk105302: Traffic NATed behind an Address Range object is always NATed behind the same IP address&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The even distribution of internal addresses to external "fewer" addresses will never be perfect of course, but will allow one to go well beyond the 50k limit of concurrent connections to the same destination being hidden by a single hide NAT rule.&amp;nbsp; I just tried it in my R80.10 lab for grins and this setup still works&lt;STRONG&gt;.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;--&lt;BR /&gt;My book "Max Power: Check Point Firewall Performance Optimization" &lt;BR /&gt;now available via &lt;A href="http://maxpowerfirewalls.com" target="_blank" rel="noopener"&gt;http://maxpowerfirewalls.com&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Sat, 02 Nov 2024 19:41:49 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3831#M259</guid>
      <dc:creator>Timothy_Hall</dc:creator>
      <dc:date>2024-11-02T19:41:49Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3832#M260</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks a lot Tim, this really helps.&amp;nbsp;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 15 Sep 2017 15:17:35 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3832#M260</guid>
      <dc:creator>VENKAT_S_P</dc:creator>
      <dc:date>2017-09-15T15:17:35Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3833#M261</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Here is a screenshot from the Second Edition of my book Max Power that nicely summarizes how to set this up:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG __jive_id="61249" alt="How to set up many to fewer Hide NAT" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/61249_fewer.jpg" style="width: 620px; height: 451px;" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;--&lt;BR /&gt; My Book "Max Power: Check Point Firewall Performance Optimization" &lt;BR /&gt; Second Edition Coming Soon&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 06 Dec 2017 15:16:20 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3833#M261</guid>
      <dc:creator>Timothy_Hall</dc:creator>
      <dc:date>2017-12-06T15:16:20Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3834#M262</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Cheers Tim, can confirm this works great on a 41K on R76SP.50.&lt;/P&gt;&lt;P&gt;This is with the Dynamic Port allocation turned on (which is default), which we have been told to turn off by support as it's causing us issues.&lt;/P&gt;&lt;P&gt;We needed to add a couple of /16s as Hide NAT addresses and this has saved us loads of time as we haven't had to create 500+ objects and NAT rules.&lt;/P&gt;&lt;P&gt;Hopefully it still works OK when we turn off Dynamic NAT port allocation, will let you know.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 02 Feb 2018 12:03:52 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3834#M262</guid>
      <dc:creator>Jennifer_Wilson</dc:creator>
      <dc:date>2018-02-02T12:03:52Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3835#M263</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am not a CheckPoint employee; is there any chance that I can buy your book?&lt;/P&gt;&lt;P&gt;I need to configure hide NAT using a public IP pool for a customer. Thank you.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;AZH&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 25 Feb 2018 12:41:34 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3835#M263</guid>
      <dc:creator>Zaw_Hein_Aung</dc:creator>
      <dc:date>2018-02-25T12:41:34Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3836#M264</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Zaw,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;All the steps you need to set up a many-to-fewer NAT are contained earlier in this thread, however if you still want to buy the book head to maxpowerfirewalls.com to look at the different PDF and/or hardcopy purchase options.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 26 Feb 2018 13:07:31 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3836#M264</guid>
      <dc:creator>Timothy_Hall</dc:creator>
      <dc:date>2018-02-26T13:07:31Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3837#M265</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Just confirming this is still working fine after turning Dynamic NAT off (also after having installed Hotfixes 002 and 050 for CCP issues causing blades and chassis to failover).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Mar 2018 16:35:04 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3837#M265</guid>
      <dc:creator>Jennifer_Wilson</dc:creator>
      <dc:date>2018-03-13T16:35:04Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3838#M266</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Just bought Edition 2 of the book and I highly recommend it, especially if you are running R80+; lots of insightful tips and best practices covered.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 30 May 2018 21:50:33 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3838#M266</guid>
      <dc:creator>Yuvy_Ruhee</dc:creator>
      <dc:date>2018-05-30T21:50:33Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3839#M267</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi, Timothy. I was presented with this case today and your answer was very helpful! Still, I'm having trouble with the proxy ARP configuration, since I have to do it manually.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I created an address range object and configured the NAT rule accordingly, but I can't seem to add the proper Proxy ARP entry for source NAT, since I'm having trouble recognizing which would be the advertised IP and the real IP.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Could you please elaborate on this? Thanks in advance.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 06 Sep 2018 21:24:53 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3839#M267</guid>
      <dc:creator>Carlos_Machado1</dc:creator>
      <dc:date>2018-09-06T21:24:53Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3840#M268</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Precisely how the Proxy ARPs are added will depend on whether ClusterXL is in use and some other factors such as hardware platform.&amp;nbsp; Please check out the fairly lengthy &lt;A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk30197&amp;amp;partition=Advanced&amp;amp;product=ClusterXL," style="max-width: 840px;"&gt;sk30197: Configuring &lt;STRONG&gt;Proxy&lt;/STRONG&gt; &lt;STRONG&gt;ARP&lt;/STRONG&gt; for Manual NAT&lt;/A&gt; for the correct steps to use in your specific environment.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;--&lt;BR /&gt; Second Edition of my "Max Power" Firewall Book&lt;BR /&gt; Now Available at &lt;A href="http://www.maxpowerfirewalls.com" target="_blank"&gt;http://www.maxpowerfirewalls.com&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 07 Sep 2018 12:41:41 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3840#M268</guid>
      <dc:creator>Timothy_Hall</dc:creator>
      <dc:date>2018-09-07T12:41:41Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3841#M269</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Tim,&lt;/P&gt;&lt;P&gt;Can you remind me if the Proxy ARP is still necessary when we are configuring a manual NAT rule for hiding our encryption domain behind the IP/Range provided by the peer?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 25 Sep 2018 14:06:13 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3841#M269</guid>
      <dc:creator>Vladimir</dc:creator>
      <dc:date>2018-09-25T14:06:13Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3842#M270</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If the packets for those IPs would only arrive encrypted, proxy ARPs shouldn't be necessary.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 25 Sep 2018 15:11:37 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3842#M270</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2018-09-25T15:11:37Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3843#M271</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;As Dameon mentioned any IP addresses being tunneled by IPSec do not need a proxy ARP (even if they are plucked from your ISP-assigned routable range or dirty subnet) as the outside destination IP address on the ESP packet is just the external IP of the firewall for which it will already automatically answer ARP requests.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For NAT the only time proxy ARPs are required is when "plucking" NAT addresses from a subnet that is directly attached to the firewall itself.&amp;nbsp; In the real world this is most typically the so-called "dirty" subnet sitting between the firewall and the Internet perimeter router.&amp;nbsp; In most implementations all or at least a chunk of the ISP-assigned routable address space exists on the dirty subnet.&amp;nbsp; Any addresses plucked from that directly-attached dirty subnet for NAT will need Proxy ARP service provided by the firewall.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;However other portions of ISP-assigned space (whether they be different subnets adjacent or near to the dirty subnet, or a completely different routable subnet assigned by the ISP later when the original one was exhausted) are merely using the dirty subnet as a transit to reach the firewall and do not need Proxy ARPs as a result.&amp;nbsp; There will be static routes on the Internet perimeter router for these other routable subnets designating the firewall's outside address as the next hop, so there is no need for the Internet perimeter router to ARP for the destination IP addresses in those packets.&amp;nbsp; Proxy ARP is usually just for the benefit of the Internet perimeter router, regardless of whether your organization owns it or your ISP manages it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;--&lt;BR /&gt; Second Edition of my "Max Power" Firewall Book&lt;BR /&gt; Now Available at &lt;A href="http://www.maxpowerfirewalls.com" 
target="_blank"&gt;http://www.maxpowerfirewalls.com&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 25 Sep 2018 16:12:10 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3843#M271</guid>
      <dc:creator>Timothy_Hall</dc:creator>
      <dc:date>2018-09-25T16:12:10Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3844#M272</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you.&lt;/P&gt;&lt;P&gt;I typically break down the public range and use its small subnet between gateways/clusters and the ISP router. The other subnets of the public range are forwarded from the router to the external IP of the gateway or cluster for either use in DMZ(s) or NAT. This does remove the need for the Proxy ARP.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 25 Sep 2018 16:23:54 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3844#M272</guid>
      <dc:creator>Vladimir</dc:creator>
      <dc:date>2018-09-25T16:23:54Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3845#M273</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm under the assumption that Proxy ARP is not needed when you translate the source address only. The router will learn the MAC address from the initial packet and everything will work. (I've never been in a situation where the return packet exceeded the time-out of the MAC table.)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm only configuring Proxy ARP when doing a Destination NAT since the first packet will come from a router.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If a customer doesn't like proxy ARP, you can always ask your ISP to put host routes to your VIP IP address for your "plucked" IPs.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 26 Nov 2018 14:05:04 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3845#M273</guid>
      <dc:creator>Kristof_Vermael</dc:creator>
      <dc:date>2018-11-26T14:05:04Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3846#M274</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;To update this old thread, looks like Check Point has now formally documented this many-to-fewer NAT setup here:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;amp;solutionid=sk142833&amp;amp;partition=General&amp;amp;product=SmartConsole" style="max-width: 840px;" rel="nofollow noopener noreferrer" target="_blank"&gt;sk142833: How to create manual NAT rules in &lt;STRONG&gt;Many-To-Few&lt;/STRONG&gt; mode&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also it has been officially confirmed by Check Point in the thread below that Hide NAT can support more than 50k concurrent connections through the same single Hide NAT address, as long as the destination IP addresses are unique.&amp;nbsp; Never got an answer as to when exactly that changed (I know for a fact that it didn't used to be that way, but that was a VERY long time ago) but I suspect it was version R75:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://community.checkpoint.com/message/32343" target="_blank"&gt;https://community.checkpoint.com/message/32343&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;DIV class=""&gt;&lt;DIV class=""&gt;&lt;P style="color: #333333; background-color: #ffffff; border: 0px;"&gt;--&lt;/P&gt;&lt;P style="color: #333333; background-color: #ffffff; border: 0px;"&gt;CheckMates Break Out Sessions Speaker&lt;/P&gt;&lt;P style="color: #333333; background-color: #ffffff; border: 0px;"&gt;CPX 2019 Las Vegas &amp;amp; Vienna - Tuesday@13:30&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 21 Jun 2019 08:56:08 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3846#M274</guid>
      <dc:creator>Timothy_Hall</dc:creator>
      <dc:date>2019-06-21T08:56:08Z</dc:date>
    </item>
    <item>
      <title>Re: R80.10 - Hide behind many question</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3847#M275</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Tim,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does the NAT space have to be contiguous IP space?&amp;nbsp; Could a network group be used with non-contiguous IP space?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 31 Jan 2019 15:51:41 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3847#M275</guid>
      <dc:creator>Bill_Ng</dc:creator>
      <dc:date>2019-01-31T15:51:41Z</dc:date>
    </item>
  </channel>
</rss>

