topic Re: Source (hide behind) NAT non gateway IP and multiple ISPs in General Topics

Source (hide behind) NAT non gateway IP and multiple ISPs

cjames88 — Wed, 19 Jun 2024 18:13:36 GMT

I'm fairly new to Checkpoint and I've hit a scenario that I'm having trouble finding documentation on. I have a cluster with 3 ISPs. We do not have BGP so each of these 3 ISPs have a different subnet of public IPs. On our previous Juniper SRX firewalls we would source NAT our Guest WiFi out an address other than the primary IP on the interface. So far I can't find a way to handle this with multiple ISPs on checkpoint. I can see where I can tell a subnet to source NAT behind a specific IP, however I have 3 different IP address this traffic could source nat behind depending on which ISP we are using at the time. We also currently use PBR to route this traffic out one of what would be our backup ISPs.

Re: Source (hide behind) NAT non gateway IP and multiple ISPs

PhoneBoy — Thu, 20 Jun 2024 18:19:48 GMT

I see a couple of options here:

Use ISP Redundancy and the related configuration (possibly related: https://support.checkpoint.com/results/sk/sk174197)
Use a HIDE address of 0.0.0.0 (create as a host object), which I believe will use the IP address of the interface the traffic is routed out of. Not sure if this is formally supported, though.

Re: Source (hide behind) NAT non gateway IP and multiple ISPs

cjames88 — Thu, 20 Jun 2024 18:36:30 GMT

That's actually what we are trying to avoid, we don't want to use the IP address of the interface. I've got that working fine. It's when we want to use a different IP that things are breaking.

Re: Source (hide behind) NAT non gateway IP and multiple ISPs

PhoneBoy — Thu, 20 Jun 2024 22:21:57 GMT

Then your only option is a Dynamic Object that you manage OR a static host object.

Re: Source (hide behind) NAT non gateway IP and multiple ISPs

Chris_Atkinson — Thu, 20 Jun 2024 23:55:00 GMT

Have you tried NAT statements with each interface assigned/representing a different "zone" ?

Re: Source (hide behind) NAT non gateway IP and multiple ISPs

cjames88 — Fri, 21 Jun 2024 01:01:43 GMT

That I had not and I was hoping to avoid placing each ISP into it's zone since it's has it's own set of pitfalls that we've had to deal with on Juniper for years.

Re: Source (hide behind) NAT non gateway IP and multiple ISPs

PhoneBoy — Fri, 21 Jun 2024 15:28:24 GMT

Am curious what issues you ran into with this, just for my own edification.

Re: Source (hide behind) NAT non gateway IP and multiple ISPs

cjames88 — Fri, 21 Jun 2024 15:31:08 GMT

Not so much issues, but it was a lot of extra administrative overhead with additional firewall and NAT rules.

Re: Source (hide behind) NAT non gateway IP and multiple ISPs

cjames88 — Fri, 21 Jun 2024 15:32:53 GMT

I will say the biggest pitfall we ran into was with VPN since they each had their own security zone due to other Junos limitations. Even though we ran iBGP on the tunnels, if we failed over any sessions would get interrupted since that traffic was now technically to and from different zones.

Re: Source (hide behind) NAT non gateway IP and multiple ISPs

PhoneBoy — Fri, 21 Jun 2024 16:37:19 GMT

I don't believe we will have this limitation since Zones were not even supported until R8x and the VPN code has been there from the earliest days of the product.