topic Re: dynamic SNAT in General Topics

dynamic SNAT

AkosBakos — Wed, 04 Jun 2025 11:00:29 GMT

Hi team,

I got an interesting task what I need to deploy.

I need to create a contitional NAT rule:

If: "IP_A" is reacable, I have to use SNAT_A IP in the sourceNAT
If: "IP_A" is NOT reacable, I have to use SNAT_B IF in the sourceNAT

This is not a trivilal ISP redundancy setup, don't mix it. Both traffic should use the same ETH interface when leaving the gateway.

I welcome all ideas.

Akos

Re: dynamic SNAT

Alex- — Wed, 04 Jun 2025 13:28:54 GMT

You could use a station which monitors IP A, and if not reachable, starts an automation using the Management API to change the NAT translated sourced in the NAT rule identified by UID. This change is reverted via another automation when IP A is reachable again.

Re: dynamic SNAT

AkosBakos — Wed, 04 Jun 2025 13:33:26 GMT

Hi Alex,

Sounds great, but a policy install will be necessary, right? I will think about it.

Akos

Re: dynamic SNAT

Alex- — Wed, 04 Jun 2025 15:52:01 GMT

Yes it would require a policy install. Alternately, you could always have the default NAT rule above your backup NAT rule, so that in case of reachability change you disable or enable the generally used NAT rule. Different object manipulation, depends on your policy setup.

At least with the API, you have full audit of what happened when. Also it gives you verification options which could be trickier with a shenanigans-based approach.

Re: dynamic SNAT

JozkoMrkvicka — Wed, 04 Jun 2025 19:26:43 GMT

I second @Alex- 's idea, just couple of notes:

1. If firewall from which you want to check IP_A is managed from the same management, you can use management to connect to firewall over SIC (cprid_util). If return value of ping is 0, IP_A is reachable, otherwise not reachable.

2. Create both NAT rules manually and save both NAT rule UIDs. One of NAT rule will be always disabled, second NAT rule will be always enabled. Depending if IP_A is reachable or not, first NAT rule with already known UID will be disabled, second NAT rule with already known UID will be enabled and vice versa.

3. script will be run on management every XY minutes and do needed action once change is detected, including policy push.

Re: dynamic SNAT

CheckPointerXL — Wed, 04 Jun 2025 21:53:51 GMT

Instead, try to use zone into nat rules

Re: dynamic SNAT

the_rock — Wed, 04 Jun 2025 22:59:40 GMT

I agree with that 100% @CheckPointerXL

Re: dynamic SNAT

the_rock — Sun, 08 Jun 2025 22:07:35 GMT

Hey brother,

Were you able to figure this out?

Andy