LAN NAT address issue

Bazz_Tars — Sun, 21 Mar 2021 20:22:04 GMT

Hi All

Any help on the below please?

Client is running a small network however part of the LAN network goes through a internal gateway device where that portion of that LAN subnet is terminated.
That GW device then NAT's those addresses behind its direct connection it has to the Checkpoint Firewall using a /30 address range

When I look at the FW logs I only see that GW devices IP <10.0.8.2>, the Firewall then also does not apply any of the policies to the devices behind that internal GW

Is there anyway for the Firewall to see that Natted subnet so polices can be applied?

It did initially pick up that subnet as spoofed addresses, however I disabled that in the CLI so now it only see the internal GW address and any devices that are directly connected to the firewall on the WiFi

Device<10.0.2.6 --- GW<10.0.2.1> NAT GW direct connection to fw <10.0.8.2> ---- <10.0.8.1>FW --- WAN fibre breakout

Thank you

Barry

Re: LAN NAT address issue

PhoneBoy — Sun, 21 Mar 2021 21:19:32 GMT

What model exactly is the Check Point gateway in this case?
Since you posted this in the SMB space, we'll assume it's one of the SMB appliances (700/1400/1500/1800).

If the internal gateway is natting the subnet before the Check Point gateway sees it, there's no way to see those addresses unless the gateway does a "proxy" and adds an XFF header.
Even then, that will probably only work for HTTP traffic.
Otherwise, what should happen is the gateway should NOT NAT that subnet and the Check Point gateway should have a route pointing back to that network through that gateway.
This should also resolve the anti-spoofing issue as well, since anti-spoofing configuration is based on the routing table (on SMB appliances).

topic Re: LAN NAT address issue in Spark Firewall (SMB)

LAN NAT address issue

Re: LAN NAT address issue