pal
Explorer

NAT64 with R80.40

This is my first IPv6 implementation on Azure

Lab setup is 

Ext win10: fd5d:7ce8:b6d5:1::4 (10.20.1.6)

fw Ext (eth0): fd5d:7ce8:b6d5:1::a14:205 (10.20.1.4)
fw Int (eth1): fd5d:7ce8:b6d5:2::4 (10.20.2.4)

webs1: 10.20.2.5

My NAT64 rule is 

NAT.jpg

v6-dst.jpg    snat-v4range.jpg

Log shows xlate dst as expected but xlate_src is empty

Snat-missing.jpg

fw6 monitor and tcpdump on eth0 show the fw is sending a reset

fwmonitor.jpg

Any help is appreciated!

 

5 Replies
PhoneBoy
Admin

My understanding is that IPv6 is not supported in CloudGuard Gateways in Public Cloud, currently.
You can see it listed as a known limitation here:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
pal
Explorer

Appreciate your response. I read that MDM, MUH v2 and IPv6 for Management interface are not supported. The Security Gateway limitations mention the default kernel value and some commands. Please correct me if I missed the feature ID you are referring to.

Setup of (IPv6 LAN - Firewall - IPv6 LAN) end to end communication is working fine on Azure.

I redeployed everything locally with a 4600 appliance and am seeing the same behavior

snat-missing1.jpg

I am wondering if any additional configuration is required for source NAT range to take effect.

PhoneBoy
Admin

This is stated in: VSECC-1097
But if you can see it in a physical appliance, I recommend a TAC case.
pal
Explorer

VSECC-1097 applies to R80.20 and below, correct?

I have a TAC case open and waiting to be assigned, thanks again.

PhoneBoy
Admin

If it's in the "Known Limitations" SK for R80.40, it applies there as well.
R80.20 was the first version it was documented in (meaning this isn't a new limitation).
