R82 Management behind 3rd party NAT - Call for EA customers
Hi All,
R82 will introduce a new ability to simplify the use of management in public cloud.
The feature, known as “Management behind NAT”, simplifies the experience of managing GWs from a public cloud management using public IPs (as public IPs are NATed by the CSPs).
We are looking for EA customers to join R82 EA program.
R82 EA program benefits:
- Ability to try out and influence Check Point products
- Direct R&D support
- Check Point full assistance with all steps
Customers' requirements: (one of the following)
- Customers with MDS in Public Cloud + Gateways in a remote network
- Customers with 3rd party NAT devices that don't want to use dummy objects
- Customers of Management behind NAT that use the registry SKs
Background:
R81.20 and below solution was mainly designed for NAT performed by another Check Point Gateway.
Illustration from the Management admin guide.
Issues with existing solution:
- The solution sometimes required manual work-around (edit registry values) on the Gateways as described in sk171055 & sk171665
- When the NAT was done by a 3rd party NAT device or by a public cloud vendor the NAT configuration required the usage of dummy objects.
Main use-case for that is MDS in the Public Cloud - sk181701
MDS in Public Cloud topology:
R82 Main changes:
- All configurations are in SmartConsole, no need to update registry values on the Gateways – See “Connection from Security Gateways to this server” in the screenshot below
- Increased granularity to allow override configurations on the gateway object – for environments with both:
  - Gateways that communicate with the original IP address
  - Gateways that communicate with the translated IP address
- Add support for NAT by 3rd party NAT device or public cloud - See “Do not create automatic NAT rules” in the screenshot below.
- The new capabilities are supported (for now) only on R82 gateways
The “Management/Log” is a new tab in the Gateway object
We will be delighted to have you as an EA customer and provide close support during the process.
Please contact me if you are interested or if you have any questions.
Very good feature indeed!
Andy
Perhaps not the correct thread for this question, but does anyone know if Checkpoint have finally removed the need for local.arp when doing manual NAT in R82?
I never recall having to do this after R81 base.
Andy
Is this documented anywhere that the requirement for local.arp is no longer needed for manual NAT from R81.10?
Not that I know of.
You don't need to deal directly with local.arp file. But you have a clish command set arp proxy for that.
That is what I thought, so the idea is entries are added via CLISH and in turn this is added to the local.arp file, now for VSX I can add an entry in the CLI however no local.arp file is created and entries added.
I was looking at SK30197 (old downloaded pdf)