This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Adrian_Dittmann
Participant
Participant
‎2019-10-15 08:24 AM

Support for Datacenter Objects in NAT Policy and Network Groups

Hello guys,

 

i hope i chose the right forum.

We have connected a Cisco ACI to a R80.20 Management System and are using dynamic Datacenter Objects in the Firewall Policy.

sk128612 says that Data Center Objects are not supported in NAT Policy and Network Groups.

This considerably limits the function of the ACI for us.

Will this "known limitation" fixed in the future or is it not possbile from the technical point of view?

 

I am looking forward to your answers!

Best regards,

Adrian

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2019-10-17 04:15 PM

You can't mix datacenter and regular objects in the same rule cell.
Groups would allow this configuration.

As for NAT, rules require contiguous address ranges within the Source/Destination field.
Datacenter objects may not follow these conventions.
It would help to understand the use case for NAT in your case.
0 Kudos
Adrian_Dittmann
Participant
Participant
‎2019-10-21 05:36 AM
In response to PhoneBoy

Hi PhoneBoy,

thank you very much for your reply.

We operate the gateway with multiple VSX Systems as an Internet firewall for the customer.

The basic idea was to use centrally managed ACI data center objects, as we will have a change volume of about 500 changes per month in the future.
The advantage we hoped to get from the ACI in this case is not given, because we have to create a group and the host objects for each EPG that should do for example Hide NAT.

We can use the datacenter objects in the rule base, but not in the NAT rules. This means a lot more work for us in our day-to-day business.

I have attached a screenshot of a typical Data Center Object from the ACI, which should be used for NAT.

 

Regards,

Adrian

Preview file
18 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-21 09:57 AM
In response to Adrian_Dittmann

If all the hosts are in the same subnet(s), why not just NAT the subnet(s)?
The regular Access Policy will ultimately control whether or not the hosts can go outbound, the NAT policy is applied afterwords.
Gil_Sudai
Employee
Employee
‎2019-10-22 12:26 AM
In response to PhoneBoy

Hi. In the coming R80.40 it is possible to use Data Center objects and Network objects in the same cell in the Access (FW) policy. We also support network group with Data Center objects and Network objects (hybrid group).

Adrian_Dittmann
Participant
Participant
‎2019-10-24 11:50 PM
In response to PhoneBoy

Hi PhoneBoy,

sounds easier than it is.

This was only an example group, but not every EPG contains all hosts in the same subnet.

The ACI is managed externally and contains about 15000 EPG objects.

We will receive change request from the customer directly to implement FW rules and NAT rules with the EPG objects.

If we need to manually create each EPG object as a network group on the Check Point when it is to be used in a NAT rule and have to maintain this manually with each change on the ACI, we will have a lot of overhead.

Especially when receiving about 400 change requests a month, once the customer is productive.

I can totally understand your technical point of view, that the Access Policy will be applied before the NAT Rules and will regulate all the traffic going outbound. But we are here located in germany and the customer also, and this is all laid down in contracts, that each Access rule and also NAT rule is as precise as possible.

I hope you can understand now, which problem I am facing.

Regards

Adrian

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-25 10:11 AM
In response to Adrian_Dittmann

You might see if there is an underlying Dynamic Object associated with your datacenter objects by using the command (on the gateway) dynamic_objects -uo_show.
If that's the case, you'll be able to create a Dynamic Object of the same name in SmartConsole and use that in the NAT policy.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events