Support for Datacenter Objects in NAT Policy and N...

Adrian_Dittmann · ‎2019-10-15

Hello guys,

i hope i chose the right forum.

We have connected a Cisco ACI to a R80.20 Management System and are using dynamic Datacenter Objects in the Firewall Policy.

sk128612 says that Data Center Objects are not supported in NAT Policy and Network Groups.

This considerably limits the function of the ACI for us.

Will this "known limitation" fixed in the future or is it not possbile from the technical point of view?

I am looking forward to your answers!

Best regards,

Adrian

PhoneBoy · ‎2019-10-17

You can't mix datacenter and regular objects in the same rule cell.
Groups would allow this configuration.

As for NAT, rules require contiguous address ranges within the Source/Destination field.
Datacenter objects may not follow these conventions.
It would help to understand the use case for NAT in your case.

Adrian_Dittmann · ‎2019-10-21

Hi PhoneBoy,

thank you very much for your reply.

We operate the gateway with multiple VSX Systems as an Internet firewall for the customer.

The basic idea was to use centrally managed ACI data center objects, as we will have a change volume of about 500 changes per month in the future.
The advantage we hoped to get from the ACI in this case is not given, because we have to create a group and the host objects for each EPG that should do for example Hide NAT.

We can use the datacenter objects in the rule base, but not in the NAT rules. This means a lot more work for us in our day-to-day business.

I have attached a screenshot of a typical Data Center Object from the ACI, which should be used for NAT.

Regards,

Adrian

PhoneBoy · ‎2019-10-21

If all the hosts are in the same subnet(s), why not just NAT the subnet(s)?
The regular Access Policy will ultimately control whether or not the hosts can go outbound, the NAT policy is applied afterwords.

Gil_Sudai · ‎2019-10-22

Hi. In the coming R80.40 it is possible to use Data Center objects and Network objects in the same cell in the Access (FW) policy. We also support network group with Data Center objects and Network objects (hybrid group).

Adrian_Dittmann · ‎2019-10-24

Hi PhoneBoy,

sounds easier than it is.

This was only an example group, but not every EPG contains all hosts in the same subnet.

The ACI is managed externally and contains about 15000 EPG objects.

We will receive change request from the customer directly to implement FW rules and NAT rules with the EPG objects.

If we need to manually create each EPG object as a network group on the Check Point when it is to be used in a NAT rule and have to maintain this manually with each change on the ACI, we will have a lot of overhead.

Especially when receiving about 400 change requests a month, once the customer is productive.

I can totally understand your technical point of view, that the Access Policy will be applied before the NAT Rules and will regulate all the traffic going outbound. But we are here located in germany and the customer also, and this is all laid down in contracts, that each Access rule and also NAT rule is as precise as possible.

I hope you can understand now, which problem I am facing.

Regards

Adrian

PhoneBoy · ‎2019-10-25

You might see if there is an underlying Dynamic Object associated with your datacenter objects by using the command (on the gateway) dynamic_objects -uo_show.
If that's the case, you'll be able to create a Dynamic Object of the same name in SmartConsole and use that in the NAT policy.

Support for Datacenter Objects in NAT Policy and Network Groups

Re: Support for Datacenter Objects in NAT Policy and Network Groups

Re: Support for Datacenter Objects in NAT Policy and Network Groups

Re: Support for Datacenter Objects in NAT Policy and Network Groups

Re: Support for Datacenter Objects in NAT Policy and Network Groups

Re: Support for Datacenter Objects in NAT Policy and Network Groups

Re: Support for Datacenter Objects in NAT Policy and Network Groups