Solved: Re: ISP Redundacy Load Sharing - NAT

Campinho · ‎2025-08-06

Hello,

I am configuring a Check Point firewall with two internet links in Load Sharing mode using ISP Redundancy. The NAT is set up on the internal network objects using the "Hide Behind Gateway"

I have the following questions:

How does NAT function in Load Sharing mode?
- Does the firewall apply Hide NAT based on the active ISP interface for each connection?
- Are static NAT rules ignored in this mode?
Is it possible to use a SNAT Pool with ISP Redundancy in Load Sharing mode?
- Can I configure a pool of public IPs for outgoing connections, ensuring that traffic is NATed to the appropriate public IP based on the active ISP link?

_Val_ · ‎2025-08-11

This is what AI Copilot has to say for the matter:

Here are detailed answers to your questions about NAT and ISP Redundancy in Load Sharing mode on Check Point firewalls:

1. How does NAT function in Load Sharing mode?

Hide NAT: When using ISP Redundancy in Load Sharing mode, outgoing traffic is distributed between the ISP links according to the configured weights. Hide NAT is typically set to "Hide behind Gateway," which means the source address of outgoing packets is translated to the address of the interface through which the packet leaves the Security Gateway.
This ensures that return packets are routed back through the correct ISP link, as the NATed source matches the egress interface.

2. Does the firewall apply Hide NAT based on the active ISP interface for each connection?

Yes. The firewall applies Hide NAT based on the interface used for each connection. Each outgoing connection is NATed to the IP address of the interface it uses to exit the gateway. This is essential for correct routing of return traffic.

3. Are static NAT rules ignored in this mode?

No, static NAT rules are not ignored. Static NAT is still supported and required for incoming connections (e.g., for servers accessible from the Internet). For each server, you typically assign a public IP from each ISP and configure static NAT rules accordingly.
For outgoing connections, Hide NAT is most commonly used, but static NAT can be applied if specifically configured.

4. Is it possible to use a SNAT Pool with ISP Redundancy in Load Sharing mode?

Not natively in the same way as some other vendors. By default, Check Point's "Hide behind Gateway" will use the interface IP for NAT. However, you can achieve a similar effect (using a pool of public IPs) by using manual NAT rules and dynamic objects, but this requires advanced configuration and scripting.
See SK174197 for an example of using dynamic objects and scripts to switch Hide NAT pools during failover (primarily documented for Primary/Backup mode, but similar logic can be adapted).

5. Can I configure a pool of public IPs for outgoing connections, ensuring that traffic is NATed to the appropriate public IP based on the active ISP link?

By default, no. Outgoing connections are NATed to the interface IP of the egress ISP link.
Workaround: You can manually configure NAT rules to use specific public IPs (from a pool) for different internal networks or hosts. This can be done using manual NAT rules and dynamic objects, but it is not as seamless as "SNAT Pool" features in some other firewalls.
For advanced scenarios (e.g., using a pool of IPs per ISP and switching them during failover), you would need to use custom scripts and dynamic objects as described in SK174197.

References & Best Practices

For most deployments, "Hide behind Gateway" is sufficient and recommended for outgoing traffic.
For incoming connections, assign a public IP per ISP and configure static NAT.
For advanced NAT pool requirements, consult the following:
- SK174197: How to configure Hide NAT for different IP Address Ranges to work with ISP Redundancy in the Primary/Backup mode
- SK34812: ISP Redundancy configuration

Summary Table

Scenario	Supported?	Notes
Hide NAT per ISP	Yes	NATs to interface IP of egress ISP
Static NAT in Load Sharing	Yes	Required for incoming connections
SNAT Pool (native)	No	Workarounds possible with manual NAT and dynamic objects
Pool of public IPs per ISP	Possible (manual)	Requires advanced configuration and scripting (see SK174197)

If you need step-by-step guidance for a specific advanced NAT pool scenario, let me know your exact requirements and I can provide more detailed instructions!

Learn more:

View solution in original post

the_rock · ‎2025-08-18

You got it, makes total sense.

Andy

Best,
Andy
"Have a great day and if its not, change it"

View solution in original post

_Val_ · ‎2025-08-11

This is what AI Copilot has to say for the matter:

Here are detailed answers to your questions about NAT and ISP Redundancy in Load Sharing mode on Check Point firewalls:

1. How does NAT function in Load Sharing mode?

Hide NAT: When using ISP Redundancy in Load Sharing mode, outgoing traffic is distributed between the ISP links according to the configured weights. Hide NAT is typically set to "Hide behind Gateway," which means the source address of outgoing packets is translated to the address of the interface through which the packet leaves the Security Gateway.
This ensures that return packets are routed back through the correct ISP link, as the NATed source matches the egress interface.

2. Does the firewall apply Hide NAT based on the active ISP interface for each connection?

Yes. The firewall applies Hide NAT based on the interface used for each connection. Each outgoing connection is NATed to the IP address of the interface it uses to exit the gateway. This is essential for correct routing of return traffic.

3. Are static NAT rules ignored in this mode?

No, static NAT rules are not ignored. Static NAT is still supported and required for incoming connections (e.g., for servers accessible from the Internet). For each server, you typically assign a public IP from each ISP and configure static NAT rules accordingly.
For outgoing connections, Hide NAT is most commonly used, but static NAT can be applied if specifically configured.

4. Is it possible to use a SNAT Pool with ISP Redundancy in Load Sharing mode?

Not natively in the same way as some other vendors. By default, Check Point's "Hide behind Gateway" will use the interface IP for NAT. However, you can achieve a similar effect (using a pool of public IPs) by using manual NAT rules and dynamic objects, but this requires advanced configuration and scripting.
See SK174197 for an example of using dynamic objects and scripts to switch Hide NAT pools during failover (primarily documented for Primary/Backup mode, but similar logic can be adapted).

5. Can I configure a pool of public IPs for outgoing connections, ensuring that traffic is NATed to the appropriate public IP based on the active ISP link?

By default, no. Outgoing connections are NATed to the interface IP of the egress ISP link.
Workaround: You can manually configure NAT rules to use specific public IPs (from a pool) for different internal networks or hosts. This can be done using manual NAT rules and dynamic objects, but it is not as seamless as "SNAT Pool" features in some other firewalls.
For advanced scenarios (e.g., using a pool of IPs per ISP and switching them during failover), you would need to use custom scripts and dynamic objects as described in SK174197.

References & Best Practices

For most deployments, "Hide behind Gateway" is sufficient and recommended for outgoing traffic.
For incoming connections, assign a public IP per ISP and configure static NAT.
For advanced NAT pool requirements, consult the following:
- SK174197: How to configure Hide NAT for different IP Address Ranges to work with ISP Redundancy in the Primary/Backup mode
- SK34812: ISP Redundancy configuration

Summary Table

Scenario	Supported?	Notes
Hide NAT per ISP	Yes	NATs to interface IP of egress ISP
Static NAT in Load Sharing	Yes	Required for incoming connections
SNAT Pool (native)	No	Workarounds possible with manual NAT and dynamic objects
Pool of public IPs per ISP	Possible (manual)	Requires advanced configuration and scripting (see SK174197)

If you need step-by-step guidance for a specific advanced NAT pool scenario, let me know your exact requirements and I can provide more detailed instructions!

Learn more:

_Val_ · ‎2025-08-11

On top, I would also add sk42636 and all other SKs referenced there.

Campinho · ‎2025-08-18

Thank You @_Val_ !

I guess the best way is to implement SD-WAN in this case.

My customer has too many diferent rules with DIfferent Source IPs and wants to use both ISP links.

the_rock · ‎2025-08-18

You got it, makes total sense.

Andy

Best,
Andy
"Have a great day and if its not, change it"

AmirArama · ‎2025-09-09

With Quantum SD-WAN You can achieve all that in a much simpler way including using SNAT pool per ISP with load sharing per traffic (user/src/dst/updatable obj, application, etc)
Also Quantum SD-WAN will still accelerate those connections, in oppose to ISP Redundancy Load sharing that uses slow path AFAIK.

Are you a member of CheckMates?

ISP Redundacy Load Sharing - NAT

1. How does NAT function in Load Sharing mode?

2. Does the firewall apply Hide NAT based on the active ISP interface for each connection?

3. Are static NAT rules ignored in this mode?

4. Is it possible to use a SNAT Pool with ISP Redundancy in Load Sharing mode?

5. Can I configure a pool of public IPs for outgoing connections, ensuring that traffic is NATed to the appropriate public IP based on the active ISP link?

References & Best Practices

1. How does NAT function in Load Sharing mode?

2. Does the firewall apply Hide NAT based on the active ISP interface for each connection?

3. Are static NAT rules ignored in this mode?

4. Is it possible to use a SNAT Pool with ISP Redundancy in Load Sharing mode?

5. Can I configure a pool of public IPs for outgoing connections, ensuring that traffic is NATed to the appropriate public IP based on the active ISP link?

References & Best Practices