This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Campinho
Explorer
‎2025-08-06 06:37 AM
Jump to solution

ISP Redundacy Load Sharing - NAT

Hello,

I am configuring a Check Point firewall with two internet links in Load Sharing mode using ISP Redundancy. The NAT is set up on the internal network objects using the "Hide Behind Gateway"

I have the following questions:

  1. How does NAT function in Load Sharing mode?

    • Does the firewall apply Hide NAT based on the active ISP interface for each connection?

    • Are static NAT rules ignored in this mode?

  2. Is it possible to use a SNAT Pool with ISP Redundancy in Load Sharing mode?

    • Can I configure a pool of public IPs for outgoing connections, ensuring that traffic is NATed to the appropriate public IP based on the active ISP link?

0 Kudos
2 Solutions

Accepted Solutions
_Val_
Admin
Admin
‎2025-08-11 12:39 AM
Jump to solution

This is what AI Copilot has to say for the matter:

Here are detailed answers to your questions about NAT and ISP Redundancy in Load Sharing mode on Check Point firewalls:

1. How does NAT function in Load Sharing mode?

  • Hide NAT: When using ISP Redundancy in Load Sharing mode, outgoing traffic is distributed between the ISP links according to the configured weights. Hide NAT is typically set to "Hide behind Gateway," which means the source address of outgoing packets is translated to the address of the interface through which the packet leaves the Security Gateway.
  • This ensures that return packets are routed back through the correct ISP link, as the NATed source matches the egress interface.

2. Does the firewall apply Hide NAT based on the active ISP interface for each connection?

  • Yes. The firewall applies Hide NAT based on the interface used for each connection. Each outgoing connection is NATed to the IP address of the interface it uses to exit the gateway. This is essential for correct routing of return traffic.

3. Are static NAT rules ignored in this mode?

  • No, static NAT rules are not ignored. Static NAT is still supported and required for incoming connections (e.g., for servers accessible from the Internet). For each server, you typically assign a public IP from each ISP and configure static NAT rules accordingly.
  • For outgoing connections, Hide NAT is most commonly used, but static NAT can be applied if specifically configured.

4. Is it possible to use a SNAT Pool with ISP Redundancy in Load Sharing mode?

  • Not natively in the same way as some other vendors. By default, Check Point's "Hide behind Gateway" will use the interface IP for NAT. However, you can achieve a similar effect (using a pool of public IPs) by using manual NAT rules and dynamic objects, but this requires advanced configuration and scripting.
  • See SK174197 for an example of using dynamic objects and scripts to switch Hide NAT pools during failover (primarily documented for Primary/Backup mode, but similar logic can be adapted).

5. Can I configure a pool of public IPs for outgoing connections, ensuring that traffic is NATed to the appropriate public IP based on the active ISP link?

  • By default, no. Outgoing connections are NATed to the interface IP of the egress ISP link.
  • Workaround: You can manually configure NAT rules to use specific public IPs (from a pool) for different internal networks or hosts. This can be done using manual NAT rules and dynamic objects, but it is not as seamless as "SNAT Pool" features in some other firewalls.
  • For advanced scenarios (e.g., using a pool of IPs per ISP and switching them during failover), you would need to use custom scripts and dynamic objects as described in SK174197.

References & Best Practices

  • For most deployments, "Hide behind Gateway" is sufficient and recommended for outgoing traffic.
  • For incoming connections, assign a public IP per ISP and configure static NAT.
  • For advanced NAT pool requirements, consult the following:
    • SK174197: How to configure Hide NAT for different IP Address Ranges to work with ISP Redundancy in the Primary/Backup mode
    • SK34812: ISP Redundancy configuration

Summary Table

Scenario Supported? Notes
Hide NAT per ISP Yes NATs to interface IP of egress ISP
Static NAT in Load Sharing Yes Required for incoming connections
SNAT Pool (native) No Workarounds possible with manual NAT and dynamic objects
Pool of public IPs per ISP Possible (manual) Requires advanced configuration and scripting (see SK174197)

If you need step-by-step guidance for a specific advanced NAT pool scenario, let me know your exact requirements and I can provide more detailed instructions!

Learn more:
  1. R80.40 Next Generation Security Gateway Administration Guide - ISP-Redundancy-on-Security-Gateway
  2. R80.20SP Quantum Maestro Next Generation Security Gateway Administration Guide - ISP-Redundancy-on-S...
  3. R81 Quantum Security Gateway Guide - ISP-Redundancy-on-Security-Gateway

View solution in original post

(1)
the_rock
MVP Diamond
MVP Diamond
‎2025-08-18 01:02 PM
In response to Campinho
Jump to solution

You got it, makes total sense.

Andy

Best,
Andy
"Have a great day and if its not, change it"

View solution in original post

(1)
5 Replies
_Val_
Admin
Admin
‎2025-08-11 12:39 AM
Jump to solution

This is what AI Copilot has to say for the matter:

Here are detailed answers to your questions about NAT and ISP Redundancy in Load Sharing mode on Check Point firewalls:

1. How does NAT function in Load Sharing mode?

  • Hide NAT: When using ISP Redundancy in Load Sharing mode, outgoing traffic is distributed between the ISP links according to the configured weights. Hide NAT is typically set to "Hide behind Gateway," which means the source address of outgoing packets is translated to the address of the interface through which the packet leaves the Security Gateway.
  • This ensures that return packets are routed back through the correct ISP link, as the NATed source matches the egress interface.

2. Does the firewall apply Hide NAT based on the active ISP interface for each connection?

  • Yes. The firewall applies Hide NAT based on the interface used for each connection. Each outgoing connection is NATed to the IP address of the interface it uses to exit the gateway. This is essential for correct routing of return traffic.

3. Are static NAT rules ignored in this mode?

  • No, static NAT rules are not ignored. Static NAT is still supported and required for incoming connections (e.g., for servers accessible from the Internet). For each server, you typically assign a public IP from each ISP and configure static NAT rules accordingly.
  • For outgoing connections, Hide NAT is most commonly used, but static NAT can be applied if specifically configured.

4. Is it possible to use a SNAT Pool with ISP Redundancy in Load Sharing mode?

  • Not natively in the same way as some other vendors. By default, Check Point's "Hide behind Gateway" will use the interface IP for NAT. However, you can achieve a similar effect (using a pool of public IPs) by using manual NAT rules and dynamic objects, but this requires advanced configuration and scripting.
  • See SK174197 for an example of using dynamic objects and scripts to switch Hide NAT pools during failover (primarily documented for Primary/Backup mode, but similar logic can be adapted).

5. Can I configure a pool of public IPs for outgoing connections, ensuring that traffic is NATed to the appropriate public IP based on the active ISP link?

  • By default, no. Outgoing connections are NATed to the interface IP of the egress ISP link.
  • Workaround: You can manually configure NAT rules to use specific public IPs (from a pool) for different internal networks or hosts. This can be done using manual NAT rules and dynamic objects, but it is not as seamless as "SNAT Pool" features in some other firewalls.
  • For advanced scenarios (e.g., using a pool of IPs per ISP and switching them during failover), you would need to use custom scripts and dynamic objects as described in SK174197.

References & Best Practices

  • For most deployments, "Hide behind Gateway" is sufficient and recommended for outgoing traffic.
  • For incoming connections, assign a public IP per ISP and configure static NAT.
  • For advanced NAT pool requirements, consult the following:
    • SK174197: How to configure Hide NAT for different IP Address Ranges to work with ISP Redundancy in the Primary/Backup mode
    • SK34812: ISP Redundancy configuration

Summary Table

Scenario Supported? Notes
Hide NAT per ISP Yes NATs to interface IP of egress ISP
Static NAT in Load Sharing Yes Required for incoming connections
SNAT Pool (native) No Workarounds possible with manual NAT and dynamic objects
Pool of public IPs per ISP Possible (manual) Requires advanced configuration and scripting (see SK174197)

If you need step-by-step guidance for a specific advanced NAT pool scenario, let me know your exact requirements and I can provide more detailed instructions!

Learn more:
  1. R80.40 Next Generation Security Gateway Administration Guide - ISP-Redundancy-on-Security-Gateway
  2. R80.20SP Quantum Maestro Next Generation Security Gateway Administration Guide - ISP-Redundancy-on-S...
  3. R81 Quantum Security Gateway Guide - ISP-Redundancy-on-Security-Gateway
(1)
_Val_
Admin
Admin
‎2025-08-11 12:40 AM
In response to _Val_
Jump to solution

On top, I would also add sk42636 and all other SKs referenced there.

(1)
Campinho
Explorer
‎2025-08-18 12:09 PM
In response to _Val_
Jump to solution

Thank You @_Val_ !

I guess the best way is to implement SD-WAN in this case.

My customer has too many diferent rules with DIfferent Source IPs and wants to use both ISP links.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-08-18 01:02 PM
In response to Campinho
Jump to solution

You got it, makes total sense.

Andy

Best,
Andy
"Have a great day and if its not, change it"
(1)
AmirArama
Employee
Employee
‎2025-09-09 09:27 AM
Jump to solution

With Quantum SD-WAN You can achieve all that in a much simpler way including using SNAT pool per ISP with load sharing per traffic (user/src/dst/updatable obj, application, etc)
Also Quantum SD-WAN will still accelerate those connections, in oppose to ISP Redundancy Load sharing that uses slow path AFAIK.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events