This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Johan_Rudberg
Contributor
‎2019-10-22 12:45 AM
Jump to solution

NAT problem

Hello

 

A week or so ago we changed an ip address on one of our interfaces from 10.157.1.10 to 10.184.0.2 we also changed the NAT rules that was configured to the old ip address. 

But now still the firewall sends packets with the old ip of 10.157.1.10 and 12 even when those addreses are unconfigured.

Running R80.20 with HFA 103

 

//Johan

 

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2019-10-22 06:42 AM
Jump to solution

Please provide a log screenshot of accepted traffic still being NATted to the old address, the log card will show the NAT rules involved.  Keep in mind that after changing a NAT address only new connections will start using it, old connections will continue using the old NAT address until they end.  Are sure you are launching NEW connections for testing and not still riding on old ones?

 

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization

View solution in original post

8 Replies
Maarten_Sjouw
Champion
Champion
‎2019-10-22 01:29 AM
Jump to solution

Is this part of a cluster? Did you change the IP's in clish and in SmartConsole?
Regards, Maarten
0 Kudos
Johan_Rudberg
Contributor
‎2019-10-22 01:31 AM
In response to Maarten_Sjouw
Jump to solution

Yes its a VSX cluster with two physical GWs and two VSes, the change was made in SmartConsole.

//Johan

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-10-22 01:42 AM
In response to Johan_Rudberg
Jump to solution

So you changed the IP in the VS object, did you also push the policy? Both VS and VSX cluster would be best to push, normally only the VS policy needs to be pushed, but it wont hurt to also push the Cluster itself as well.
Regards, Maarten
0 Kudos
Johan_Rudberg
Contributor
‎2019-10-22 02:02 AM
In response to Maarten_Sjouw
Jump to solution

Yes we have pushed VS policy several times and the cluster policy once now, but still the old ip address is used.

 

//Johan

0 Kudos
_Val_
Admin
Admin
‎2019-10-22 02:20 AM
In response to Johan_Rudberg
Jump to solution

Any chance you have proxy arp in place?

 

 

0 Kudos
Johan_Rudberg
Contributor
‎2019-10-22 03:14 AM
In response to _Val_
Jump to solution

Yes the automatic default Proxy ARP is enabled and the Merge Manual setting too, however in the local.arp file there is only one entry with the new ip address in it.

 

//Johan

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-10-22 06:42 AM
Jump to solution

Please provide a log screenshot of accepted traffic still being NATted to the old address, the log card will show the NAT rules involved.  Keep in mind that after changing a NAT address only new connections will start using it, old connections will continue using the old NAT address until they end.  Are sure you are launching NEW connections for testing and not still riding on old ones?

 

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
Johan_Rudberg
Contributor
‎2019-10-22 07:24 AM
In response to Timothy_Hall
Jump to solution

Thank you we look into that!

//Johan
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events