We are migrating our networks to Check Point and have about 60 VLANs where various devices ask the default GW for NTP. This wasn't a problem before, but since Check Point can't work as an NTP server I thought we could just redirect the traffic to the def GW to our NTP server.
This was harder than expected though.
I don't have any experience with NAT on Check Point since we don't use it on this site, but it sounded simple in my head. I don't really understand how it's supposed to be done in Check Point though.
I tried:
NAT, Original: (src: <VLAN> dst:<def GW> service:NTP ) Translated: ( dst:<NTP server>, rest original)
and FW Policy allowing NTP traffic to def GW.
The VLAN itself is already allowed to communicate with the NTP server in an earlier policy, since on some devices in the VLAN it is easy to fix the NTP settings.
But the traffic is still dropped. Do I need to add a host object with NAT checked and the translated address for every VLAN as well?
Or isn't this possible at all?
From my point of view the proper way is to use a new group (all networks in the requested VLANs) and a dst fw_node/fw_cluster object. Also check whether the rule allowing NTP to the FW is above the stealth rule.
What types of objects did you use in "src: <VLAN>" (group/network...) and "dst:<def GW>" (host/fw_cluster/fw_node)?
The VLANs are network objects. I made a new host object with the default GW address.
There is an unsupported way to get the Check Point Gaia software to run as an NTP server:
vi the /etc/ntp.conf file and add the following line per network you want to allow to get NTP from the gateway:
restrict 10.0.0.0 mask 255.0.0.0 nomodify
The above allows any 10.x.x.x client to get NTP from the gateway.
We run R80.10 and, as I understood it, this won't work anymore? The ntp.conf is automatically generated, but maybe it won't get overwritten unless you change the NTP settings?
Since it's a normal Linux system at its base, it would be possible to use ntpd for our networks. But there was an SK about this being prevented.
From my point of view the proper way is to use a new group (all networks in the requested VLANs) and a dst fw_node/fw_cluster object. Also check whether the rule allowing NTP to the FW is above the stealth rule.
Hmm, I can't use the FW cluster in the NAT rule. Can't install the policy when I try to do that. That's why I made a host object for the default GW.
But I forgot about the stealth rules. I can move the access policy and see if it makes a difference.
That was it, the stealth rule. Didn't think about it since all the drops were registered with CPEarlyDrop. It worked to make a NAT redirect as I thought then.
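The rule-ordering problem that resolved this thread, as an added example (not written by any poster and not Check Point code): a simplified first-match rulebase model that reports an accept rule fully covered by an earlier drop rule. It assumes the access policy is evaluated top-down against the original destination (the default GW); all addresses and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR, host address, or "any"
    dst: str
    service: str   # service name or "any"
    action: str    # "accept" or "drop"

def covers(outer, inner):
    """True when every address in `inner` is also in `outer`."""
    if ANY in (outer, inner):
        return outer == ANY
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def first_match(rulebase, src, dst, service):
    """Name of the first rule matching the packet (top-down, first match wins)."""
    for r in rulebase:
        if covers(r.src, src) and covers(r.dst, dst) and r.service in (ANY, service):
            return r.name
    return None

def shadowed_rules(rulebase):
    """(lower, upper) pairs where an earlier rule with the opposite action fully covers a later one."""
    found = []
    for i, lower in enumerate(rulebase):
        for upper in rulebase[:i]:
            if (upper.action != lower.action and covers(upper.src, lower.src)
                    and covers(upper.dst, lower.dst)
                    and upper.service in (ANY, lower.service)):
                found.append((lower.name, upper.name))
                break
    return found

# Constructed sample values: VLAN 10.1.20.0/24, default GW 10.1.20.1, NTP server 10.9.0.10.
VLAN, GW, NTP_SRV = "10.1.20.0/24", "10.1.20.1", "10.9.0.10"
NTP_TO_SRV = Rule("vlan-to-ntp-server", VLAN, NTP_SRV, "ntp", "accept")
NTP_TO_GW = Rule("ntp-to-gw", VLAN, GW, "ntp", "accept")
STEALTH = Rule("stealth", ANY, GW, ANY, "drop")
CLEANUP = Rule("cleanup", ANY, ANY, ANY, "drop")
BEFORE = [NTP_TO_SRV, STEALTH, NTP_TO_GW, CLEANUP]  # NTP-to-GW rule below the stealth rule
AFTER = [NTP_TO_SRV, NTP_TO_GW, STEALTH, CLEANUP]   # NTP-to-GW rule moved above it

if __name__ == "__main__":
    for label, rb in (("before", BEFORE), ("after", AFTER)):
        print(label, first_match(rb, "10.1.20.15", GW, "ntp"), shadowed_rules(rb))
```

Running the same check over an exported rulebase before installing policy surfaces this kind of ordering mistake without having to trace drops in the logs.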