This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Subhojit
Participant
‎2023-05-24 09:48 AM
Jump to solution

Auto Hide Nat Redundancy

Hi,

I want to make Nat Rule for redundancy ISP for out going traffic. I have 2 ISP and Objects are Statically nated with their respective IP from ISP.I want configure a fail over nat rule. Is it possible or any other solution will be help full.

* ISPs are terminated in a Cisco Wan Switch and Checkpoint is connected directly with Wan Switch. 

GW version 81.20

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-05-24 01:57 PM
Jump to solution

Is it a single ISP or the same ISP with two different NAT numbers?
If they are different ISPs, you should be able to accomplish this via ISP Redundancy.
See: https://support.checkpoint.com/results/sk/sk34812

Otherwise, you should use a Dynamic Object in your NAT rule instead (which is what ISP Redundancy ultimately does).
You'll need to write a script to update the contents of this Dynamic Object using the dynamic_objects CLI command on each gateway that uses this object.
However, this gives you flexibility as to how and when to "fail over" the NAT.

View solution in original post

(1)
8 Replies
PhoneBoy
Admin
Admin
‎2023-05-24 01:57 PM
Jump to solution

Is it a single ISP or the same ISP with two different NAT numbers?
If they are different ISPs, you should be able to accomplish this via ISP Redundancy.
See: https://support.checkpoint.com/results/sk/sk34812

Otherwise, you should use a Dynamic Object in your NAT rule instead (which is what ISP Redundancy ultimately does).
You'll need to write a script to update the contents of this Dynamic Object using the dynamic_objects CLI command on each gateway that uses this object.
However, this gives you flexibility as to how and when to "fail over" the NAT.

(1)
Subhojit
Participant
‎2023-05-24 08:34 PM
In response to PhoneBoy
Jump to solution

Thank you..

 

0 Kudos
Subhojit
Participant
‎2023-05-24 11:10 PM
In response to Subhojit
Jump to solution

If i configure two IP from different ISPs in a sigle dynamic object.Does NAT will failover to another IP automatically if one ISP fail ? 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-25 02:01 PM
In response to Subhojit
Jump to solution

Configuring more than one IP in a Dynamic Object used in this manner won't fail over.
The script you write will determine the failover conditions and what IP is used in what case.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-05-24 02:28 PM
Jump to solution

When you say make NAT rules for ISP redundancy, you mean create different nat rules based on what subnets would go out of which ISP link?

Or did I misunderstand that totally?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-24 02:31 PM
In response to the_rock
Jump to solution

In this case, you don't need two rules, you only need one...in terms of the Dynamic Object you've created.
The Dynamic Object will determine what the IP will ultimately be translated to.

(1)
the_rock
MVP Diamond
MVP Diamond
‎2023-05-24 02:41 PM
In response to PhoneBoy
Jump to solution

Never knew that was possible...would you mind attach a screenshot of what nat rule would look like in case like that?

Cheers,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-24 02:48 PM
In response to the_rock
Jump to solution

The "translated source" would contain the Dynamic Object you created.
It's otherwise like any other NAT rule. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events