This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Usman_Shaikh
Contributor
‎2018-10-07 02:08 PM

Domain objects in NAT policy

Hi Experts

 

We current have a manual hide NAT in place for our internet traffic that translates our internal addresses to a publicly routable address on the external interface (call it eth1) of the firewall when accessing ALL Non-RFC addresses

 We now have a requirement to set up NAT for Azure Microsoft peering that uses a different outgoing interface (eth2) on the same firewall that is on a different public subnet(Routing is already setup using BGP for MS prefixes to go out via eth2)

Since the destination is this case is dynamic Microsoft domains only, I was thinking along the lines of using Domain objects in order to avoid creating (and then manage) individual network objects that represent Microsoft IP prefixes.. However domain objects can only be used in access policy rules and not in NAT rules; therefore I am looking for best possible way to achieve this 

(Additionally I would like to use a pool of translated addresses and not having to use just the interface address due to limittion of 65k sessions)

Deployment: VSX on R80.10

Desired rulebase

RuleOriginal SourceOriginal Destination

Translated Source

(Example only)

Trasnlated Destination
Internet-AccessInternal-NetworksAny

1.1.1.1

(IP on eth1 subnet)

Original
Azure-AccessInternal-Networks<Microsoft Domains>

2.2.2.1 - 2.2.2.10

(IP range on eth2 subnet)

Original
0 Kudos
3 Replies
AlekseiShelepov
Advisor
‎2018-10-07 02:32 PM

I think you need just to configure automatic NAT to use hide behind gateway setting instead of both manual NAT rules.

0 Kudos
Usman_Shaikh
Contributor
‎2018-10-07 02:51 PM
In response to AlekseiShelepov

Thanks for the reply..

Since manual NAT is checked first, this would always be matched... Also I would like to use range of addresses instead of one

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-10-08 12:16 AM

If you are in position to upgrade to R80.20 then maybe you could use the new updateable objects, they have Azure as option

Updatable Objects in R80.20 

I haven't played with them yet and don't know if they would work in NAT.

Else dynamic objects should do the trick, you just need to script Azure IP updates Smiley Happy

Configuring Dynamic Objects 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events