This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mahajem
Participant
‎2024-06-05 07:38 AM
Jump to solution

How to disable NAT from VIP to Gateway when trying to ping GW?

Hello, I need to ping from a monitoring server to our CP GW physical IP but when I checked the logs I found out that only the VIP is replying and NATed to the active GW member. When I try to ping the GW physical IP it does not work but pinging to standby members physical IP is working. Can anyone help me? Do I need to manipulate the table.def with no_hide_services_ports = { <0,1>}? Is it possible to do this change only for the monitoring servers IP address and why is standby IP not NATed?

It shows me XLATE Destination IP (IP from active GW member)

NAT Rule number 0

Dst Port 0

Src Port 0

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-06-06 07:31 AM
In response to Mahajem
Jump to solution

If the standby uses the VIP, the traffic would have to be communicated through the primary (which owns the VIP).

The SK I referred to modifies the behavior for all traffic on the specific gateway, whereas I believe the table.def modifications are more focused to specific types of traffic and apply to all gateways.
However, if you manage gateways of different versions, table.def changes need to be made multiple places.
They also need to be made again on an upgrade.

View solution in original post

4 Replies
PhoneBoy
Admin
Admin
‎2024-06-05 06:57 PM
Jump to solution

What version/JHF is the gateways?
Did you also check: https://support.checkpoint.com/results/sk/sk34180 

0 Kudos
Mahajem
Participant
‎2024-06-06 01:37 AM
In response to PhoneBoy
Jump to solution

R81 JHF T92, yes I also saw this sk but where are the difference between editing table.def and this workaround? And why does the standby not using the VIP?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-06 07:31 AM
In response to Mahajem
Jump to solution

If the standby uses the VIP, the traffic would have to be communicated through the primary (which owns the VIP).

The SK I referred to modifies the behavior for all traffic on the specific gateway, whereas I believe the table.def modifications are more focused to specific types of traffic and apply to all gateways.
However, if you manage gateways of different versions, table.def changes need to be made multiple places.
They also need to be made again on an upgrade.

the_rock
MVP Platinum
MVP Platinum
‎2024-06-06 07:41 AM
Jump to solution

I also have a gut feeling sk Phoneboy gave is your best option, but you can verify with TAC if there might be better option.

Personally, I doubt it...

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events