LostBoY
Advisor

NAT Priority In Checkpoint R80.40

I have a Checkpoint Geo-Cluster in Active-Active Mode in AWS. I need to set up outbound NAT for a webserver. The WAN IP/Elastic IP of that server will be whitelisted at the remote site.

The issue here is I don't want to use NAT (hide behind Gateway) for outbound communication, as in that case I have to share the external IP of my GW. I created a secondary IP in AWS for this Gateway and mapped an Elastic IP to it. Is there any way I can make Checkpoint take the secondary Elastic IP while using hide behind Gateway NAT? Hide behind IP won't work here as it's an Active-Active Cluster where one member handles traffic at a time. If I use hide behind IP, outbound communication will fail if traffic switches to the secondary device.

Please advise.

0 Kudos
7 Replies
PhoneBoy
Admin

You could try to use a Dynamic Object here, which is a sort of placeholder object.
This would go in the translated source of a manual NAT rule.
You would use the dynamic_objects CLI command on each gateway to set it to the correct value.

0 Kudos
LostBoY
Advisor

Thanks for the reply. I referred to an article on Dynamic Objects which states to create Dynamic Objects and then define values by clicking on the Gateways and going to the Dynamic Object section. However, I couldn't find the Dynamic Object tab when I double-click on the GWs. I am using an R80.40 Cluster.

Is this limited to other versions?

0 Kudos
PhoneBoy
Admin

Dynamic Objects have existed for quite some time.
You create them here:

[Image: image.png]

Think of it as a "placeholder" object you can use with the actual definition defined on the security gateway itself via the CLI. 
More details here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
LostBoY
Advisor

OK, so I think I need to enable SmartProvisioning before using Dynamic Objects. Is it a licensed feature? Is a license required for the Mgmt Server and all GWs it manages?

0 Kudos
PhoneBoy
Admin

SmartProvisioning generally requires a license.
However, they are not required for the use of Dynamic Objects.

0 Kudos
LostBoY
Advisor

OK, but how do I set up Dynamic Objects without SmartProvisioning? I am able to create Dynamic Objects from SmartConsole, but I couldn't get to assigning values to the created DO.

0 Kudos
PhoneBoy
Admin

The configuration for the values of the Dynamic Objects is done via the CLI as described in the SK I linked to.

0 Kudos