This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
m4_prashanth
Participant
‎2021-05-01 10:30 PM
Jump to solution

NAT Rule Number 0 R77.30

Hi there,

   We have recently updated our NTP server IP address and on one of the CP Cluster noticed that NTP sync is not happening. While I was checking the logs, the specific NTP traffic is hitting a NAT rule number 0. But on the cluster there is no Hide behind gateway option is not configured. Also I checked the firewall object and NAT is not enabled. What are the other possibilities that result in this behaviour?

I can see the UUID of the NAT rule. With the help of that can I trace the NAT rule in smart dashboard?

 

Thank You in Advance 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-05-01 11:59 PM
Jump to solution

What is the precise source of the NTP traffic?
If it’s from one of the cluster members, traffic is always hidden behind the cluster IP by default unless disabled by: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...,

But like my colleague suggests, R77.30 has been End of Support for a while now and you should upgrade to a supported release.

View solution in original post

0 Kudos
5 Replies
Tal_Paz-Fridman
Employee
Employee
‎2021-05-01 10:45 PM
Jump to solution

It might be possible to search using the UID but I would recommend is upgrading from R77.30 to R80.40 or R81.

Searching using UID in NAT is possible in current versions.

We stopped supporting R77.30 in September 2019:

https://www.checkpoint.com/support-services/support-life-cycle-policy/#software-support

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-01 11:59 PM
Jump to solution

What is the precise source of the NTP traffic?
If it’s from one of the cluster members, traffic is always hidden behind the cluster IP by default unless disabled by: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...,

But like my colleague suggests, R77.30 has been End of Support for a while now and you should upgrade to a supported release.

0 Kudos
m4_prashanth
Participant
‎2021-06-04 05:47 AM
In response to PhoneBoy
Jump to solution

Thank you very much for the KB. Actually the traffic was getting NAT to the cluster vip and after allowing the cluster VIP for NTP, firewall was able to sync with NTP server.

 

I have couple of questions:

Though the traffic getting NAT to cluster VIP when I run the tcpdump utility on the gateway I still see the physical ip of the interface ip trying to connect to the NTP server. Is there any other options available to capture the traffic from the egress interface to confirm the source ip?

Further I have noticed though perform_cluster_hide_fold option was enabled for R80.20 cluster similar to R77.20, on the NTP server I’m receiving the traffic on the physical interface ip rather than cluster VIP. Is there any other options that will override the NAT.

Thanks in advance 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-04 03:32 PM
In response to m4_prashanth
Jump to solution

fw monitor should show the traffic at each stage of the firewall chain.
You should be able to see if it is actually natting the traffic appropriately.

m4_prashanth
Participant
‎2021-06-04 05:11 PM
In response to PhoneBoy
Jump to solution

Thank you very much 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top