This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AkosBakos
MVP Silver
MVP Silver
‎2025-06-04 04:00 AM

dynamic SNAT

Hi team,

I got an interesting task what I need to deploy.

I need to create a contitional NAT rule:

  • If: "IP_A" is reacable, I have to use SNAT_A IP in the sourceNAT
  • If: "IP_A" is NOT reacable, I have to use SNAT_B IF in the sourceNAT 

This is not a trivilal ISP redundancy setup, don't mix it. Both traffic should use the same ETH interface when leaving the gateway.

I welcome all ideas.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
7 Replies
Alex-
MVP Silver
MVP Silver
‎2025-06-04 06:28 AM

You could use a station which monitors IP A, and if not reachable, starts an automation using the Management API to change the NAT translated sourced in the NAT rule identified by UID. This change is reverted via another automation when IP A is reachable again.

AkosBakos
MVP Silver
MVP Silver
‎2025-06-04 06:33 AM
In response to Alex-

Hi Alex, 

Sounds great, but a policy install will be necessary, right? I will think about it.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Alex-
MVP Silver
MVP Silver
‎2025-06-04 08:51 AM
In response to AkosBakos

Yes it would require a policy install. Alternately, you could always have the default NAT rule above your backup NAT rule, so that in case of reachability change you disable or enable the generally used NAT rule. Different object manipulation, depends on your policy setup.

At least with the API, you have full audit of what happened when. Also it gives you verification options which could be trickier with a shenanigans-based approach.

CheckPointerXL
Advisor
Advisor
‎2025-06-04 02:53 PM
In response to Alex-

Instead, try to use zone into nat rules

the_rock
MVP Platinum
MVP Platinum
‎2025-06-04 03:59 PM
In response to CheckPointerXL

I agree with that 100% @CheckPointerXL 

Best,
Andy
JozkoMrkvicka
Authority
Authority
‎2025-06-04 12:25 PM

I second @Alex- 's idea, just couple of notes:

1. If firewall from which you want to check IP_A is managed from the same management, you can use management to connect to firewall over SIC (cprid_util). If return value of ping is 0, IP_A is reachable, otherwise not reachable.

2. Create both NAT rules manually and save both NAT rule UIDs. One of NAT rule will be always disabled, second NAT rule will be always enabled. Depending if IP_A is reachable or not, first NAT rule with already known UID will be disabled, second NAT rule with already known UID will be enabled and vice versa.

3. script will be run on management every XY minutes and do needed action once change is detected, including policy push.

Kind regards,
Jozko Mrkvicka
the_rock
MVP Platinum
MVP Platinum
‎2025-06-08 03:07 PM

Hey brother,

Were you able to figure this out?

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events