This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AaronCP
Advisor
‎2021-07-27 12:35 AM

Additional NAT rule 0

Good morning,

 

I have a manual static NAT rule configured in our rulebase:

 

Original Source: x.x.x.x - Original Destination: y.y.y.y - Original Service: any - Translate Source: Original - Translate Destination: z.z.z.z - Translate Service: original

 

The NAT rule itself works fine. In the logs, I can see the traffic is hitting the correct NAT rule (NAT rule 10, for example), but I can also see "NAT Additional Rule Number 0" in the logs. Initial research suggests that this is related to bi-directional NAT (which is enabled in Global Properties), but I thought this was only applied to automatic rules? Not manual? This is happening on the majority of our NAT rules, most of which are manual.

 

R80.40, take 118.

 

Can someone help clarify this, please?

 

Thanks.

 

0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-07-27 10:29 AM

I'm a bit hazy on this but NAT rule 0 applies in the following situations I can think of:

1) NAT "Hide Internal networks behind gateway's external IP" is set on the gateway/cluster object (not default setting)

2) Certain traffic to and from cluster member themselves, including control traffic

3) Traffic matching the implied Firewall policy rules (Actions...Display Implied Rules) from Security Policies tab in SmartConsole

4) Possibly lack of inspection/handling due to Wire Mode

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
net-harry
Collaborator
‎2021-09-23 05:57 AM
In response to Timothy_Hall

Hi,

I have a related question regarding NAT Additional Rule Number.

We have a NAT rule that translated various internal subnets to a hide-NAT address.

The logs that hits this NAT rule correctly shows the NAT rule number (NAT rule #8 in our case), but it also shows a "NAT Additional Rule Number". For most entries it is 1, but for some entries it is 0.

Could someone explain what this means and the reason this is happening?

Please note that:

  • NAT rule #1 does not at all match the traffic for the log entries with this behavior
  • We do not have "Hide Internal networks behind gateway's external IP" enabled on the gateways
  • We do not have "Allow bi-directional NAT" enabled in the global properties
  • This is traffic from inside subnets, not addresses on the firewalls themselves


We are running R80.40 on the MDS servers and R80.20 on the security gateways.

Thanks for your help!

Harry

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-09-24 05:31 AM
In response to net-harry

Normally the NAT additional rule number should be blank unless two automatic rules were matched (one for source and one for destination), but according to sk144192:

When matching 2 automatic rules, second rule match will be shown otherwise NAT Additional Rule field will be 0.

So that explains the NAT additional rule being 0 when matching only one automatic rule.  If a manual NAT rule is matched, only that one rule can be matched and the NAT additional rule should always be blank (or maybe 0).  Not sure why the field would show 1, perhaps it is trying to indicate that only one NAT rule (a manual one) is matched?  There were some changes to NAT made in R80.40 involving GNAT & exhaustion pools and such, perhaps this behavior change in the logs is related to that?

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events