B_P
Advisor

Automatic NAT causing issues with Mgmt's LAN to LAN traffic

It appears that the Management NAT setting to enable the "Apply for Security Gateway control connections" causes any connection from Management to other networks attached to the local gateway GW-A to be NAT'd. This causes problems with services like RADIUS for Management authentication as the connection is made from the local gateway's public IP instead of what it should be -- not NAT'd at all.

This cannot be overridden because it's an implied rule and precedes my no-NAT rules. Without the built-in NAT config, specifically the "Apply for Security Gateway control connections", the public IP gateways cannot function properly. In sk66381 there is a set security-management command that seems to be exactly what I need, but it only works on embedded systems? So my question is: is there a way to accomplish the custom setup, like the set security-management command does, but in regular Gaia?

[Screenshot attached: MgmtNATIssue.png]

4 Replies
PhoneBoy
Admin

A static (not HIDE) NAT is required so the gateway can initiate the relevant communication to the management server (e.g. for logging and policy fetch).
That is shown in the screenshot in sk66381.
I would assume you could then configure the RADIUS server to accept connections from the NAT IP?

The equivalent to set security-management on an SMB gateway is editing the file $FWDIR/conf/masters.
However, this file is now overwritten on policy install per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
You can modify this file and change the immutable flag so it doesn't get overwritten, though I haven't seen anyone do that in quite a while.

B_P
Advisor

Does the masters file work with standard R80.40 gateways? I can't seem to get it to work. The gateway also ignores its hosts file if you try to set an IP for Management (i.e. the public IP) that differs from the object's IP in Management.

Also, do you know of any documentation on how the masters file is supposed to work, and on the other NAT & Firewall config needed to manually set up Management to work through NAT, besides using the NAT setup under the Management object?

PhoneBoy
Admin

The masters file has existed since the very earliest days of the product.
The reason there is no current documentation on this file is that we effectively manage the contents of this via other means (e.g. with NAT on the management object), and modifying this file directly is no longer the recommended approach.
It seems to me that making your RADIUS server accept traffic from the relevant IP, versus manually hacking this file, would lead to fewer potential issues down the road.
Or try adding a manual “no NAT” rule to the relevant gateway to ensure traffic to the RADIUS server isn’t subject to NAT.
Believe this can be applied before the automatic NAT rules.
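The point about rule order above (a manual "no NAT" rule only helps if it is evaluated before the automatic NAT rules) can be shown with a small first-match NAT rulebase simulation. This is an added example, not code from the thread or from Check Point; the topology, addresses, rule names and RADIUS client list are constructed for illustration, and the automatic rule is a deliberate simplification of what the Management object's NAT settings generate.

```python
"""Added example (not from the original thread or Check Point): a first-match
NAT rulebase simulation showing why a manual "no NAT" rule only keeps
Management -> RADIUS traffic un-translated when it sits above the automatic
NAT rules.  All addresses, rule names and client lists are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology (RFC 1918 / documentation ranges, not real hosts):
MGMT = "10.10.10.5"          # Management server, on a LAN behind GW-A
GW_A_PUBLIC = "203.0.113.1"  # GW-A's public address used by the automatic NAT
RADIUS = "10.20.20.10"       # RADIUS server on another LAN behind GW-A
REMOTE_GW = "198.51.100.7"   # a remote gateway reached over the Internet


@dataclass
class NatRule:
    name: str
    src: str                        # original source (CIDR)
    dst: str                        # original destination (CIDR)
    translated_src: Optional[str]   # None = "no NAT": keep the original source
    automatic: bool = False         # generated from an object's NAT settings


@dataclass
class Packet:
    src: str
    dst: str


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))


def apply_nat(rulebase: List[NatRule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching rule wins, as in a NAT rulebase.  Returns the source
    address the destination will see and the name of the deciding rule."""
    for rule in rulebase:
        if rule_matches(rule, pkt):
            return (rule.translated_src or pkt.src), rule.name
    return pkt.src, None


# Simplified stand-in for the automatic rule the Management object's NAT
# settings produce: Management is translated to GW-A's public address for
# every destination (assumption for this example, not the exact generated rule).
AUTO_STATIC_NAT = NatRule("auto: Management static NAT", f"{MGMT}/32",
                          "0.0.0.0/0", GW_A_PUBLIC, automatic=True)

# The manual fix: Management -> RADIUS LAN must not be translated at all.
MANUAL_NO_NAT = NatRule("manual: no NAT Mgmt -> RADIUS LAN", "10.10.10.0/24",
                        "10.20.20.0/24", None)


def build_rulebase(no_nat_first: bool) -> List[NatRule]:
    """Place the manual rule either above or below the automatic one."""
    if no_nat_first:
        return [MANUAL_NO_NAT, AUTO_STATIC_NAT]
    return [AUTO_STATIC_NAT, MANUAL_NO_NAT]


def source_seen_by(rulebase: List[NatRule], dst: str) -> str:
    """Source address a given destination sees for a Management-originated flow."""
    return apply_nat(rulebase, Packet(MGMT, dst))[0]


def radius_accepts(allowed_clients: List[str], seen_src: str) -> bool:
    """A RADIUS server only answers clients it knows by source address.  This
    models the alternative fix: add the NAT address to the server's client list."""
    return any(ip_address(seen_src) in ip_network(c) for c in allowed_clients)


if __name__ == "__main__":
    for first in (False, True):
        rb = build_rulebase(no_nat_first=first)
        print(f"no-NAT rule first={first}: RADIUS sees {source_seen_by(rb, RADIUS)}, "
              f"remote gateway sees {source_seen_by(rb, REMOTE_GW)}")
```

With the manual rule first, the RADIUS server sees 10.10.10.5 while the remote gateway still sees 203.0.113.1, so the control connections keep working; with the automatic rule first, the manual rule is shadowed and RADIUS sees the public address, which is the failure described in the original post.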

B_P
Advisor

@PhoneBoy wrote:
    Believe this can be applied before the automatic NAT rules.

Indeed, and that fixed the RADIUS issue. Thx

@PhoneBoy wrote:
    modifying this file directly is no longer the recommended approach

Yeah, I can imagine, knowing Check Point. Do you know, or are you able to find out, what the "Apply for Security Gateway control connections" checkbox is doing behind the scenes, so I can manually configure it on the remote gateway without tripping up all the other gateways?

*Edit: another note, it would appear that checking that checkbox creates a single point of failure for Management, as all gateways now communicate through that single firewall via NAT to get to Management instead of going direct.
