Change to NAT behaviour - R81.20 T76
Hey all,
We recently upgraded our MDS to R81.20 T76. At first, all seemed OK, however we ran into a NAT problem when we began installing policy to some of our perimeter gateway environments. We noticed in the logs that DNS & proxy traffic originating from the gateway itself started to get NAT'd behind a public IP (hitting a generic hide NAT rule), where prior to T76 NAT was not being applied. The logs clearly showed that prior to the policy installation traffic was hitting the cluster No NAT rule (say NAT rule 10), and post installation traffic was hitting rule 50 - the generic Hide NAT.
For years now, we've used gateway No NAT rules in all of our policies so that any traffic originating from a cluster or SMO object (from any interface) would not be subject to NAT. The NAT rule would look like this:
- Original Source: Cluster/SMO Object
- Original Destination: Any
- Services: Any
- Translated Source: Original
- Translated Destination: Original
- Translated Service: Original
Note: some policies don't require an RFC1918 to RFC1918 No NAT as the traffic flows are predominantly outbound to the Internet.
It appeared there was a behaviour change when using cluster or SMO objects in NAT rules post-T76, and that if traffic was routing via the Mgmt interface, the No NAT rule would still work, but if traffic to the DNS/proxy servers was routing via an internal interface that belonged to that cluster/SMO object, the No NAT would no longer be applied. We overcame this challenge by manually defining No NAT rules for traffic originating from the cluster/SMO internal interface. This did not impact production traffic. It mainly impacted gateway traffic for IPS updates, etc.
Our Diamond Engineer confirmed a behaviour change was introduced in T76 to overcome a cluster hide NAT issue (I can't locate the PRJ/PRHF reference) where a cluster/SMO object was used in the Original Source in a Hide NAT rule. It looks like the use of a cluster/SMO object used in the Original Source of a No NAT rule also fell foul of this change.
I wondered if anyone else configured their cluster/SMO No NAT rules in this way, and if you've also experienced this issue?
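The symptom described in the post (gateway-originated DNS/proxy flows that used to match the No NAT rule suddenly matching the generic Hide NAT rule after a policy install) is something you can check for mechanically by comparing the NAT rule numbers in the gateway's own connection logs before and after the install. The following is an added example, not code from the thread or from Check Point: it assumes a simplified `key=value;key=value` log format with field names modelled on Check Point log fields (`src`, `dst`, `service`, `nat_rulenum`, `xlatesrc`), and the IP addresses, rule numbers (No NAT = 10, Hide NAT = 50, as in the post) and log lines are all constructed for the example.

```python
"""Added example (not from the CheckMates thread): flag gateway-originated
connections that were NATed, and diff NAT rule numbers across a policy install.

Assumed log format (not from the page): ';'-separated 'key=value' pairs with
field names modelled on Check Point log fields. All IPs and rule numbers are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed: addresses owned by the cluster/SMO object on each of its interfaces
# (Mgmt, internal, external). Any flow sourced from these is "gateway traffic".
GATEWAY_ADDRESSES = {"192.0.2.1", "10.0.0.1", "198.51.100.1"}
# Constructed: the cluster No NAT rule number the post expects gateway traffic to hit.
EXPECTED_NO_NAT_RULE = 10


@dataclass(frozen=True)
class NatEvent:
    src: str
    dst: str
    service: str
    nat_rule: Optional[int]   # None when the log carries no NAT rule number
    xlatesrc: Optional[str]   # translated source, None when absent


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict; tolerates stray separators and empty parts."""
    fields: Dict[str, str] = {}
    for part in line.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def to_event(fields: Dict[str, str]) -> NatEvent:
    rule = fields.get("nat_rulenum", "")
    return NatEvent(
        src=fields.get("src", ""),
        dst=fields.get("dst", ""),
        service=fields.get("service", ""),
        nat_rule=int(rule) if rule.isdigit() else None,
        xlatesrc=fields.get("xlatesrc") or None,
    )


def find_unexpected_nat(lines: Iterable[str],
                        gateway_addresses=GATEWAY_ADDRESSES,
                        expected_rule: int = EXPECTED_NO_NAT_RULE) -> List[NatEvent]:
    """Return gateway-sourced events whose source was rewritten, or which matched a
    NAT rule other than the expected No NAT rule. Hosts behind the gateway are
    ignored: hide NAT is the intended behaviour for them."""
    hits: List[NatEvent] = []
    for line in lines:
        ev = to_event(parse_line(line))
        if ev.src not in gateway_addresses:
            continue
        translated = ev.xlatesrc is not None and ev.xlatesrc != ev.src
        wrong_rule = ev.nat_rule is not None and ev.nat_rule != expected_rule
        if translated or wrong_rule:
            hits.append(ev)
    return hits


FlowKey = Tuple[str, str, str]


def rule_changes(before: Iterable[str], after: Iterable[str]) -> Dict[FlowKey, Tuple[Optional[int], Optional[int]]]:
    """Pair flows by (src, dst, service) across two log sets and report those whose
    NAT rule number differs, e.g. No NAT rule 10 before install, Hide NAT 50 after."""
    def index(lines: Iterable[str]) -> Dict[FlowKey, Optional[int]]:
        out: Dict[FlowKey, Optional[int]] = {}
        for line in lines:
            ev = to_event(parse_line(line))
            out[(ev.src, ev.dst, ev.service)] = ev.nat_rule
        return out
    b, a = index(before), index(after)
    return {k: (b[k], a[k]) for k in b.keys() & a.keys() if b[k] != a[k]}


# Constructed sample logs. BEFORE: gateway DNS queries via the internal interface hit
# the No NAT rule. AFTER: the same flow now hits the generic Hide NAT rule.
BEFORE_LOGS = [
    "action=accept;src=10.0.0.1;dst=203.0.113.53;service=53;nat_rulenum=10;xlatesrc=10.0.0.1",
    "action=accept;src=192.0.2.1;dst=203.0.113.53;service=53;nat_rulenum=10;xlatesrc=192.0.2.1",
]
AFTER_LOGS = [
    "action=accept;src=10.0.0.1;dst=203.0.113.53;service=53;nat_rulenum=50;xlatesrc=198.51.100.200",
    "action=accept;src=192.0.2.1;dst=203.0.113.53;service=53;nat_rulenum=10;xlatesrc=192.0.2.1",
    # A host behind the gateway: hide NAT is expected, so this is not flagged.
    "action=accept;src=10.0.0.25;dst=203.0.113.80;service=80;nat_rulenum=50;xlatesrc=198.51.100.200",
    # Gateway traffic that carries no NAT fields at all: not flagged.
    "action=accept;src=10.0.0.1;dst=10.0.5.10;service=443",
]

if __name__ == "__main__":
    for ev in find_unexpected_nat(AFTER_LOGS):
        print(f"gateway flow NATed: {ev.src} -> {ev.dst}/{ev.service} rule {ev.nat_rule} xlatesrc {ev.xlatesrc}")
    for key, (old, new) in rule_changes(BEFORE_LOGS, AFTER_LOGS).items():
        print(f"NAT rule changed for {key}: {old} -> {new}")
```

Run it against log exports taken from the same gateway immediately before and after a policy install; a non-empty `rule_changes` result for flows sourced from the gateway's own interface addresses is exactly the regression the post describes, and `find_unexpected_nat` gives a standing check that can be run after any future Jumbo Take.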
I can't find any such related issues in the release notes or fixes for Jumbo 76. If you get the info from the Diamond engineer, it would be nice to know. I know 2 customers running this take and have not heard of any issues at all after they installed it.
Andy
We have a ticket open with TAC about a NAT behaviour change that occurred after R81.10 HFA156 was installed - maybe the same fix caused it? It is about asymmetric routing of server traffic.
I'm not finding such a reference in the public JHF documentation.
Do you have an SR on the issue that I can review? (Please send in PM)
