This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Eric_Boughton
Participant
‎2018-12-21 09:50 AM
Jump to solution

Policy Layers with NATed Objects

Hi, 

I'm looking to simplify our policy and have started to use more inline layers. I was wondering how items with a NAT to them would work when defining the rule. Do I need to define both the NATed network and the DMZ Network as the destination? Or can I just use the DMZ network? I'm thinking I would need to define both. If it helps - the DMZ Items have the NATed address in the object. 

Currently:

1 rule - Source: Any Destination: one or two DMZ address with NAT Service: 80.

2nd Rule -Source: Any Destination: one DMZ address with NAT Service: TCP port.

 

Goal

Top - Source: Any Destination: DMZ (and NATed Network?) Service: Any

Next - Source: External Destination: Specific DMZ Server Service: 80

etc 

 

Thanks!

Labels
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2018-12-21 02:35 PM
Jump to solution

Access Rules should be defined in terms of the IP addresses that will apply before NAT is applied.

Which means, you'll probably need to use both.

View solution in original post

0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend
‎2018-12-21 02:09 PM
Jump to solution

Policy is matched prior to NAT, so you should use the pre-NAT object in the policy.  For outbound connections using Hide NAT, the source will be the original inside network.  For inbound connections using static NAT the destination should be the Internet-routable address prior to the NAT operation.  You can put the object representing the post-NAT address(es) in the rule as well if you want but it is not necessary.

Also the NAT "layer" must be kept separate in the Access Control policy and cannot be combined into a single policy layer like the features Firewall, APCL/URLF, & Content Awareness can be if using an R80.10 gateway.  I don't think the NAT policy is a "real" policy layer anyway since you can't use Security Zone objects in it.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-21 02:35 PM
Jump to solution

Access Rules should be defined in terms of the IP addresses that will apply before NAT is applied.

Which means, you'll probably need to use both.

0 Kudos
Eric_Boughton
Participant
‎2019-02-11 12:14 PM
In response to PhoneBoy
Jump to solution

To close the loop. We did need to have the External IP range (The NATed address) and the DMZ range (the internal IPs) as the destination in the top inline layer rule. The end result: 

Source: Any > Destination: DMZ, External IPs Action: Inline Later

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    CheckMates Events