This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JasMan
Contributor
a month ago
Jump to solution

R81.20: Get all enabled NAT objects from SmartConsole

Hi folks,

I want to get all host and network objects with enabled NAT.

The "Object Explorer" seems to be the best way to go for me.
But the NAT properties in the explorer overview and CSV export are different than the NAT setting of the object. The overview shows "None" and the object propertie shows "Hide" NAT enabled.

Screenshot 2025-08-11 132418.png

Do I missunderstood the explorer overview? 
any other ideas how I can get all NAT enabled objects?

 

Thanks.
Jas Man



0 Kudos
1 Solution

Accepted Solutions
Danny
Champion Champion
Champion
a month ago
Jump to solution

  1. Use Check Point's Show Package Tool to export your security and NAT policies to HTML
    • SSH login into the export mode of your SmartCenter and run $MDS_FWDIR/scripts/web_api_show_package.sh -n 443 -c
  2. Unarchive the resulting .tgz to a new folder or copy the .tgz to your PC and open the NAT policy in a web browser of your choice
  3. grep and sort -u the CSV that contains your NAT policy or check and export the objects within your NAT policies with a browser plugin of your choice.
  4. Done.

View solution in original post

(2)
11 Replies
Danny
Champion Champion
Champion
a month ago
Jump to solution

  1. Use Check Point's Show Package Tool to export your security and NAT policies to HTML
    • SSH login into the export mode of your SmartCenter and run $MDS_FWDIR/scripts/web_api_show_package.sh -n 443 -c
  2. Unarchive the resulting .tgz to a new folder or copy the .tgz to your PC and open the NAT policy in a web browser of your choice
  3. grep and sort -u the CSV that contains your NAT policy or check and export the objects within your NAT policies with a browser plugin of your choice.
  4. Done.
(2)
JasMan
Contributor
a month ago
In response to Danny
Jump to solution

Sounds good.

Unfortunately the script causes a out of memory exception in Java.

JVMDUMP055I Processing dump event "systhrow", detail "java/lang/OutOfMemoryError", exception "Java heap space" at 2025/08/11 14:41:21 - please wait.
.......

Guess we've to activate the fix as descriped here: https://support.checkpoint.com/results/sk/sk119553
I'm right?

0 Kudos
the_rock
Legend
Legend
a month ago
In response to JasMan
Jump to solution

I dont believe so...check output from my mgmt.

Andy

[Expert@CP-MANAGEMENT:0]# $MDS_FWDIR/scripts/web_api_show_package.sh -n 443 -c
Script finished running successfully!
Result file location: show_package-2025-08-11_08-53-46.tar.gz
[Expert@CP-MANAGEMENT:0]#

0 Kudos
JasMan
Contributor
a month ago
In response to the_rock
Jump to solution

I would expect the same output on our server. But as I've written, the script crashes with a OutOfMemoryError exception after some minutes.

The error takes me to https://support.checkpoint.com/results/sk/sk171173 and https://support.checkpoint.com/results/sk/sk119553

I'm wrong with the implementation from SK119553 to solve the exception? Any recommendations or concerns?

0 Kudos
the_rock
Legend
Legend
a month ago
In response to JasMan
Jump to solution

I cant sadly even open thise SKs, cause its telling me technical issues when I try to log in. Since its mgmt server, just try cprestart or quick reboot.

Andy

0 Kudos
the_rock
Legend
Legend
a month ago
In response to JasMan
Jump to solution

Was just able to open the sk you referenced. Not sure it would apply to you, as it does not go past R80.40 and you are on R81.20, but maybe you can verify with TAC. Honestly, if I were you, I would simply reboot the mgmt server.

Andy

0 Kudos
JasMan
Contributor
a month ago
In response to the_rock
Jump to solution

Restart done, but still the same error 😞
I've to ask our partner to solve this issue first. Thanks to all for your support.

0 Kudos
the_rock
Legend
Legend
a month ago
In response to JasMan
Jump to solution

I would definitely also open TAC case to check on this. To me, its certainly strange you get those errors, because such a script should run without any issues. Can you please confirm api status shows successful?

Andy

0 Kudos
JasMan
Contributor
3 weeks ago
In response to the_rock
Jump to solution

We're still struggeling with the error, but TAC provided us a workaround to export the needed data

mgmt_cli -r true show networks limit 500 offset 0 details-level "full" --format json >> FWMGNT_Export_Objects_1.json
mgmt_cli -r true show networks limit 500 offset 501 details-level "full" --format json >> FWMGNT_Export_Objects_2.json
mgmt_cli -r true show networks limit 500 offset 1001 details-level "full" --format json >> FWMGNT_Export_Objects_3.json


The export is limited to 500 objects. Therefore, we had to run it several times to get all objects. I've merged the files in PowerShell and exportet the needed fields.

0 Kudos
the_rock
Legend
Legend
a month ago
In response to JasMan
Jump to solution

@JasMan 

Example I got. Happy to attach .tgz file for you, its my lab anyway, so nothing secretive. let me know.

Andy

Domain: Management server
Package: R82-SSL-INSPECTION-LAB-POLICY
NAT rulebase
 

 

No. Name Original Source Original Destination Original Services Translated Source Translated Destination Translated Services Install-On Comments
Automatic Generated Rules : Machine Static NAT (No Rules)
Automatic Generated Rules : Machine Hide NAT (No Rules)
Automatic Generated Rules : Address Range Static NAT (No Rules)
Automatic Generated Rules : Network Static NAT (No Rules)
Automatic Generated Rules : Address Range Hide NAT (No Rules)
Automatic Generated Rules : Network Hide NAT (1-2)
1 Automatic Rule: CP_default_Office_Mode_addresses_pool
Any
  
2 Automatic Rule: CP_default_Office_Mode_addresses_pool
Any
Any
  
Manual Lower Rules (No Rules)
the_rock
Legend
Legend
a month ago
Jump to solution

Never tried personally the way @Danny mentioned, but definitely makes sense.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events