Static NAT to DMZ Web Server on R80.10 Cluster (HA)
Hi,
I've been having trouble wrapping my head around something. The scenario is as follows:
ISP Router with multiple available public IPs --> CheckPoint 3000 Appliance Cluster --> Web server in DMZ
Now, I want to NAT https traffic from 10.10.10.10 (one of the public IPs) to the web server (192.168.1.5) in the DMZ. Should I create a proxy ARP entry for this to work, and if I should, how exactly should it be done? I have created the Web Server object with a static NAT to the IP I want it to listen on and applied it to a firewall policy to permit https traffic from All_Internet to my server object.
If someone can provide guidance on this, I would appreciate it. It has proven to be a bit more difficult than it seems.
Thanks in advance
You didn't make clear whether you set up the static NAT via the automatic technique (going to NAT tab of the object itself) or using a manual NAT rule by directly adding it to the NAT rule base.
If you configured it using the automatic method, all you need to do is place that object in the destination of a firewall rule permitting access into it and install policy. The firewall will automatically proxy ARP for the NAT address as needed (this assumes that the "Automatic ARP configuration" checkbox is set in the NAT global properties). You can verify this with the "fw ctl arp" command: if you see your NAT address listed there, the active member of a ClusterXL cluster will automatically proxy ARP for it.
If you used the manual rule setup on an R77.30 or earlier gateway, you will have to add a static *proxy* ARP (NOT just a static ARP - big difference) to both cluster members via the Gaia web interface, and make sure that the "merge manual proxy ARP configuration" checkbox is selected (it is not enabled by default) in the global NAT properties of SmartDashboard.
If you configured the manual rule NAT on an R80.10 gateway you can do the same static proxy ARP procedure, or you can follow the steps in this SK to enable automatic proxy ARPing for NAT addresses used in manual NAT rules:
sk114395: Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10
This is a brand new feature for R80.10 but is disabled by default. I have seen it in action and it works well.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
CET (Europe) Timezone Course Scheduled for July 1-2
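The manual-NAT path in the answer above (a proxy ARP entry on each member, then confirming the address with "fw ctl arp") as an added shell example. This is not code from the thread or from Check Point: the Gaia clish commands are run from expert mode via "clish -c", the addresses are the ones from the question, the external interface name eth0 is an assumption, and the "fw ctl arp" sample lines are constructed in the format those lines are assumed to have.

```bash
#!/bin/bash
# Added example, not from the original thread or from Check Point.
# Proxy ARP for a manual static NAT entry on a ClusterXL member, plus a
# check over "fw ctl arp" output. Assumes eth0 is the external interface.
set -eu

NAT_IP="10.10.10.10"      # public address the web server is NATed to (from the question)
REAL_IP="192.168.1.5"     # web server in the DMZ (from the question)
EXT_IF="eth0"             # assumption: external interface of each cluster member

# Gaia clish lines that create a *proxy* ARP entry (add arp proxy ...), not a
# static ARP entry (add arp static ...), for one member. "save config" keeps
# it across reboots. Run the same commands on BOTH members: only the active
# member answers ARP for the address, and after failover the other one must.
proxy_arp_cmds() {
  nat_ip=$1; ext_if=$2; real_ip=$3
  printf 'add arp proxy ipv4-address %s interface %s real-ipv4-address %s\n' \
    "$nat_ip" "$ext_if" "$real_ip"
  printf 'save config\n'
}

# Apply the commands on the local member from expert mode. Refuses to run
# where clish is not present (i.e. not on a Gaia member).
apply_proxy_arp() {
  command -v clish >/dev/null 2>&1 || {
    echo "clish not found; run this on a Gaia cluster member" >&2
    return 1
  }
  proxy_arp_cmds "$@" | while IFS= read -r cmd; do
    clish -c "$cmd"
  done
}

# Check whether an address is in the gateway's proxy ARP table.
# $1 = text of "fw ctl arp" output, $2 = address to look for.
# Assumed line format: "(10.10.10.10) at 00:1c:7f:aa:bb:cc interface eth0".
# Matching "($ip) at " as a fixed string keeps 10.10.10.1 from matching
# 10.10.10.10.
has_proxy_arp() {
  arp_out=$1; ip=$2
  printf '%s\n' "$arp_out" | grep -Fq -- "($ip) at "
}

# Constructed sample of "fw ctl arp" on the active member (not captured from
# a real gateway): the NAT address is listed, the server's real address is not.
SAMPLE_ARP='(10.10.10.10) at 00:1c:7f:aa:bb:cc interface eth0
(10.10.10.11) at 00:1c:7f:aa:bb:cc interface eth0'

# Typical use on a member: apply_proxy_arp "$NAT_IP" "$EXT_IF" "$REAL_IP"
# then fw ctl arp | grep "$NAT_IP" on the active member.
if has_proxy_arp "$SAMPLE_ARP" "$NAT_IP"; then
  echo "proxy ARP present for $NAT_IP"
else
  echo "no proxy ARP entry for $NAT_IP" >&2
fi
```

"show arp proxy all" in clish confirms the entry persisted on each member. With a manual NAT rule on R77.30, the entry is only honoured once the "merge manual proxy ARP configuration" checkbox from the answer is set and policy is installed; on R80.10 the sk114395 route replaces the per-member entries entirely.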
Tim,
Thank you for the info about automatic proxy ARP for manual NAT... I wasn't aware of this, definitely will try it.
However I was wondering, do you know how it will work with an HA cloning-group? Do you need to disable ARP again under the cloning-group configuration?
You mentioned that this is an HA deployment; if so, and if you are using ClusterXL Cloning-Group, you must remember to disable ARP in the cloning-group. If ARP is enabled under the cloning-group you are not able to configure proxy ARP per member, which is a must if you are using Manual NAT.
