Christopher_Ric
Participant

Temporarily Disable auto-generated nat rules

Is there a way of temporarily disabling auto-generated NAT rules without having to delete the NAT information from the object?

0 Kudos
1 Solution

Accepted Solutions
Vladimir
Champion

Simply create a new dummy Gateway object without defining its topology, using one of the loopback IPs, for instance:

[screenshot]

Change your "Install On" in NAT Properties of the objects slated for Static NAT to the dummy gateway:

[screenshot]

Define policy installation target as "Specific" and point it to the gateway it is originally designed for:

[screenshot]

Publish changes and install the policy.

Subsequent NATs from these hosts will be subjected to the NAT applied on the Network object, if any:

[screenshot]

Of course, you can script the object's NAT target change to do this in bulk, once the dummy gateway object is created.


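The bulk change Vladimir mentions at the end of his answer, as an added example (not code from the thread or from Check Point): a POSIX shell wrapper around mgmt_cli that points each listed host object's automatic-NAT "Install On" at the dummy gateway and then publishes, with a dry-run mode so the generated commands can be reviewed first. It assumes mgmt_cli is already logged in with a session file, that `set host` accepts the `nat-settings.install-on` key, and uses constructed host and gateway names.

```shell
#!/bin/sh
# Bulk re-targeting of automatic NAT "Install On" via the Check Point
# Management API CLI (mgmt_cli). Added example, not code from the thread.
# Assumptions: mgmt_cli is on PATH and already logged in (session id saved
# in $SESSION_FILE); "set host" accepts nat-settings.install-on; host and
# gateway names below are constructed placeholders for this demo.
set -eu

SESSION_FILE="${SESSION_FILE:-id.txt}"
DUMMY_GW="${DUMMY_GW:-dummy-nat-gw}"   # the loopback-IP gateway from the solution
DRY_RUN="${DRY_RUN:-1}"                # 1 = only print commands, 0 = execute them

# Build the mgmt_cli command that points one host's automatic NAT rule at
# a gateway. Returned as text so it can be reviewed before anything changes.
build_set_cmd() {
    host="$1"; target="$2"
    printf 'mgmt_cli set host name "%s" nat-settings.install-on "%s" -s %s\n' \
        "$host" "$target" "$SESSION_FILE"
}

# Apply the change to every host listed (one object name per line) and then
# publish the session. Blank lines in the list are skipped.
retarget_hosts() {
    list="$1"; target="$2"
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        cmd=$(build_set_cmd "$host" "$target")
        if [ "$DRY_RUN" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
    done < "$list"
    cmd="mgmt_cli publish -s $SESSION_FILE"
    if [ "$DRY_RUN" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
}

# Constructed sample list of the host objects slated for Static NAT.
HOST_LIST=$(mktemp)
printf '%s\n' web-srv-01 mail-srv-01 dns-srv-01 > "$HOST_LIST"

# Park the automatic NAT rules on the dummy gateway while testing; run the
# same call with the real gateway name (e.g. the new cluster) at cutover.
retarget_hosts "$HOST_LIST" "$DUMMY_GW"
```

Run with DRY_RUN=0 only after the printed commands look right; the policy install step from the answer still has to be done afterwards.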
8 Replies
PhoneBoy
Admin
To the best of my knowledge, no.
You could probably script disabling/enabling using something like this to export/import the relevant data: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/CLI-API-Example-for-exporting-imp...
0 Kudos
Timothy_Hall
Legend

Other than putting a manual anti-NAT rule like the following at the end of the initial manual NAT section of the NAT rulebase (right before the automatic rules start), pretty sure the answer is no:

Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service
Any             | Any                  | Any              | Original          | Original               | Original

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Christopher_Ric
Participant

Ok, so that manual NAT rule would essentially stop any possible ARP conflicts with the current environment? Essentially I am putting this new Check Point on the network with temp IPs until we cut over to it, but want to be able to test with the rulebase from the old firewalls without causing any conflicts.

0 Kudos
Timothy_Hall
Legend

No, the firewall will still proxy ARP for all automatic NATs even with that anti-NAT rule. You could uncheck the ARP checkbox in the NAT global properties to achieve that effect; be sure to run fw ctl arp to verify afterwards.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Maarten_Sjouw
Champion
When you are testing for a replacement, make sure those Automatic NAT rules contain an install-on gateway that is the old gateway; that way it will not be assigned to the new gateway, and when it comes to replacing the unit you need to remove that specific tick in the box to get it enabled on the new gateway.
Regards, Maarten
Christopher_Ric
Participant

The issue is I'm putting Check Point in place of Junipers, so I can't disrupt the production Junipers with the NAT policies, so I haven't pushed policy to the new Check Point cluster yet until I find a way to not cause disruption without removing all the static NAT information from the objects.

0 Kudos
PhoneBoy
Admin
Probably the most elegant solution.
0 Kudos