This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christopher_Ric
Participant
‎2019-05-10 01:39 PM
Jump to solution

Temporarily Disable auto-generated nat rules

Is there a way of temporarily disabling auto-generated NAT rules without having to delete the NAT information from the object?

0 Kudos
1 Solution

Accepted Solutions
Vladimir
Champion
Champion
‎2019-05-12 01:04 PM
In response to Christopher_Ric
Jump to solution

Simply create new dummy Gateway object without defining its topology using one of the loopback IPs, for instance:

image.png

Change your "Install On" in NAT Properties of the objects slated for Static NAT to the dummy gateway:

image.png

 

Define policy installation target as "Specific" and point it to the gateway it is originally designed for:

image.png

 

Publish changes and install the policy.

 

Subsequent NATs from these hosts will be subjected to the NAT applied on the Network object, if any:

image.png

 

Of course, you can script the object's NAT target change to do this in bulk, once the dummy gateway object is created.

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2019-05-10 04:10 PM
Jump to solution

To the best of my knowledge, no.
You could probably script disabling/enabling using something like this to export/import the relevant data: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/CLI-API-Example-for-exporting-imp...
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-05-10 06:25 PM
Jump to solution

Other than putting a manual anti-NAT rule like the following at the end of the initial manual NAT section of the NAT rulebase (right before the automatic rules start), pretty sure the answer is no:

Any Any Any Original Original Original

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Christopher_Ric
Participant
‎2019-05-11 06:16 AM
In response to Timothy_Hall
Jump to solution

Ok, so that manual NAT rule would essentially stop any possible ARP conflicts with the current environment? Essentially I am putting this new check point on the network with temp IPs until we cutover to it, but want to be able to test with the rulebase from old firewalls without causing any conflicts.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-05-11 06:56 AM
In response to Christopher_Ric
Jump to solution

No the firewall will still proxy ARP for all automatic NATs even with that anti-NAT rule.  You could uncheck the ARP checkbox in the NAT global properties to achieve that effect, be sure to run fw ctl arp to verify afterwards.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-05-11 11:12 AM
In response to Timothy_Hall
Jump to solution

When you are testing for a replacement, make sure those Automatic NAT rules contain a install-on gateway that is the old gateway, that way it will not be assgined to the new gateway and when it comes to replacing the unit you need to remove that specific tick in the box to get it to be enabled on the new gateway.
Regards, Maarten
Christopher_Ric
Participant
‎2019-05-12 09:59 AM
In response to Maarten_Sjouw
Jump to solution

The issue is I'm putting Check Point in place of Junipers, so I can't disrupt the production Junipers with the NAT policies, so I haven't pushed policy to the new CheckPoint cluster yet until I find a way to not cause disruption without removing all the static nat information from the objects.

0 Kudos
Vladimir
Champion
Champion
‎2019-05-12 01:04 PM
In response to Christopher_Ric
Jump to solution

Simply create new dummy Gateway object without defining its topology using one of the loopback IPs, for instance:

image.png

Change your "Install On" in NAT Properties of the objects slated for Static NAT to the dummy gateway:

image.png

 

Define policy installation target as "Specific" and point it to the gateway it is originally designed for:

image.png

 

Publish changes and install the policy.

 

Subsequent NATs from these hosts will be subjected to the NAT applied on the Network object, if any:

image.png

 

Of course, you can script the object's NAT target change to do this in bulk, once the dummy gateway object is created.

PhoneBoy
Admin
Admin
‎2019-05-12 04:38 PM
In response to Vladimir
Jump to solution

Probably the most elegant solution.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events