Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Nick_Doropoulos
Advisor

Workaround for manual NAT when security zones are used?

I know that as of R80.10, security zones are not supported with manual NAT. Some of the reasons for creating manual NAT rules as per Check Point's documentation are the following:

  • Rules that are restricted to specified destination IP addresses and to specified source IP addresses
  • Translate both source and destination IP addresses in the same packet.
  • Static NAT in only one direction
  • Translate services (destination ports)
  • Rules that only use specified services (ports)
  • Translate IP addresses for dynamic objects

I was wondering therefore if there are still any workarounds to achieve the above when the customer is using security zones in their policy.

Many thanks in advance.  

0 Kudos
4 Replies
Mark_Mitchell
Advisor

Hi Nicholas, 

I'm not entirely sure what your question is? As you have already stated that you can't use Security Zones in the NAT policy and that manual NAT's are required for flexibility. 

Regards

Mark

0 Kudos
Nick_Doropoulos
Advisor

Hi Mark,

So, say the customer is using security zones in his policies and wants to perform static NAT in one direction or translate IP addresses for dynamic objects. Short of asking the customer to stop using security zones, is there anything else that can be done to accommodate the aforementioned requests?

0 Kudos
Maarten_Sjouw
Champion
Champion

Is the setup of this customer a modular setup with multiple gateways, or is it actually a zone based policy because they are used to that and like it better?

Regards, Maarten
0 Kudos
Timothy_Hall
Legend Legend
Legend

Even with Security Zones in use, one must still define all networks behind each interface for purposes of antispoofing enforcement.  For any network that not "flat" (i.e. has additional routed networks beyond the VLAN the firewall is physically attached to) this will typically be represented as a specific group.  Those same interface antispoofing groups could be used in manual NAT rules to approximate the effect of Security Zones, but if groups containing a large number of objects are placed into both the source and destination of a manual NAT rule, that can expand out to a very large number of individual NAT rules so watch out. Representing the Internet here can be a bit tricky too, essentially you have to use a group with exclusion in the destination, which can also cause some unexpectedly large expansions.

Example: a group with 100 networks is added to the source of a manual NAT rule, and another group with 100 networks is added to the destination.  During policy compilation that will expand out to 10,000 individual NAT rules.  In the old days that value could get high enough to cause a policy compilation failure.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events