Ivory

Header to identify inbound original IP after NAT (hide NAT)

Hi, 

Below is the scenario:

Internet --> Check Point Firewall (anything from the Internet NAT'd to the firewall external interface IP, hide NAT) --> Load balancer --> backend server

I need to identify the inbound public IP after NAT is performed in the Check Point firewall, for analysis.

Is there a way to see this original inbound public IP in packet captures with a different header name, like XFF etc.?

Thanks

BSB

Admin

If you're doing this with NAT, no.
I believe you can achieve this with MAB Reverse Proxy.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

However, that SK says it doesn't add XFF.
However, you can add it by editing the reverse proxy conf file
$CVPNDIR/conf/ReverseProxy_conf/httpd_common.conf
Add the line
CvpnAddHeader "X-Forwarded-For" "$CLIENTIP"
to the end of the file.
Save changes and run: ReverseProxyCLI apply config
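Once the reverse proxy adds X-Forwarded-For, the backend (or the analysis tooling reading its logs) still has to decide when that header can be believed: it is an ordinary request header, so it must only be honoured on connections that actually arrive from the proxy or the load balancer in front of it. The following is an added example for that backend-side check, not code from this thread or from Check Point; the trusted proxy addresses and the sample requests are assumed values.

```python
import ipaddress

# Assumed, constructed addresses (not from the thread): the hops that may
# legitimately set or forward X-Forwarded-For on the way to the backend.
TRUSTED_PROXIES = {
    ipaddress.ip_address("10.0.0.1"),  # assumed: Security Gateway running the MAB reverse proxy
    ipaddress.ip_address("10.0.0.2"),  # assumed: load balancer between the gateway and backends
}


def original_client_ip(peer_ip: str, headers: dict) -> str:
    """Return the address to log as the original (pre-proxy) client.

    peer_ip -- the TCP peer the backend actually accepted the connection from.
    headers -- request headers; only X-Forwarded-For is consulted.

    The header is honoured only when the connection comes from a trusted hop,
    otherwise any client could forge it.  It is walked right-to-left, skipping
    trusted proxies, so the first untrusted entry is the address the reverse
    proxy saw on the public side, even if the client sent its own fake value.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer)  # header is not trustworthy here; use the socket peer

    # Header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    xff = lowered.get("x-forwarded-for", "")
    hops = [hop.strip() for hop in xff.split(",") if hop.strip()]

    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop walking and fall back to the peer
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)  # header absent, empty, or consisting only of trusted hops


# Constructed sample requests as the backend would see them after the LB.
SAMPLES = [
    ("10.0.0.2", {"X-Forwarded-For": "203.0.113.7"}),             # proxy-added header
    ("10.0.0.2", {"X-Forwarded-For": "9.9.9.9, 203.0.113.7"}),    # client-supplied fake first
    ("192.0.2.5", {"X-Forwarded-For": "203.0.113.7"}),            # bypassed the proxy
    ("10.0.0.2", {}),                                             # header missing
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs.get("X-Forwarded-For"), "->", original_client_ip(peer, hdrs))
```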
Ivory

Hi, 

This is for an inbound connection.

Below is the scenario.

1. ISP --> inbound traffic --> FW (incoming interface 1 and exit interface 2) --> Load balancer --> backend servers.

2. Same ISP --> inbound traffic --> FW (same firewall, incoming interface 1 and exit interface 5) --> Load balancer (same LB) --> backend servers.

The problem is that we already have a default route pointing towards firewall interface 2 from the load balancer.

Having one more default route towards a different interface is not feasible.

Hence the inbound public IP is NATted; the NAT'd IP reaches the LB, where the LB has the comfort of routing the NAT'd IP towards a different interface.

Admin

MAB Reverse Proxy will proxy the connection, originating it from the Security Gateway so NAT will not be required.
It can also add the XFF header, assuming you configure it as described.
Check Point does not provide a mechanism to add an XFF header when using NAT alone.