
Temporarily disable auto-generated NAT rules


Is there a way of temporarily disabling auto-generated NAT rules without having to delete the NAT information from the object?


Accepted Solution
Pearl

Simply create a new dummy Gateway object without defining its topology, using one of the loopback IPs, for instance:

[screenshot: dummy gateway object]

Change your "Install On" in NAT Properties of the objects slated for Static NAT to the dummy gateway:

[screenshot: NAT properties, "Install On" set to the dummy gateway]


Define policy installation target as "Specific" and point it to the gateway it is originally designed for:

[screenshot: policy installation target set to "Specific"]


Publish changes and install the policy.


Subsequent NATs from these hosts will be subjected to the NAT applied on the Network object, if any:

[screenshot: resulting NAT rulebase]


Of course, you can script the object's NAT target change to do this in bulk, once the dummy gateway object is created.

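The accepted answer ends with "you can script the object's NAT target change to do this in bulk". The script below is an added example (not code from the thread or from Check Point) of what that bulk change could look like. It reads a JSON export shaped like the output of `mgmt_cli show hosts details-level full`, picks out the hosts whose automatic NAT rule would otherwise be installed on the new gateway (an explicit install-on naming the production gateway, or the default "All"), and emits the `mgmt_cli set host` commands that park those rules on the dummy gateway. It goes one step beyond the answer by also emitting the commands that restore each host's original install-on value after cutover. The field names `nat-settings.auto-rule` and `nat-settings.install-on`, the value "All", the `-s id.txt` session-file convention and the sample hosts are all assumptions of this example, not values taken from the thread.

```python
"""Bulk-retarget automatic NAT "Install On" to a dummy gateway, and back.

Added example, not code from the thread. Assumed field names follow the
Check Point Management API (nat-settings.auto-rule / nat-settings.install-on);
the session file name and the host data below are constructed.
"""
import json
import shlex

# Constructed sample export: four hosts, three of them with automatic NAT rules.
# Shaped like the relevant part of `mgmt_cli show hosts details-level full`.
SAMPLE_HOSTS_JSON = """
{"objects": [
  {"name": "web-1", "ipv4-address": "10.1.1.10",
   "nat-settings": {"auto-rule": true, "method": "static",
                    "ipv4-address": "198.51.100.10", "install-on": "gw-prod"}},
  {"name": "db-1", "ipv4-address": "10.1.1.20",
   "nat-settings": {"auto-rule": true, "method": "static",
                    "ipv4-address": "198.51.100.20", "install-on": "All"}},
  {"name": "mgmt-1", "ipv4-address": "10.1.1.30",
   "nat-settings": {"auto-rule": false}},
  {"name": "lab-1", "ipv4-address": "10.1.1.40",
   "nat-settings": {"auto-rule": true, "method": "hide", "hide-behind": "gateway",
                    "install-on": "gw-lab"}}
]}
"""

SESSION_FILE = "id.txt"  # assumption: session id saved by `mgmt_cli login > id.txt`


def select_auto_nat_hosts(export, production_gateways):
    """Return (name, current install-on) for hosts whose automatic NAT rule
    would be installed on the new gateway.

    Only objects with an automatic rule matter. The rule is installed on the
    gateway named in install-on; the default "All" means every gateway that
    receives the policy, so it is included as well. The current value is kept
    so that it can be restored after cutover.
    """
    selected = []
    for obj in export.get("objects", []):
        nat = obj.get("nat-settings") or {}
        if not nat.get("auto-rule"):
            continue  # no automatic NAT rule: nothing to move
        install_on = nat.get("install-on", "All")
        if install_on == "All" or install_on in production_gateways:
            selected.append((obj["name"], install_on))
    return selected


def set_install_on_cmd(host_name, gateway_name):
    """One `mgmt_cli set host` call that changes only the NAT install-on target."""
    return (f"mgmt_cli set host name {shlex.quote(host_name)} "
            f"nat-settings.install-on {shlex.quote(gateway_name)} -s {SESSION_FILE}")


def retarget_commands(selected, dummy_gateway):
    """Commands that park the selected automatic rules on the dummy gateway."""
    cmds = [set_install_on_cmd(name, dummy_gateway) for name, _ in selected]
    cmds.append(f"mgmt_cli publish -s {SESSION_FILE}")
    return cmds


def restore_commands(selected):
    """Commands that put each host's original install-on value back."""
    cmds = [set_install_on_cmd(name, original) for name, original in selected]
    cmds.append(f"mgmt_cli publish -s {SESSION_FILE}")
    return cmds


def plan(export_json, production_gateways, dummy_gateway):
    """Build the retarget and restore command lists from a raw JSON export."""
    selected = select_auto_nat_hosts(json.loads(export_json), set(production_gateways))
    return {
        "hosts": selected,
        "retarget": retarget_commands(selected, dummy_gateway),
        "restore": restore_commands(selected),
    }


if __name__ == "__main__":
    result = plan(SAMPLE_HOSTS_JSON, ["gw-prod"], "gw-dummy")
    print("# hosts to move:", [name for name, _ in result["hosts"]])
    print("\n".join(result["retarget"]))
    print("# to undo after cutover:")
    print("\n".join(result["restore"]))
```

The generated commands only change the install-on target and publish; installing the policy with a "Specific" target, as the answer describes, is still a separate step. Keep the `hosts` list (name and original value) somewhere safe before running the retarget commands, since it is the only record of what "All" versus an explicit gateway each object had.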

8 Replies
Admin
To the best of my knowledge, no.
You could probably script disabling/enabling using something like this to export/import the relevant data: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/CLI-API-Example-for-exporting-imp...

Other than putting a manual anti-NAT rule like the following at the end of the initial manual NAT section of the NAT rulebase (right before the automatic rules start), pretty sure the answer is no:

Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service
Any             | Any                  | Any              | Original          | Original               | Original


Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

Ok, so that manual NAT rule would essentially stop any possible ARP conflicts with the current environment? Essentially I am putting this new Check Point on the network with temp IPs until we cut over to it, but want to be able to test with the rulebase from the old firewalls without causing any conflicts.


No, the firewall will still proxy ARP for all automatic NATs even with that anti-NAT rule. You could uncheck the ARP checkbox in the NAT global properties to achieve that effect; be sure to run fw ctl arp to verify afterwards.

When you are testing for a replacement, make sure those Automatic NAT rules contain an install-on gateway that is the old gateway; that way they will not be assigned to the new gateway, and when it comes to replacing the unit you need to remove that specific tick in the box to get them enabled on the new gateway.
Regards, Maarten

The issue is I'm putting Check Point in place of Junipers, so I can't disrupt the production Junipers with the NAT policies. So I haven't pushed policy to the new Check Point cluster yet, until I find a way to not cause disruption without removing all the static NAT information from the objects.


Admin
Probably the most elegant solution.