
Workaround for manual NAT when security zones are used?

I know that as of R80.10, security zones are not supported with manual NAT. Some of the reasons for creating manual NAT rules as per Check Point's documentation are the following:

  • Rules that are restricted to specified destination IP addresses and to specified source IP addresses
  • Translate both source and destination IP addresses in the same packet.
  • Static NAT in only one direction
  • Translate services (destination ports)
  • Rules that only use specified services (ports)
  • Translate IP addresses for dynamic objects

I was wondering therefore if there are still any workarounds to achieve the above when the customer is using security zones in their policy.

Many thanks in advance.  


Re: Workaround for manual NAT when security zones are used?

Hi Nicholas, 

I'm not entirely sure what your question is, as you have already stated that you can't use Security Zones in the NAT policy and that manual NATs are required for flexibility.

Regards

Mark


Re: Workaround for manual NAT when security zones are used?

Hi Mark,

So, say the customer is using security zones in his policies and wants to perform static NAT in one direction or translate IP addresses for dynamic objects. Short of asking the customer to stop using security zones, is there anything else that can be done to accommodate the aforementioned requests?


Re: Workaround for manual NAT when security zones are used?

Is the setup of this customer a modular setup with multiple gateways, or is it actually a zone based policy because they are used to that and like it better?

Regards, Maarten

Re: Workaround for manual NAT when security zones are used?

Even with Security Zones in use, one must still define all networks behind each interface for purposes of antispoofing enforcement. For any network that is not "flat" (i.e. has additional routed networks beyond the VLAN the firewall is physically attached to) this will typically be represented as a specific group. Those same interface antispoofing groups could be used in manual NAT rules to approximate the effect of Security Zones, but if groups containing a large number of objects are placed into both the source and destination of a manual NAT rule, that can expand out to a very large number of individual NAT rules, so watch out. Representing the Internet here can be a bit tricky too; essentially you have to use a group with exclusion in the destination, which can also cause some unexpectedly large expansions.

Example: a group with 100 networks is added to the source of a manual NAT rule, and another group with 100 networks is added to the destination.  During policy compilation that will expand out to 10,000 individual NAT rules.  In the old days that value could get high enough to cause a policy compilation failure.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
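An added illustration of the rule expansion described in the last reply (example code written for this page, not code from the thread or from Check Point): it models a manual NAT rule as the cross product of its source and destination group members, and models a "group with exclusion" for the Internet as the CIDR blocks left after carving the internal networks out of 0.0.0.0/0. The 100-network sample group, the CIDR-complement model of the exclusion group and the 10,000-rule threshold are all assumptions made for the example, so the figures are planning estimates rather than the compiler's exact behaviour.

```python
import ipaddress

# Constructed sample: a 100-member antispoofing-style group of internal /24s
# (10.0.0.0/24 ... 10.99.0.0/24), standing in for the interface groups discussed above.
INTERNAL = [ipaddress.ip_network(f"10.{i}.0.0/24") for i in range(100)]


def group_with_exclusion(excluded, universe="0.0.0.0/0"):
    """Model a 'group with exclusion' (e.g. Internet = Any minus internal networks)
    as the CIDR blocks that remain after carving every excluded network out of the
    universe. ASSUMPTION: the policy compiler represents the complement as such
    blocks; the real expansion may differ, so treat the counts as estimates only."""
    remaining = [ipaddress.ip_network(universe)]
    for ex in excluded:
        carved = []
        for block in remaining:
            if ex.subnet_of(block):
                carved.extend(block.address_exclude(ex))  # keep the siblings along the path to ex
            elif block.subnet_of(ex):
                continue  # block is swallowed entirely by the exclusion
            else:
                carved.append(block)
        remaining = carved
    return remaining


def expanded_rule_count(src_members, dst_members, services=1):
    """Size of the cross product the reply describes: each source member is paired
    with each destination member (and each translated service) at compile time."""
    return len(src_members) * len(dst_members) * services


def estimate(src_members, dst_members, services=1, limit=10_000):
    """Return (count, over_limit) so a rule's expansion can be checked before install.
    ASSUMPTION: 'limit' is a threshold chosen by the administrator, not a product limit."""
    count = expanded_rule_count(src_members, dst_members, services)
    return count, count > limit


if __name__ == "__main__":
    # Case 1 from the reply: a 100-member group in both source and destination.
    print("100 x 100 groups ->", expanded_rule_count(INTERNAL, INTERNAL))
    # Case 2: 'Internet' modelled as Any minus the internal group, used as destination.
    internet = group_with_exclusion(INTERNAL)
    print("complement blocks:", len(internet))
    print("100 sources x Internet ->", estimate(INTERNAL, internet))
```

Excluding a single /24 from 0.0.0.0/0 already leaves 24 blocks, which is why a group-with-exclusion destination multiplies out far beyond the size of the groups that define it.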