Hi,
Have a standalone 3600.
One external interface connected to ISP, public-ip is assigned by dhcp.
Another interface is connected to LAN switches and created vlan subinterfaces as default gw for internal networks.
Some servers need to have incoming port forwarding for their services. Have little CP experience, this is now migrated from Palo Alto.
My issue is dynamic public-ip, how could I create fw/nat rules that are using the external interface ip?
It's working when I manually create a host object with the current public-ip.
Outgoing hide-nat is done by "Add automatic address translation rules"
Create manual rules in terms of the object LocalMachine.
Yes, already tried LocalMachine without success.
Seems that incoming traffic is not hitting the NAT rule anymore.
Is it possible to see the value of LocalMachine object?
Reading about dynamic objects now and scripts... not sure that is a good solution
LocalMachine is a dynamic object we manage.
You can use the dynamic_objects CLI command to see the current contents of any given dynamic object.
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_CLI_ReferenceGuide/Content/T...
Seems that only dynamic_objects I've made myself are possible to list, no result when I try LocalMachine.
Another issue is policy push when LocalMachine is used in policy, requires target to be DAIP module. sk180341 Same result if I specify target gateway.
Since Mgmt and Data plane aren't separated this is maybe caused by static ip on Mgmt Interface and DHCP on External interface..?
Not sure what is best practice for this.. possible to separate it sk138672 MDPS but a lot of limits..
MDPS is not relevant for standalone systems.
Did you try enabling DAIP as described here: https://support.checkpoint.com/results/sk/sk166225
I don't think you can enable it in SmartConsole since this is a standalone system, which I don't believe supports DAIP.
However, this might enable updating of the LocalMachine object if you have one of your interfaces defined as dynamic.
Tried to enable DAIP as described in sk166225, same result as sk180341 afterwards.
Maybe DAIP not supported for standalone...
The functionality to enable DAIP functionality is only supported on pure gateways (not standalone).
While a dynamic address will still work, you'll have to create and update your own Dynamic Object.
While you could script updating a dynamic_object, if you're using R81.20, you can do a Network Feed object that achieves the same thing.
Create the object as follows:
Note that I have no idea how reliable ipify is as I just found it with a quick Internet search.
However, anything that returns your public IP either in ASCII (like https://api.ipify.com does) or in JSON can be used.
Network Feed objects can be used in the Access Policy and NAT configuration on R81.20+ gateways.
It should also be noted that locally managed Quantum Spark appliances support this use case much better (using Server objects).
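One way to script the dynamic-object update mentioned above while vetting the IP service's response first, as an added example that is not from the thread or from Check Point. The object name `ext_public_ip` is hypothetical, and the `dynamic_objects -u ... -r` form should be checked against the CLI reference for your version; the script prints the command rather than running it.

```bash
#!/bin/bash
# Added example: vet a "what is my IP" response before it drives a NAT object.
OBJ="ext_public_ip"   # hypothetical dynamic object name

# Pull one IPv4 out of a plain-ASCII or {"ip":"..."} JSON body; fail otherwise.
extract_ip() {
    body=$(printf '%s' "$1" | tr -d '\r\n')
    case "$body" in
        \{*) body=$(printf '%s' "$body" |
                 sed -n 's/^{ *"ip" *: *"\([0-9.]*\)" *}$/\1/p') ;;
    esac
    printf '%s' "$body" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $body          # split into octets (digits and dots only by now)
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$body"
}

# Reject addresses that can never be the ISP-facing public IP.
is_public() {
    case "$1" in
        0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;;
        22[4-9].*|2[3-5][0-9].*) return 1 ;;
    esac
    return 0
}

# Print (not run) the dynamic_objects call that replaces the object's range,
# so the logic can be exercised off-gateway.
update_cmd() {
    ip=$(extract_ip "$1") || { echo "reject: not a single IPv4" >&2; return 1; }
    is_public "$ip" || { echo "reject: $ip is not public" >&2; return 1; }
    printf 'dynamic_objects -u %s -r %s %s\n' "$OBJ" "$ip" "$ip"
}

# Constructed sample responses (203.0.113.0/24 is a documentation range).
for sample in '203.0.113.7' '{"ip":"203.0.113.7"}' '10.0.0.5' '<html>err</html>'; do
    update_cmd "$sample" || true
done
```

A rejected response leaves the object at its last known value, so an error page or an unexpected body from the IP service never reaches the NAT rule.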
What about a security zone and manual NAT: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...
Never tried that myself, though.
Good tip, but seems that zones cannot be used when Translated Destination needs to be changed from "Original" (Local server ip)