cezar_varlan1
Collaborator

NAT Rules and fw tab

I have been looking for a way to find out what NAT rules are actually happening on a specific gateway. 

Of course there is the Smart Dashboard where you could go into policy and search for NAT rules then see the names of each object and double click in order to find out the Hide/Static NAT IP etc. But how would you do this for 10000 Objects? There is also probably the option to use DBEDIT or even API (R80+). 

I have been looking over fw tab tables.

Started off from this post: fw ctl or checkpoint tables by any other name – yurisk.info 

Looks like Check Point does not provide any explanation for most of the tables - not public at least.

I made a really long one-liner to list the whole table, convert it into decimal (-f does not work for this particular table) and tried to add a table "header" section, but I can't make any sense of the contents. I know each rule lists two lines, depending on whether it's inbound or outbound NAT. Does anyone know what each column represents? There is a total of 13 columns.

Actual source 

root@ubuntu:/home/notroot# cat natold.txt | head -7
localhost:
-------- NAT_rules --------
static, id 1026
<00000000, 00000000; fffffffe, fffffffe, ff000001, 00000000, 00000000, 00000000, 00000000, 0a99903e, 00000000, 00000000, 00000000>
<00000000, 00000001; ff010202, 00000000, 0c099479, 0c999479, 00000000, 0c999479, 00000000, 00000000, 00000000, 00000060, 00000000>
<00000001, 00000000; fffffffe, fffffffe, ff000001, 00000000, 00000000, 00000000, 00000000, 899506fe, 00000000, 00000000, 00000000>
<00000001, 00000001; ff099202, 00000000, 0c999479, 0c999479, 00000000, 0c0b9999, 00000000, 00000000, 00000000, 00000060, 00000000>

So here goes:

fw tab -t NAT_rules -u | awk '{print " " $1 " " $5 " " $6 " " $7 " " $8 " " $10}' | sed s'/.$//' | sed 's/../& /g' | awk 'BEGIN{IFS=OFS="\t"}NR==1{print $0}{for(i=1;i<=NF;i++) if(i!=NF){printf "%s%c",strtonum("0x"$i),"."}else{printf "%d\n",strtonum("0x"$i)}}' | awk 'BEGIN{FS=".";OFS="\t";n=5;printf "%-4s %-18s %-23s %-23s %-23s %s\n","Key","IP1","IP2","OSOURCE1","OSOURCE2","FinalDEST"}NR>=5{printf "%-4s %s.%s.%s.%-5s\t", $5,$7,$8,$9,$10; printf "%s.%s.%s.%-10s\t",$12,$13,$14,$15; printf "%s.%s.%s.%-11s\t",$17,$18,$19,$20; printf "%s.%s.%s.%-11s\t",$22,$23,$24,$25; printf "%s.%s.%s.%s",$27,$28,$29,$30; printf "\n";}'

Output would look like this:

Key  IP1            IP2            OSOURCE1       OSOURCE2       FinalDEST
43   255.0.0.2      0.0.0.0        192.168.31.15  192.168.31.15  203.0.13.15
43   0.0.0.0        0.0.0.0        0.0.0.0        0.0.0.0        0.0.0.0
44   0.0.0.0        0.0.0.0        0.0.0.0        0.0.0.0        0.0.0.0
44   203.0.13.15    203.0.13.15    0.0.0.0        192.168.31.15  0.0.0.0

Note: both internal and external IPs are *bogons* for the purpose of this post

9 Replies
Nick_Fletcher
Explorer

Hi, I tried to run this string to get the NAT table, but get the error: "awk: calling undefined function strtonum". I removed this and it only lists the table in hex. Have you modified the script since then please?

cezar_varlan1
Collaborator

It is possible they modified the table. I ran it on 77.30. I will have a look on Monday and update.

Sent from my iPhone

Nick_Fletcher
Explorer

Probably this is caused by my version of awk not supporting strtonum.

cezar_varlan1
Collaborator

What version of OS are you running? 80.10?

Sent from my iPhone

PhoneBoy
Admin

I ran this on my R80.10 gateway and it showed reasonable output.

Note that it might show some "implicit" NAT rules (or the ones that are there by default) in addition to ones you've created.

I also tried to run this on a 1490, and got a similar error (presumably due to lack of support for strtonum). 

It might be worthwhile to do a version of the above that just prints the IPs in hex instead of trying to convert to decimal.

cezar_varlan1
Collaborator

The awk is just a converter for hex. Therefore, if your platform doesn't support this, you can cut the awk, pipe the result to a file, and then read and parse the file with the awk on a different machine that runs Linux.

Sent from my iPhone

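A portable decoder for the same "fw tab -t NAT_rules -u" output, added here as an example (it is not code from the thread): it uses only POSIX awk, so it does not depend on gawk's strtonum, which is what fails on the 1400/700 appliances discussed above; it skips the header lines, keeps the rule index and the 0/1 "half" from the two key columns so the two lines per rule stay paired, and prints all 11 value columns as dotted-decimal next to the raw hex so columns that are not addresses stay recognisable. The sample input is constructed from the rows pasted in the original post; the function name nat_table_decode and the variable SAMPLE_NAT_TABLE are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: the four table rows pasted in the original post, with
# the header lines that "fw tab -t NAT_rules -u" prints before them.
SAMPLE_NAT_TABLE='localhost:
-------- NAT_rules --------
static, id 1026
<00000000, 00000000; fffffffe, fffffffe, ff000001, 00000000, 00000000, 00000000, 00000000, 0a99903e, 00000000, 00000000, 00000000>
<00000000, 00000001; ff010202, 00000000, 0c099479, 0c999479, 00000000, 0c999479, 00000000, 00000000, 00000000, 00000060, 00000000>
<00000001, 00000000; fffffffe, fffffffe, ff000001, 00000000, 00000000, 00000000, 00000000, 899506fe, 00000000, 00000000, 00000000>
<00000001, 00000001; ff099202, 00000000, 0c999479, 0c999479, 00000000, 0c0b9999, 00000000, 00000000, 00000000, 00000060, 00000000>'

# nat_table_decode (hypothetical helper): reads fw tab output on stdin and
# prints one line per table row: the rule index, which of the rule's two
# lines it is (half 0 or 1), then the 11 value columns as dotted-decimal
# with the raw hex in parentheses (e.g. 00000060 shows up as 0.0.0.96).
nat_table_decode() {
  awk '
    # hex2dec: hex string to number using only POSIX awk (no strtonum).
    function hex2dec(h,   i, v) {
      v = 0; h = tolower(h)
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
      return v
    }
    # hex2ip: 8 hex digits to dotted decimal, one byte (two digits) at a time.
    function hex2ip(h,   ip, i) {
      ip = hex2dec(substr(h, 1, 2))
      for (i = 3; i <= 7; i += 2) ip = ip "." hex2dec(substr(h, i, 2))
      return ip
    }
    # Only table rows look like "<key, key; v1, ..., v11>"; headers are skipped.
    /^<[0-9a-fA-F]+, [0-9a-fA-F]+; / {
      gsub(/[<>;,]/, "")               # strip punctuation: 13 hex words remain
      out = "rule=" hex2dec($1) " half=" hex2dec($2)
      for (i = 3; i <= NF; i++)
        out = out " " hex2ip($i) "(" $i ")"
      print out
    }'
}

# Stand-alone run on the sample; on a gateway, pipe "fw tab -t NAT_rules -u"
# into nat_table_decode instead, or save the table and decode it elsewhere.
printf '%s\n' "$SAMPLE_NAT_TABLE" | nat_table_decode
```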
cezar_varlan1
Collaborator

Yes! It did not occur to me that the 1400/700 have stripped-down packages for the OS. It was intended, of course, for normal Gaia.

I will check and see but just having hex NAT does not help.

Regarding "Note that it might show some 'implicit' NAT rules (or the ones that are there by default) in addition to ones you've created":

That was my question also in the original post: if anyone knows the exact structure, as I had to reverse engineer it and drop some tables from the hex version as they looked redundant.

Anyway thanks for the update!

Sergio_Lima1
Participant

Thanks for sharing this; very useful. I have a doubt (maybe a dummy one): why do some rows show IP ADDR 255.1.2.2:

42   0.0.0.0            0.0.0.0                 0.0.0.0                 255.1.2.2               19.172.3.123

cezar_varlan1
Collaborator

This is made up of assumptions and guesswork. The values are hex and I converted everything into an IP, but it may be that some positions have either other parameters which don't convert to binary and then to a decimal IP, or it's some kind of masking. It also depends on the type of NAT, if it's Hide, Static, etc.

On certain entries all the relevant tables I parsed out are relevant, and are IPs. The strange values starting with 255, I believe, are some kind of mask or pointer to the type of NAT.

I also noticed that each entry has two lines, you have to calculate both when processing the information.
