NAT Rules and fw tab
I have been looking for a way to find out what NAT rules are actually happening on a specific gateway.
Of course there is SmartDashboard, where you could go into the policy and search for NAT rules, then see the names of each object and double-click in order to find out the Hide/Static NAT IP etc. But how would you do this for 10000 objects? There is also probably the option to use DBEDIT or even the API (R80+).
I have been looking over fw tab tables.
Started off from this post: fw ctl or checkpoint tables by any other name – yurisk.info
Looks like Check Point does not provide any explanation for most of the tables - not public at least.
I made a really long one-liner to list the table, convert it into decimal (-f does not work for this particular table) and tried to add a table "header" section, but I can't make any sense of the contents. I know each rule lists two lines, depending on whether it's inbound or outbound NAT. Does anyone know what each column represents? There are a total of 13 columns.
Actual source
root@ubuntu:/home/notroot# cat natold.txt | head -7
localhost:
-------- NAT_rules --------
static, id 1026
<00000000, 00000000; fffffffe, fffffffe, ff000001, 00000000, 00000000, 00000000, 00000000, 0a99903e, 00000000, 00000000, 00000000>
<00000000, 00000001; ff010202, 00000000, 0c099479, 0c999479, 00000000, 0c999479, 00000000, 00000000, 00000000, 00000060, 00000000>
<00000001, 00000000; fffffffe, fffffffe, ff000001, 00000000, 00000000, 00000000, 00000000, 899506fe, 00000000, 00000000, 00000000>
<00000001, 00000001; ff099202, 00000000, 0c999479, 0c999479, 00000000, 0c0b9999, 00000000, 00000000, 00000000, 00000060, 00000000>
So here goes:
fw tab -t NAT_rules -u | awk '{print " " $1 " " $5 " " $6 " " $7 " " $8 " " $10}' | sed s'/.$//' | sed 's/../& /g' | awk 'BEGIN{IFS=OFS="\t"}NR==1{print $0}{for(i=1;i<=NF;i++) if(i!=NF){printf "%s%c",strtonum("0x"$i),"."}else{printf "%d\n",strtonum("0x"$i)}}' | awk 'BEGIN{FS=".";OFS="\t";n=5;printf "%-4s %-18s %-23s %-23s %-23s %s\n","Key","IP1","IP2","OSOURCE1","OSOURCE2","FinalDEST"}NR>=5{printf "%-4s %s.%s.%s.%-5s\t", $5,$7,$8,$9,$10; printf "%s.%s.%s.%-10s\t",$12,$13,$14,$15; printf "%s.%s.%s.%-11s\t",$17,$18,$19,$20; printf "%s.%s.%s.%-11s\t",$22,$23,$24,$25; printf "%s.%s.%s.%s",$27,$28,$29,$30; printf "\n";}'
Output would look like this:
Key IP1 IP2 OSOURCE1 OSOURCE2 FinalDEST
43 255.0.0.2 0.0.0.0 192.168.31.15 192.168.31.15 203.0.13.15
43 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
44 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
44 203.0.13.15 203.0.13.15 0.0.0.0 192.168.31.15 0.0.0.0
Note: both internal and external IPs are *bogons* for the purpose of this post
Hi, I tried to run this string to get the NAT table, but get the error: "awk: calling undefined function strtonum". I removed this and it only lists the table in hex. Have you modified the script since then please?
It is possible they modified the table. I ran it on 77.30. I will have a look on Monday and update.
Sent from my iPhone
Probably this is caused by my version of awk not supporting strtonum.
What version of OS are you running? 80.10?
Sent from my iPhone
I ran this on my R80.10 gateway and it showed reasonable output.
Note that it might show some "implicit" NAT rules (or the ones that are there by default) in addition to ones you've created.
I also tried to run this on a 1490, and got a similar error (presumably due to lack of support for strtonum).
It might be worthwhile to do a version of the above that just prints the IPs in hex instead of trying to convert to decimal.
The awk is just a converter for hex. Therefore, if your platform doesn't support this, you can cut the awk, pipe the result to a file, and read the file and parse it with the awk on a different machine that runs Linux.
Sent from my iPhone
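The portability problem raised in this thread (awk on the gateway lacking strtonum) can be avoided by doing the hex-to-decimal conversion by hand inside POSIX awk, so the same command runs on a Gaia box, a 1400-series appliance or any Linux host. The following is an added example, not code from the original post or from Check Point: it assumes only the line shape shown in the post (`<key1, key2; v1, ..., v11>`), numbers the 11 value columns rather than naming them (their meaning is still unknown per the thread), and the sample input at the bottom is constructed from the post's own masked lines.

```shell
#!/bin/sh
# Portable parser for "fw tab -t NAT_rules -u" output: converts every 8-hex-digit
# field into a dotted quad without gawk's strtonum(). Header lines such as
# "-------- NAT_rules --------" and "static, id 1026" are passed through untouched.
# Usage on a gateway:  fw tab -t NAT_rules -u | nat_rules_to_ip
nat_rules_to_ip() {
  awk '
  # Hex string -> number, digit by digit (works in mawk, busybox awk, gawk).
  function hex2dec(h,   i, c, v) {
    v = 0
    h = tolower(h)
    for (i = 1; i <= length(h); i++) {
      c = substr(h, i, 1)
      v = v * 16 + index("0123456789abcdef", c) - 1
    }
    return v
  }
  # 32-bit value -> dotted quad (big-endian byte order, as in the post).
  function hex2ip(h,   v) {
    v = hex2dec(h)
    return int(v / 16777216) "." int(v / 65536) % 256 "." int(v / 256) % 256 "." v % 256
  }
  # Entry lines start with "<"; everything else (table headers) is echoed as-is.
  !/^</ { print; next }
  {
    line = $0
    gsub(/[<>]/, "", line)                  # strip the angle brackets
    split(line, parts, ";")                 # parts[1] = key fields, parts[2] = values
    gsub(/[ ,]+/, " ", parts[1]); gsub(/^ | $/, "", parts[1])
    gsub(/[ ,]+/, " ", parts[2]); gsub(/^ | $/, "", parts[2])
    split(parts[1], key, " ")
    nv = split(parts[2], vals, " ")
    # Key printed as decimal "rule/line" so the two lines per NAT rule stay visible.
    out = hex2dec(key[1]) "/" hex2dec(key[2])
    for (i = 1; i <= nv; i++) out = out " " hex2ip(vals[i])
    print out
  }'
}

# Constructed sample input (shape copied from the post, values are bogons, not real data).
nat_rules_sample() {
  printf '%s\n' \
    '-------- NAT_rules --------' \
    'static, id 1026' \
    '<00000000, 00000000; fffffffe, fffffffe, ff000001, 00000000, 00000000, 00000000, 00000000, 0a99903e, 00000000, 00000000, 00000000>' \
    '<00000000, 00000001; ff010202, 00000000, 0c099479, 0c999479, 00000000, 0c999479, 00000000, 00000000, 00000000, 00000060, 00000000>'
}

nat_rules_sample | nat_rules_to_ip
```

Because nothing here depends on gawk extensions, the conversion can run on the gateway itself instead of being shipped to another machine; the key is printed as two decimals so that both lines belonging to one rule (key 0/0 and 0/1 above) can be matched up, as the thread notes is necessary.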
Yes! It did not occur to me that the 1400/700 have stripped-down packages for the OS. It was intended, of course, for normal Gaia.
I will check and see, but just having hex NAT does not help.
Regarding "Note that it might show some 'implicit' NAT rules (or the ones that are there by default) in addition to ones you've created":
That was my question also in the original post, if anyone knows the exact structure, as I had to reverse engineer it and drop some tables from the hex version as they looked redundant.
Anyway, thanks for the update!
Thanks for sharing this; very useful. I have a doubt (maybe a dumb one): why do some rows show the IP address 255.1.2.2?
42 0.0.0.0 0.0.0.0 0.0.0.0 255.1.2.2 19.172.3.123
This is made up of assumptions and guesswork. The values are hex and I converted everything into an IP, but it may be that some positions have other parameters which don't convert to binary and then to a decimal IP, or it's some kind of masking. It also depends on the type of NAT, whether it's Hide, Static, etc.
On certain entries, all the relevant tables I parsed out are relevant and are IPs. The strange values starting with 255, I believe, are some kind of mask or pointer to the type of NAT.
I also noticed that each entry has two lines; you have to calculate both when processing the information.
