This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
khodgson_bts
Contributor
Tuesday
Jump to solution

NAT Rules not matching with new R82 gateway in place.

Morning.

We're trying to cut over from a cluster of 5000 series running R81.10 to a new cluster of 9000 series running R82 JHFA take 44. Management is running R82 take 44 as well and has been for several weeks now.

Within the NAT policy there are several NAT rules with "Gateways" in the install on column (screenshot attached). What seems to be happening is that when we flip over to the R82 gateway these NAT rules are not being matched and all Internal to Internal traffic is hitting the final manual NAT rule to hid behind the gateway public IP. It doesn't seem to be an issue when running on the old R81.10 gateway.

Where does this "Gateways" target come from and is it no longer supported on R82?

Thanks

 

image.png

0 Kudos
1 Solution

Accepted Solutions
khodgson_bts
Contributor
Tuesday
Jump to solution

So, it's confirmed that the "Gateways" installation target is not supported/enforced on R82 gateways. We change all the rules to use "Policy Targets" and this solved the issue.

View solution in original post

6 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
Tuesday
Jump to solution

Have you tried editing the "Gateways" object, what does it yield?

Unfortunately I cannot make out the object icon from the screenshot on my phone right now.

CCSM R77/R80/ELITE
0 Kudos
khodgson_bts
Contributor
Tuesday
In response to Chris_Atkinson
Jump to solution

It's not editable at all. Double click or right-click edit is unavailable.

0 Kudos
Alex-
MVP Silver
MVP Silver
Tuesday
In response to khodgson_bts
Jump to solution

I've seen this on environments which were upgraded from R7X all the way to R81.XX. Seems like a dynamic objects representing the gateways, which doesn't exist anymore. So it's in the configuration but can not be edited, added and so on.

As the release notes state that R82 doesn't support R77.30 versions, it might not be enforced at all.

khodgson_bts
Contributor
Tuesday
In response to Alex-
Jump to solution

I suspected this might be the case. As far as I can tell from the history, this policy has been around since somewhere around the R65 days so what you're saying makes sense. We've got a change scheduled for later to change all those to "Policy Targets" and try again.

Thanks!

the_rock
MVP Platinum
MVP Platinum
Tuesday
In response to khodgson_bts
Jump to solution

For sure...if its been around since R65 days, then all @Alex- said is 100% logical.

Best,
Andy
0 Kudos
khodgson_bts
Contributor
Tuesday
Jump to solution

So, it's confirmed that the "Gateways" installation target is not supported/enforced on R82 gateways. We change all the rules to use "Policy Targets" and this solved the issue.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events