This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
khodgson_bts
Collaborator
4 weeks ago
Jump to solution

NAT Rules not matching with new R82 gateway in place.

Morning.

We're trying to cut over from a cluster of 5000 series running R81.10 to a new cluster of 9000 series running R82 JHFA take 44. Management is running R82 take 44 as well and has been for several weeks now.

Within the NAT policy there are several NAT rules with "Gateways" in the install on column (screenshot attached). What seems to be happening is that when we flip over to the R82 gateway these NAT rules are not being matched and all Internal to Internal traffic is hitting the final manual NAT rule to hid behind the gateway public IP. It doesn't seem to be an issue when running on the old R81.10 gateway.

Where does this "Gateways" target come from and is it no longer supported on R82?

Thanks

 

image.png

0 Kudos
1 Solution

Accepted Solutions
khodgson_bts
Collaborator
4 weeks ago
Jump to solution

So, it's confirmed that the "Gateways" installation target is not supported/enforced on R82 gateways. We change all the rules to use "Policy Targets" and this solved the issue.

View solution in original post

18 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
4 weeks ago
Jump to solution

Have you tried editing the "Gateways" object, what does it yield?

Unfortunately I cannot make out the object icon from the screenshot on my phone right now.

CCSM R77/R80/ELITE
0 Kudos
khodgson_bts
Collaborator
4 weeks ago
In response to Chris_Atkinson
Jump to solution

It's not editable at all. Double click or right-click edit is unavailable.

0 Kudos
Alex-
MVP Silver
MVP Silver
4 weeks ago
In response to khodgson_bts
Jump to solution

I've seen this on environments which were upgraded from R7X all the way to R81.XX. Seems like a dynamic objects representing the gateways, which doesn't exist anymore. So it's in the configuration but can not be edited, added and so on.

As the release notes state that R82 doesn't support R77.30 versions, it might not be enforced at all.

khodgson_bts
Collaborator
4 weeks ago
In response to Alex-
Jump to solution

I suspected this might be the case. As far as I can tell from the history, this policy has been around since somewhere around the R65 days so what you're saying makes sense. We've got a change scheduled for later to change all those to "Policy Targets" and try again.

Thanks!

the_rock
MVP Platinum
MVP Platinum
4 weeks ago
In response to khodgson_bts
Jump to solution

For sure...if its been around since R65 days, then all @Alex- said is 100% logical.

Best,
Andy
0 Kudos
khodgson_bts
Collaborator
4 weeks ago
Jump to solution

So, it's confirmed that the "Gateways" installation target is not supported/enforced on R82 gateways. We change all the rules to use "Policy Targets" and this solved the issue.

CheckPointerXL
Advisor
Advisor
a week ago
In response to khodgson_bts
Jump to solution

any official reference?

the_rock
MVP Platinum
MVP Platinum
a week ago
In response to CheckPointerXL
Jump to solution

Really odd...I use gateways as install target in R82 lab, never any issues. Maybe someone else can confirm.

Best,
Andy
0 Kudos
khodgson_bts
Collaborator
Friday
In response to the_rock
Jump to solution

We didn't even have Gateways as an available option on new rules. Very odd.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
Friday
In response to khodgson_bts
Jump to solution

I will check in the lab shortly, but Im 100% positive I had seen it there before and changed it few times.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
Friday
In response to khodgson_bts
Jump to solution

Do you see below option?

Screenshot_1.png

Best,
Andy
0 Kudos
khodgson_bts
Collaborator
Friday
In response to the_rock
Jump to solution

Yes I have that, but those are explicitly defined Gateway objects. The one I'm referring to is kind of a dynamic object which I believe references any object defined as a gateway. It looks like this:

 

Screenshot 2026-01-02 132843.png

0 Kudos
the_rock
MVP Platinum
MVP Platinum
Friday
In response to khodgson_bts
Jump to solution

Ah, got it...my apologies then. That, sadly, cant find...what I pasted was all that came up. Let me keep checking.

Best,
Andy
0 Kudos
Alex-
MVP Silver
MVP Silver
Friday
In response to the_rock
Jump to solution

Not much to check, this object can't be used anymore. It might be imported from long-standing configurations which were upgraded from version to version up to now, but that's about it. And as discussed, since R82, it stops being enforced altogether.

An honestly, "Policy targets" is way more explicit and understandable than just "Gateways".

the_rock
MVP Platinum
MVP Platinum
Friday
In response to Alex-
Jump to solution

You are 100% right Alex. I will triple check everything, but Im 99.99% sure it wont be there.

Best,
Andy
0 Kudos
khodgson_bts
Collaborator
Friday
In response to Alex-
Jump to solution

That's exactly the conclusion we came to. It just doesn't seem to be documented or reference anywhere that I can find.

In the meantime, we've added this to our list of things to watch out for when planning upgrades to R82+

the_rock
MVP Platinum
MVP Platinum
Friday
In response to khodgson_bts
Jump to solution

I looked everywhere, no dice, so its safe to say its not there, for sure.

Best,
Andy
0 Kudos
khodgson_bts
Collaborator
Friday
In response to CheckPointerXL
Jump to solution

None that I can find, no.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events