NAT issue on R77.30
Today I met with a strange issue. Below is the summary.
1. We have a Check Point firewall cluster in Azure running R77.30.
2. There are a lot of applications working on that firewall using the policy and NAT (external interface NAT).
3. Today when I created a new NAT, all the traffic stopped working.
NAT --> We have to publish a new application to the internet. We are using the FW public IP to host the applications on different ports, and using NAT the traffic is redirected to the internal private IP (HTTP or HTTPS).
Any suggestion on what to check, as we will not get support from Check Point (old version at the customer site).
Other than moving to the supported version?
Are you able to share more about what and how you configured it?
E.g. auto vs. manual and static vs. hide.
Without more info, any suggestions will be somewhat limited.
We are using Check Point external interface static NAT.
We are using the same for multiple applications on different ports; all are working fine, but while doing a new NAT for a new application it creates an issue for all the applications.
We are creating the NAT rule at the END.
Are you able to attach a screenshot?
You are correct that you would not get any support from TAC on it, since it is indeed an unsupported version. I agree with @Chris_Atkinson, we need more info as far as what's exactly configured, so we can help you more.
We're going to need a LOT more information about what the current configuration is, what precise changes you made, and what was observed in the gateway AFTER the change was made with respect to the traffic.
What was seen in the logs, fw ctl zdebug, etc.
That said, R77.30 has been End of Support for a while now and your efforts would probably be better spent getting the customer on a more recent version that is supported.
Thanks PhoneBoy, we are planning to upgrade.
We are doing interface NAT; it seems to be due to some bug in R77.30:
02656968 | Security Gateway | In rare scenarios, when working with Dynamic Objects, NAT rules are not applied anymore after policy installation or update of software blades signatures. This causes traffic outage for all connections that should undergo NAT.
Resolved almost 5 years ago. Is there no Jumbo installed on this system?
Nope, we are on Take 216.
We took over support of that firewall recently and now we are planning to upgrade.
As the firewall is in our support, we need to create new rules, but while creating new simple NAT rules (almost duplicates of what we already have on the firewall, almost 90), the firewall stopped processing all traffic (even for existing NAT).
Is there any limitation on CP firewall external interface IP NAT policy in Azure?
I'll ask my questions again more precisely:
- What does the current configuration look like before you started making changes? Screenshots will go a long way here, as will a network diagram.
- What is the precise configuration change you made? Again, screenshots will go a long way here.
- When you say "firewall stopped process all traffic", again, what does that mean? Have you done any troubleshooting with tcpdump, fw ctl zdebug, or anything to understand what's going on?
Regardless, I suspect the issue will be resolved by upgrading from R77.30 to a supported release.
The issue you mentioned above is resolved in Take 292 (or higher).
The only constraint that comes to mind otherwise would be if you're attempting to NAT using well-known ports where those are daemons on the firewall itself.
A more generic concern would be the volume of ports available for NAT given that a single IP is used.
As the guys said, we need way more details: a screenshot, a config example, at least something that can help us help you. Without it, we can't really do much, and as you know, TAC will never help you, since it's a totally unsupported version. @PhoneBoy made an excellent point... have you done basic debug, tcpdump, fw monitor?
Hello Team,
The user wants to access the device from a jump server via a provided public IP mapped to the device's private management IP. Could you please help us with how to configure the NAT, and which NAT will be the better choice: hide NAT / auto NAT / manual NAT? The Check Point device version is R77.30. Appreciate your prompt response.
R77.30 has been out of support for 15 years now. For your case, you need static NAT to an available public IP address.
Why post this here? This is a very old post and has not much to do with the original issue!
Think of it as port forwarding... say your friend wanted to access your home PC from their place. You would need to add an entry in your home router to forward that traffic, and dst would be whatever internal IP your PC is; so for RDP the port would be 3389.
Let's take the same example here... let's pretend that somewhere from the Internet, someone has to reach your internal server on port 789.
The NAT rule would be like this:
original packet: src any, port 789, dst say your external IP
dst packet: src any, port 789, dst - your internal server
Makes sense?
And yes, R77.30 has been unsupported for ages now, please install at least R81, as even R80.40 will be unsupported next month 🙂
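The port-forwarding rule in the reply above (original packet: any source, port 789, destination = your public IP; translated: destination = your internal server) and the two constraints raised earlier in the thread (forwarding a port that a daemon on the gateway itself listens on, and how many ports one public IP can carry) can be modelled in a few lines. The following is an added example written for this thread, not Check Point code and not the CheckMates poster's rulebase: it keeps an ordered list of static destination-NAT rules, matches packets top-down first-match the way a gateway evaluates a NAT rulebase, and sanity-checks a proposed new rule before it is appended at the end of the rulebase. The gateway listening ports, the 203.0.113.10 public IP, the 10.0.1.x servers and the 198.51.100.5 client are all constructed sample values.

```python
"""Toy model of static destination-NAT (port-forwarding) rules.

Constructed example for the thread above. It is NOT Check Point's NAT
implementation or rule format; it only illustrates first-match evaluation
and two checks worth doing before adding a rule at the end of a rulebase.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_dst: str      # public IP the Internet client connects to
    orig_port: int     # destination port in the original packet
    xlate_dst: str     # internal server the destination is rewritten to
    xlate_port: int    # port on the internal server
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Assumed for the example: services the gateway itself listens on at the
# external interface. A real list depends on the platform and enabled blades.
GATEWAY_LISTENING_PORTS = {("tcp", 22), ("tcp", 443), ("tcp", 18264)}


def first_match(rules: List[NatRule], pkt: Packet) -> Optional[NatRule]:
    """Return the first rule (top to bottom) whose original packet matches."""
    for rule in rules:
        if (rule.proto == pkt.proto and rule.orig_dst == pkt.dst
                and rule.orig_port == pkt.dport):
            return rule
    return None


def translate(rules: List[NatRule], pkt: Packet) -> Packet:
    """Apply static destination NAT; an unmatched packet is returned unchanged."""
    rule = first_match(rules, pkt)
    if rule is None:
        return pkt
    return Packet(src=pkt.src, dst=rule.xlate_dst,
                  dport=rule.xlate_port, proto=pkt.proto)


def check_new_rule(rules: List[NatRule], new: NatRule) -> List[str]:
    """Problems a new rule appended at the END of the rulebase would have.

    Two conditions from the thread: the original port is one the gateway's
    own daemons use, or an earlier rule already claims the same public
    IP/port, so the new rule (being last) would never be reached.
    """
    problems = []
    if (new.proto, new.orig_port) in GATEWAY_LISTENING_PORTS:
        problems.append(
            f"port {new.proto}/{new.orig_port} is used by a gateway daemon")
    shadow = first_match(rules, Packet("0.0.0.0", new.orig_dst,
                                       new.orig_port, new.proto))
    if shadow is not None:
        problems.append(
            f"shadowed by earlier rule '{shadow.name}' "
            f"(same public IP and port); a rule added at the end never matches")
    return problems


def forwarded_port_count(rules: List[NatRule], public_ip: str,
                         proto: str = "tcp") -> int:
    """How many distinct ports on one public IP are already forwarded."""
    return len({r.orig_port for r in rules
                if r.orig_dst == public_ip and r.proto == proto})


# Constructed sample rulebase: two applications published on one public IP.
PUBLIC_IP = "203.0.113.10"
RULEBASE = [
    NatRule("app-https", PUBLIC_IP, 8443, "10.0.1.20", 443),
    NatRule("app-789", PUBLIC_IP, 789, "10.0.1.30", 789),
]


if __name__ == "__main__":
    client = Packet("198.51.100.5", PUBLIC_IP, 789)
    print("translated:", translate(RULEBASE, client))
    print("untouched :", translate(RULEBASE, Packet("198.51.100.5", PUBLIC_IP, 9999)))
    print("dup rule  :", check_new_rule(
        RULEBASE, NatRule("app-789-again", PUBLIC_IP, 789, "10.0.1.40", 789)))
    print("ssh rule  :", check_new_rule(
        RULEBASE, NatRule("ssh-fwd", PUBLIC_IP, 22, "10.0.1.50", 22)))
    print("ports used:", forwarded_port_count(RULEBASE, PUBLIC_IP))
```

The shadowing check is the one to run when, as in this thread, a new rule is appended at the bottom of a rulebase that already holds close to ninety similar entries: a duplicate of an existing public IP/port pair is harmless for the old rule but silently dead for the new one, while an actual outage of every existing NAT after one policy push points, as the replies say, at the gateway itself (the Jumbo Hotfix level and the fw ctl zdebug / fw monitor output) rather than at the rule.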
