This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Muazzam
Contributor
Contributor
‎2023-10-24 05:36 AM

No change in firewall policy upon re-ordering NAT rules.

Hardware: 23500
Version: R81.10 Take 66 (both Gateway and Mgmt)

Summary: NAT rules were re-ordered. There was a hide NAT rule that is moved under 4 static NAT rules. No other changes made to the policy. Publish and push the policy. Found out that the firewall is using the old order of NAT rules. FW stat shows the correct time of policy push that was completed without any errors or warnings. The "rules.C' was showing the last modified date of the previous install not the last install (after re-ordering). Note that all ojects used in all the related NAT rules are local objects, not Global.

It was decided to disable all the relevant static and hide NAT rules (total of 5 rules), re-create the new rules above the disabled rules. After the policy is pushed, the correct order of rules took place and the rules.C file shows the last modified date.

Question is - why in first place a new policy not compiled or what causes where the new set of rules were ignored. Does the rule re-ordering warrant a new policy? Anyone else has similar experience, please share.

 

0 Kudos
4 Replies
Lloyd_Braun
Collaborator
‎2023-10-24 08:19 AM

Are you sure that a new connection was established after the NAT policy was updated?  I had a NAT rule that seemed 'stuck' when I changed the NAT on a GRE connection.  Ended up having to 'fw tab -x' delete it from the fw connections table to get the connection to match the updated NAT rule. 

0 Kudos
Muazzam
Contributor
Contributor
‎2023-10-24 08:44 AM
In response to Lloyd_Braun

Yes, we have a new traffic that uses the old set of rules.

Also, on the first re-order of NAT rules (where we have no update to policy), we searched some of the NAT rules UID's and they were not found in the "rules.C" file. After the second change (disable and re-create) the rules.C file get updated and I see all the new UID's in the file.

 

the_rock
Legend
Legend
‎2023-10-24 08:53 AM
In response to Muazzam

Sounds like it might be worth a TAC case.

Andy

0 Kudos
Muazzam
Contributor
Contributor
‎2023-10-24 10:04 AM
In response to the_rock

TAC case already opened and under investigation. I was wondering if anyone has the same experience.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events