This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bill_Ng
Collaborator
‎2018-12-12 05:38 AM

Office 365

Hi all,

We are planning to spin up more services to Office 365 in the near future.  There have been several questions our O365 team has concerning the outbound browsing FW.    

Questions:

We use a single outbound browsing NAT and the concern is the number of ports used on that single address could be exhausted.  Will this be a problem for O365?  Microsoft recommended to have multiple outbound NATs to mitigate this.  Are multiple outbound NATs possible?  I thought I read somewhere that if the Destinations are different then you would get sets of ports for each destination IPs.

Is there a way to monitor or get an idea of current number of ports being used by our single overloaded NAT?

Is there a way to get any type of reporting around Office 365 traffic outbound?

Any suggestions, links, articles are welcomed.

Thanks in Advance,

Bill

5 Replies
Nüüül
Advisor
‎2018-12-12 01:43 PM

Hi,

i remember there was a document with recommendations for x to y users to use one or more hide NAT addresses, as there may be about 20-40 sessions opened per user. 

Will check and post it here soon.

if I remember correct, I.e. for more than 1000 users they recommended more IPs.

Edit:

there it is: 

https://docs.microsoft.com/en-us/office365/enterprise/nat-support-with-office-365

0 Kudos
Bill_Ng
Collaborator
‎2018-12-13 04:22 AM
In response to Nüüül

Thanks Daniel.  We would have more than a 1000 users easily.  Could a NAT pool to replace our hidden NAT?

0 Kudos
Nüüül
Advisor
‎2018-12-13 04:38 AM
In response to Bill_Ng

Yes, NAT Pool would be an idea.

Or a dedicated NAT Rule for O365, when on R80.20 using the updateble objects as Destination and Natting to one dedicated IP for O365

when on R80.10 you might want to use the script described here:

https://community.checkpoint.com/docs/DOC-3013 

for getting Firewall Objects for O365 on  Checkpoint.

0 Kudos
Bill_Ng
Collaborator
‎2018-12-13 07:48 AM
In response to Nüüül

just to clarify.  The NATs could look like one of the rules below or even a combo.

0 Kudos
Nüüül
Advisor
‎2018-12-13 07:55 AM
In response to Bill_Ng

You should set the office rule above the other.

Viele Gr??e

Daniel Meier

//Sent Mobile with Check Point Secure Workspace

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top