AleLovaz82
Collaborator

Optimize NAT: merge two gateways into a new third one

Hi

I have this situation

Two clusters, but treat them as GWs: GW-A on Domain A and GW-B on Domain B (I have a multi-domain environment).
There is a lot of traffic between the public networks managed by each one, and also FROM THE INTERNET.

GW A on Domain A

I have a lot of traffic to networks managed by GW B that matches this hide NAT done on GW A:

SRC ANY
DST ANY (it means only public destinations, over the Internet)
SERVICE ANY

SRCxlate PublicIP-Network-A
DSTxlate Original
SERVICExlate Original

(basically a simple nat hide behind a public ip )

When the packet comes to GW B, on Domain B, it matches this basic *destination static NAT*:

SRC ANY
DST PublicIP-Network-B
SERVICE https

SRCxlate Original
DSTxlate PrivateIP-Network-B
SERVICExlate Original

 

When I merge these two gateways into GW C, I need both of the NAT rules above for the traffic to and from the Internet, and a third one like this for the traffic that is generated and directed to the public networks managed by GW C:

SRC ANY
DST PublicIP-Network-B
SERVICE https
SRCxlate PublicIP-Network-A
DSTxlate PrivateIP-Network-B
SERVICExlate https

Because it seems from my tests that Check Point is not able to match two different NAT rules.
This is a tested "workaround" and it works, but during the merging of the policy and NAT I'll have to configure A LOT (hundreds...) of manual NAT rules like the last one, because we have a huge number of public networks that do this kind of traffic between sites.

Is there any smart way to do it?

0 Kudos
1 Reply
PhoneBoy
Admin

Correct, only one NAT rule is matched per connection.
Which means you'll have to adjust your rules according to the new configuration.

0 Kudos
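
The single-match behaviour discussed in this thread, as an added example that is not part of either post and is not Check Point code: a simplified first-match NAT model showing why the two original rules alone mistranslate site-to-site traffic on a merged gateway, and how the combined manual rules can be derived from the existing hide and static rules. Assumptions: all addresses are constructed documentation values, the hide rule source is scoped to a hypothetical internal Network-A range, and first-match ordering is a property of this model.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class NatRule(NamedTuple):
    src: Optional[str]    # original source CIDR, None = ANY
    dst: Optional[str]    # original destination CIDR, None = ANY
    service: str          # "any" or a service name
    xsrc: Optional[str]   # translated source, None = Original
    xdst: Optional[str]   # translated destination, None = Original

def _covers(cidr, addr):
    return cidr is None or ip_address(addr) in ip_network(cidr)

def translate(rules, src, dst, service):
    """Apply only the first matching rule (model assumption), never two."""
    for r in rules:
        if _covers(r.src, src) and _covers(r.dst, dst) and r.service in ("any", service):
            return (r.xsrc or src, r.xdst or dst)
    return (src, dst)

def combined_rules(hides, statics):
    """One manual rule per (hide, static) pair, doing both translations at once.
    Assumes each hide rule matches any service, as in the thread's hide rule."""
    return [NatRule(h.src, s.dst, s.service, h.xsrc, s.xdst)
            for h in hides for s in statics]

# Constructed sample values (RFC 5737 / RFC 1918 ranges), not from the thread.
HIDE_A = NatRule("10.1.0.0/16", None, "any", "198.51.100.10", None)
STATIC_B = NatRule(None, "203.0.113.20", "https", None, "10.2.0.20")

def merged_rulebase():
    """Combined rules first, then the two original rules for Internet traffic."""
    return combined_rules([HIDE_A], [STATIC_B]) + [STATIC_B, HIDE_A]

if __name__ == "__main__":
    flow = ("10.1.5.5", "203.0.113.20", "https")   # site A host to site B service
    print("static first :", translate([STATIC_B, HIDE_A], *flow))
    print("hide first   :", translate([HIDE_A, STATIC_B], *flow))
    print("with combined:", translate(merged_rulebase(), *flow))
```

The number of generated rules is the product of the hide and static rule counts, which is where the "hundreds" of manual rules come from.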
