This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dede79
Contributor
‎2024-03-01 02:50 AM

PBR and nat

Hello,

I try to find an alternative for isp redundancy with pbr.

sk167135 nearly describes that but for some reason here the internal network has a public-ip network and so there is no need to talk about hide-nat. I tested pbr so far but selecting hide-behind-gateway always uses the interface ip with the default route is used.

Thanks

0 Kudos
6 Replies
Lesley
Mentor Mentor
Mentor
‎2024-03-01 03:58 AM

Use instead of hide behind gateway option the VIP ip of the outgoing interfaces.

I think you now use automatic NAT, try to make static NAT rule and force it to use correct external IP

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
AmirArama
Employee
Employee
‎2024-03-03 08:14 AM

Hi

what exactly are you trying to accomplish? going out from specific ISP, without NAT? 

so just don't enable NAT on this network object.

if I didn't understand, please elaborate a bit more.

Thanks

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-03-03 03:06 PM

Did you try configuring your NAT manually?

Dummy object for the NAT with 0.0.0.0 or using Zones may help, but PBR and NAT has some limitations.

Maybe also explore Quantum SD-WAN with your local SE to see if it can help you?

CCSM R77/R80/ELITE
0 Kudos
dede79
Contributor
‎2024-03-03 11:47 PM
In response to Chris_Atkinson

How can I use manuel nat behind Interface upon failover? Alternative for ISP redundancy would require a NAT konfig that works no matter pbr route is active (--> ISP1)  or it is down --> (ISP2)  -  (track pbr routes with monitored IPs)

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-03-03 11:54 PM
In response to dede79

As above historically you could use a host object 0.0.0.0 and it would pick the IP of the outbound interface.

Theoretically you could also assign a different zone to each interface and hence different NAT rules could be specified if needed.

CCSM R77/R80/ELITE
0 Kudos
Lesley
Mentor Mentor
Mentor
‎2024-03-04 11:30 AM
In response to dede79

You cannot mix PBR and ISP redundancy: 

https://support.checkpoint.com/results/sk/sk167135

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top