mhurst
Explorer

Can't use groups with exclusion in NAT rules in R80?

In R80 can you not use groups with exclusion in NAT rules?

In a ruleset imported from R77, where it has verified OK for years, I am getting multiple verification errors:

Invalid Object 'XXXXX' in Original Source of Address Translation Rule 195. The valid objects are: host, gateway, network, address range and router.

The original source in that rule is a group with exclusion. Is that no longer supported?

12 Replies
mhurst
Explorer

The valid objects are: host, gateway, network, address range and router.

Groups are not listed as valid objects at all in that verify message.

PhoneBoy
Admin

This was never formally supported.
The fact that it worked at all in prior releases is considered a bug that has since been fixed.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
mhurst
Explorer

Thanks for the prompt response.

mhurst
Explorer

It is unfortunate this was categorised as a bug as it is useful functionality.

Applying a NAT rule to a set of things except for a subset of those things is required sometimes.

PhoneBoy
Admin

Understand that it is useful, but you can achieve a similar result with additional "no NAT" rules.
Lhouse
Explorer

I tried this with our VPN addresses to an internal segment of our LAN, and after I push policy I can no longer ping the destination network... does anyone have thoughts on that?

amoruck
Explorer

But if you use SmartMove tool (sk97246) for Juniper to Check Point conversion, it will happily create NAT rules using groups with exclusion; I think if you decided it's a bug in one place you should not use it in another as a feature (otherwise this tool is very handy, btw, thanks). 

PhoneBoy
Admin

That might be a bug in the SmartMove tool.
Paging @yael_haker 
I'm actually curious now if rules with negated objects in NAT rules works in R81, since we made major changes to the NAT policy in this version.

Meital_Natanson
Employee

No. In R81, NAT supports domain objects, security zones, updatable objects, access roles, data centers and hit count.

But not negate objects / group with exclusions.

As you wrote before, it can be achieved using a no-NAT rule.

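The two replies above (PhoneBoy's and Meital_Natanson's) recommend replacing a NAT rule whose Original Source is a group with exclusion by a "no NAT" rule for the excluded subset placed above a plain NAT rule for the whole group. The script below is an added example, not Check Point code and not posted by anyone in this thread: it models a manual NAT rulebase under first-match semantics (the first rule whose original fields match decides the translation), covers the source side of translation only, and replays constructed sample flows through the old rule, the rewritten pair, and the pair in the wrong order to confirm that the rewrite is equivalent and that ordering matters. The class and function names (`NatRule`, `apply_nat`, `translate`, `translation_diffs`), the network objects and every address are assumptions made up for the example.

```python
"""
Offline equivalence check for replacing a group-with-exclusion NAT rule
with a no-NAT rule plus a plain NAT rule.

Added example, not Check Point code. Assumptions: manual NAT rules are
evaluated top-down and the first match wins; only the source side of the
translation is modelled. All objects and addresses are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    name: str
    original_source: List[IPv4Network]      # networks the rule covers (the "group")
    source_exclusions: List[IPv4Network]    # group-with-exclusion part; empty for a plain group
    original_destination: List[IPv4Network]
    translated_source: Optional[str]        # None means "Original", i.e. a no-NAT rule

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        in_src = any(src in n for n in self.original_source)
        excluded = any(src in n for n in self.source_exclusions)
        in_dst = any(dst in n for n in self.original_destination)
        return in_src and not excluded and in_dst


def apply_nat(rulebase: List[NatRule], src: IPv4Address, dst: IPv4Address) -> Tuple[Optional[str], str]:
    """Walk the rulebase top-down; the first matching rule decides the translated source."""
    for rule in rulebase:
        if rule.matches(src, dst):
            return rule.name, rule.translated_source or str(src)
    return None, str(src)   # no rule matched: the packet leaves untranslated


# Constructed sample objects (assumptions, not from the thread).
ANY = [ip_network("0.0.0.0/0")]
LAN = [ip_network("10.1.0.0/16")]            # the whole group
SERVERS = [ip_network("10.1.200.0/24")]      # the excluded subset
HIDE_IP = "203.0.113.10"                     # hide-NAT address

# R77-style rule: Original Source = "LAN except SERVERS" (no longer verifiable in R80+).
old_rulebase = [NatRule("hide LAN except servers", LAN, SERVERS, ANY, HIDE_IP)]

# Rewrite suggested in the thread: no-NAT for the exclusion, then NAT for the whole group.
new_rulebase = [
    NatRule("no NAT for servers", SERVERS, [], ANY, None),
    NatRule("hide LAN", LAN, [], ANY, HIDE_IP),
]

# Same two rules, but the no-NAT rule placed below the hide rule (a common mistake).
wrong_order = list(reversed(new_rulebase))

# Constructed sample flows: LAN hosts, subnet boundaries of the exclusion, and an outsider.
SAMPLE_SOURCES = ["10.1.5.5", "10.1.199.255", "10.1.200.0", "10.1.200.7",
                  "10.1.200.255", "10.1.201.1", "192.168.1.1"]
SAMPLE_DST = "198.51.100.1"


def translate(rulebase: List[NatRule], src: str, dst: str = SAMPLE_DST) -> Tuple[Optional[str], str]:
    """String-friendly wrapper around apply_nat."""
    return apply_nat(rulebase, ip_address(src), ip_address(dst))


def translation_diffs(a: List[NatRule], b: List[NatRule], sources: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source, translation under a, translation under b) for every flow where a and b disagree."""
    diffs = []
    for src in sources:
        ta = translate(a, src)[1]
        tb = translate(b, src)[1]
        if ta != tb:
            diffs.append((src, ta, tb))
    return diffs


if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src:15} old={translate(old_rulebase, src)}  new={translate(new_rulebase, src)}")
    print("old vs new (should be empty):", translation_diffs(old_rulebase, new_rulebase, SAMPLE_SOURCES))
    print("old vs wrong order:", translation_diffs(old_rulebase, wrong_order, SAMPLE_SOURCES))
```

With the no-NAT rule on top, every sample source translates exactly as under the old group-with-exclusion rule; with the order reversed, the three server addresses are hidden behind 203.0.113.10, which is the kind of silent breakage a policy verify will not catch. When converting a real rulebase, feed the script the actual group members and exclusions and a sample set that includes the boundary addresses of every excluded subnet.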
Timothy_Hall
Champion

Hi @Meital_Natanson, is there a way to test NAT rule matching from the gateway CLI, similar to fw up_execute for the Firewall/Network policy layer?

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Meital_Natanson
Employee

@Timothy_Hall  - no such option.

Ofir_Shikolski
Employee

If there are issues with SmartMove - please contact us at sc@checkpoint.com

We would appreciate getting a copy of the config file in order to address this issue.
