This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mhurst
Explorer
‎2020-03-03 07:00 PM

Can't use groups with exclusion in NAT rules in R80?

In R80 can you not use groups with exclusion in NAT rules?

In a ruleset imported from R77 - where it has verified OK for years - am getting multiple verification errors:

Invalid Object 'XXXXX' in Original Source of Address Translation Rule 195. The valid objects are: host, gateway, network, address range and router.

The original source in that rule is a group with exclusion. Is that no longer supported?

0 Kudos
12 Replies
mhurst
Explorer
‎2020-03-03 07:07 PM

The valid objects are: host, gateway, network, address range and router.

Groups are not listed as valid objects at all in that verify message.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-03 07:44 PM

This was never formally supported.
The fact that it worked at all in prior releases is considered a bug that has since been fixed.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
mhurst
Explorer
‎2020-03-03 08:08 PM
In response to PhoneBoy

Thanks for the prompt response.

0 Kudos
mhurst
Explorer
‎2020-03-03 11:12 PM
In response to PhoneBoy

It is unfortunate this was categorised as a bug as it is useful functionality.

Applying a NAT rule to a set of things except for a subset of those things is required sometimes.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-04 07:51 AM
In response to mhurst

Understand that it is useful, but you can achieve a similar result with additional "no NAT" rules.
0 Kudos
Lhouse
Explorer
‎2020-03-23 08:15 AM
In response to PhoneBoy

I try this with our VPN addresses to and internal segment of our LAN and after I push policy I can no longer ping the network the destination network...does anyone have thoughts on that.  

0 Kudos
amoruck
Participant
‎2020-11-25 08:25 AM
In response to PhoneBoy

But if you use SmartMove tool (sk97246) for Juniper to Check Point conversion, it will happily create NAT rules using groups with exclusion; I think if you decided it's a bug in one place you should not use it in another as a feature (otherwise this tool is very handy, btw, thanks). 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-11-29 08:26 PM
In response to amoruck

That might be a bug in the SmartMove tool.
Paging @yael_haker 
I'm actually curious now if rules with negated objects in NAT rules works in R81, since we made major changes to the NAT policy in this version.

0 Kudos
Meital_Natanson
Employee
Employee
‎2020-12-03 08:38 AM
In response to PhoneBoy

No. In R81, NAT supports domain objects, security zones, updatable objects, access roles, data centers and hit count.

But not negate objects / group with exclusions.

As you wrote before, it can be achieved using no NAT rule.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-12-03 11:25 AM
In response to Meital_Natanson

Hi @Meital_Natanson is there a way to test NAT rule matching from the CLI gateway similar to fw up_execute for the Firewall/Network policy layer?

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Meital_Natanson
Employee
Employee
‎2020-12-08 12:51 AM
In response to Timothy_Hall

@Timothy_Hall  - no such option.

0 Kudos
Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2020-12-09 02:59 AM
In response to amoruck

If there are issues with SmartMove - please contact us at sc@checkpoint.com

We will appreciate to get a copy of the config file in order to address this issue 

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events