_Val_
Admin

This is what AI Copilot has to say for the matter:

Here are detailed answers to your questions about NAT and ISP Redundancy in Load Sharing mode on Check Point firewalls:
1. How does NAT function in Load Sharing mode?

  • Hide NAT: When using ISP Redundancy in Load Sharing mode, outgoing traffic is distributed between the ISP links according to the configured weights. Hide NAT is typically set to "Hide behind Gateway," which means the source address of outgoing packets is translated to the address of the interface through which the packet leaves the Security Gateway.
  • This ensures that return packets are routed back through the correct ISP link, as the NATed source matches the egress interface.

2. Does the firewall apply Hide NAT based on the active ISP interface for each connection?

  • Yes. The firewall applies Hide NAT based on the interface used for each connection. Each outgoing connection is NATed to the IP address of the interface it uses to exit the gateway. This is essential for correct routing of return traffic.

3. Are static NAT rules ignored in this mode?

  • No, static NAT rules are not ignored. Static NAT is still supported and required for incoming connections (e.g., for servers accessible from the Internet). For each server, you typically assign a public IP from each ISP and configure static NAT rules accordingly.
  • For outgoing connections, Hide NAT is most commonly used, but static NAT can be applied if specifically configured.

4. Is it possible to use a SNAT Pool with ISP Redundancy in Load Sharing mode?

  • Not natively in the same way as some other vendors. By default, Check Point's "Hide behind Gateway" will use the interface IP for NAT. However, you can achieve a similar effect (using a pool of public IPs) by using manual NAT rules and dynamic objects, but this requires advanced configuration and scripting.
  • See SK174197 for an example of using dynamic objects and scripts to switch Hide NAT pools during failover (primarily documented for Primary/Backup mode, but similar logic can be adapted).

5. Can I configure a pool of public IPs for outgoing connections, ensuring that traffic is NATed to the appropriate public IP based on the active ISP link?

  • By default, no. Outgoing connections are NATed to the interface IP of the egress ISP link.
  • Workaround: You can manually configure NAT rules to use specific public IPs (from a pool) for different internal networks or hosts. This can be done using manual NAT rules and dynamic objects, but it is not as seamless as "SNAT Pool" features in some other firewalls.
  • For advanced scenarios (e.g., using a pool of IPs per ISP and switching them during failover), you would need to use custom scripts and dynamic objects as described in SK174197.

References & Best Practices

  • For most deployments, "Hide behind Gateway" is sufficient and recommended for outgoing traffic.
  • For incoming connections, assign a public IP per ISP and configure static NAT.
  • For advanced NAT pool requirements, consult the following:
    • SK174197: How to configure Hide NAT for different IP Address Ranges to work with ISP Redundancy in the Primary/Backup mode
    • SK34812: ISP Redundancy configuration

Summary Table

| Scenario | Supported? | Notes |
|---|---|---|
| Hide NAT per ISP | Yes | NATs to interface IP of egress ISP |
| Static NAT in Load Sharing | Yes | Required for incoming connections |
| SNAT Pool (native) | No | Workarounds possible with manual NAT and dynamic objects |
| Pool of public IPs per ISP | Possible (manual) | Requires advanced configuration and scripting (see SK174197) |

If you need step-by-step guidance for a specific advanced NAT pool scenario, let me know your exact requirements and I can provide more detailed instructions!
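Added illustration, not part of the post above and not Check Point code: a small model of the per-connection behaviour the answers describe. Outbound connections are spread over the ISP links by weight, the source is hidden behind the egress interface IP (or, with the workaround, behind a pool address that belongs to the chosen ISP), and the reverse translation only matches when the reply comes back on the same link. Link names, addresses and the hash-based link choice are constructed assumptions of this model.

```python
"""Teaching model of per-connection Hide NAT under ISP Redundancy in Load
Sharing mode. Constructed example, not Check Point code; choosing the link by
hashing the connection 5-tuple is a simplifying assumption of this model."""
import hashlib
from dataclasses import dataclass, field


def _h(value) -> int:
    # Stable hash (Python's hash() is randomised per process for strings)
    return int(hashlib.sha256(repr(value).encode()).hexdigest(), 16)


@dataclass
class IspLink:
    name: str
    egress_ip: str                 # interface IP used by "Hide behind Gateway"
    weight: int                    # Load Sharing weight
    nat_pool: list = field(default_factory=list)  # optional public pool of this ISP


class LoadSharingNat:
    def __init__(self, links, use_pool=False):
        self.links, self.use_pool = links, use_pool
        self.table = {}            # (nat_src, sport, dst, dport, link) -> real src

    def pick_link(self, conn):
        # Weighted, per-connection: the same 5-tuple always lands on the same link
        slot = _h(conn) % sum(l.weight for l in self.links)
        for link in self.links:
            if slot < link.weight:
                return link
            slot -= link.weight

    def outbound(self, src, sport, dst, dport):
        link = self.pick_link((src, sport, dst, dport))
        if self.use_pool and link.nat_pool:
            # Workaround: address from the pool that belongs to the chosen ISP,
            # so the reply still comes back over that ISP's link
            nat_src = link.nat_pool[_h((src, dst)) % len(link.nat_pool)]
        else:
            nat_src = link.egress_ip   # default "Hide behind Gateway" behaviour
        self.table[(nat_src, sport, dst, dport, link.name)] = src
        return link.name, nat_src

    def inbound_reply(self, arriving_link, dst_ip, dport, src, sport):
        # Reverse translation matches only on the link that NATed the connection;
        # a reply arriving on the other ISP has no state and is dropped (None)
        return self.table.get((dst_ip, dport, src, sport, arriving_link))
```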
