NAT Rules and fw tab

Discussion created by cezar varlan on Dec 7, 2017

I have been looking for a way to find out what NAT rules are actually happening on a specific gateway. 

Of course there is the Smart Dashboard, where you could go into the policy, search for NAT rules, then see the names of each object and double-click in order to find out the Hide/Static NAT IP, etc. But how would you do this for 10000 objects? There is also probably the option to use DBEDIT or even the API (R80+).


I have been looking over fw tab tables.

Started off from this post: fw ctl or checkpoint tables by any other name – yurisk.info 

Looks like Check Point does not provide any explanation for most of the tables - not publicly, at least.


I made a really long one-liner to list the whole table, convert it into decimal (-f does not work for this particular table) and tried to add a table "header" section, but I can't make any sense of the contents. I know each rule lists two lines, depending on whether it's inbound or outbound NAT. Does anyone know what each column represents? There are a total of 13 columns.


Actual source:

root@ubuntu:/home/notroot# cat natold.txt | head -7
localhost:
-------- NAT_rules --------
static, id 1026
<00000000, 00000000; fffffffe, fffffffe, ff000001, 00000000, 00000000, 00000000, 00000000, 0a99903e, 00000000, 00000000, 00000000>
<00000000, 00000001; ff010202, 00000000, 0c099479, 0c999479, 00000000, 0c999479, 00000000, 00000000, 00000000, 00000060, 00000000>
<00000001, 00000000; fffffffe, fffffffe, ff000001, 00000000, 00000000, 00000000, 00000000, 899506fe, 00000000, 00000000, 00000000>
<00000001, 00000001; ff099202, 00000000, 0c999479, 0c999479, 00000000, 0c0b9999, 00000000, 00000000, 00000000, 00000060, 00000000>


So here goes:


# strtonum() is a gawk extension, so this pipeline needs gawk rather than mawk or busybox awk
fw tab -t NAT_rules -u |
# keep whitespace-separated fields 1, 5-8 and 10 of each raw row (first key word and five value words)
awk '{print " " $1 " " $5 " " $6 " " $7 " " $8 " " $10}' |
# drop the trailing comma, then split every hex word into byte pairs
sed 's/.$//' | sed 's/../& /g' |
# convert each byte pair to decimal, joined by dots (the "<" and "," fields become 0)
awk 'BEGIN{IFS=OFS="\t"}NR==1{print $0}{for(i=1;i<=NF;i++) if(i!=NF){printf "%s%c",strtonum("0x"$i),"."}else{printf "%d\n",strtonum("0x"$i)}}' |
# re-split on dots and print the chosen byte groups as dotted quads under a header row
awk 'BEGIN{FS=".";OFS="\t";n=5;printf "%-4s %-18s %-23s %-23s %-23s %s\n","Key","IP1","IP2","OSOURCE1","OSOURCE2","FinalDEST"}NR>=5{printf "%-4s %s.%s.%s.%-5s\t", $5,$7,$8,$9,$10; printf "%s.%s.%s.%-10s\t",$12,$13,$14,$15; printf "%s.%s.%s.%-11s\t",$17,$18,$19,$20; printf "%s.%s.%s.%-11s\t",$22,$23,$24,$25; printf "%s.%s.%s.%s",$27,$28,$29,$30; printf "\n";}'


Output would look like this:


Key  IP1            IP2            OSOURCE1       OSOURCE2       FinalDEST
43   255.0.0.2      0.0.0.0        192.168.31.15  192.168.31.15  203.0.13.15
43   0.0.0.0        0.0.0.0        0.0.0.0        0.0.0.0        0.0.0.0
44   0.0.0.0        0.0.0.0        0.0.0.0        0.0.0.0        0.0.0.0
44   203.0.13.15    203.0.13.15    0.0.0.0        192.168.31.15  0.0.0.0


Note: both internal and external IPs are *bogons* for the purpose of this post.
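As an added example (not the original poster's code), here is a Python parser for the same `fw tab -t NAT_rules -u` row format, with constructed sample rows in the shape quoted above. It keeps all 32 bits of the first key word as the rule id (the awk one-liner prints only its last byte, so ids above 255 wrap) and dumps all eleven value columns; the five column labels are the post's own guesses, and treating the second key word as the per-rule line index is an assumption.

```python
import re
from ipaddress import IPv4Address

# Constructed sample in the exact shape of the fw tab output quoted in the post (header lines, then rows).
SAMPLE = """\
localhost:
-------- NAT_rules --------
static, id 1026
<00000000, 00000000; fffffffe, fffffffe, ff000001, 00000000, 00000000, 00000000, 00000000, 0a99903e, 00000000, 00000000, 00000000>
<00000000, 00000001; ff010202, 00000000, 0c099479, 0c999479, 00000000, 0c999479, 00000000, 00000000, 00000000, 00000060, 00000000>
"""

# A row is "<key, key; v0, v1, ..., v10>"; anything else (headers, "static, id ...") is skipped.
ROW_RE = re.compile(r"^<([0-9a-fA-F ,]+);([0-9a-fA-F ,]+)>$")

# Labels are the post's guesses for the five value columns its awk one-liner prints
# (value index -> label); Check Point does not document them, so treat them as assumptions.
GUESSED = {2: "IP1", 3: "IP2", 4: "OSOURCE1", 5: "OSOURCE2", 7: "FinalDEST"}

def parse_row(line):
    """Return (key_words, value_words) as lists of ints, or None for a non-row line."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key = [int(w, 16) for w in m.group(1).split(",")]
    values = [int(w, 16) for w in m.group(2).split(",")]
    return key, values

def parse_table(text):
    """Parse every row of a dump, ignoring the 'localhost:' / '----' / 'static, id' lines."""
    return [r for r in (parse_row(l) for l in text.splitlines()) if r]

def dotted(word):
    """Render a 32-bit column as a dotted quad (whether it really is an address is still a guess)."""
    return str(IPv4Address(word))

def render(text):
    """One line per row: the full 32-bit rule id (the awk one-liner keeps only its low byte, so ids
    above 255 wrap), the second key word (0/1: the two lines per rule the post mentions), all 11 values."""
    labels = [GUESSED.get(i, "v%d" % i) for i in range(11)]
    lines = ["rule line " + " ".join("%15s" % l for l in labels)]
    for key, values in parse_table(text):
        cells = " ".join("%15s" % dotted(v) for v in values)
        lines.append("%4d %4d %s" % (key[0], key[1], cells))
    return lines

if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
```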
