Re: question for exam: Bidirectional NAT theory

I would think it is Automatic NAT rules. The setting to allow bi-directional NAT is under the Automatic NAT rules section in the NAT tab of global properties. Under the manual NAT section it does not have any option for bidirectional NAT rules.

The Syngress Configuring Checkpoint NGX book states the following:

"...In essence, the bidirectional NAT lets a connection match 2 NAT rules. Normally the NAT rule base only permits one match and then subsequently exits the process. In the case of bidirectional NAT, if the source match is an Automatic NAT rule, the gateway continues to traverse the NAT rules to identify if there is a destination rule match. If the gateway finds a second match, it applies both NAT rules to the connection so that the packet is routed properly between source and destination."

"If bidirectional NAT is enabled, improperly placed manual rules may negate such connections. If a manual NAT matches a connection, it will exit the NAT rule base immediately. Only when the first match is an automatic NAT does the gateway continue to inspect the remainder of the rule base for the subsequent match."

Again, I do not have a ton of experience with Checkpoint and even less with NAT. This is just the way it was written in the NAT chapter of the book I am studying with, and it is similar to the 1st explanation in your post. So this could be incorrect, but I thought it might help.

Last edited by jsond; 2006-01-02 at 16:23.
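The rule base traversal the quoted book describes (one match and exit, unless the first match is an Automatic NAT rule and bidirectional NAT is on, in which case the gateway keeps looking for a second rule that translates the other side of the connection) is easy to misjudge from a rule table alone, so here is a small model of it. This is an added example written for this thread, not code from the post, the book, or Check Point; the rule representation, the `translate()` function and all addresses (RFC 5737 documentation ranges) are my own constructed assumptions about how such a rule base behaves, not the product's actual implementation. It shows the three cases the book mentions: bidirectional on, bidirectional off, and a manual rule placed above the automatic rules that cuts the second match off.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class NatRule:
    """One row of a modelled NAT rule base (assumption: a simplified row format)."""
    name: str
    automatic: bool                  # True = Automatic NAT rule, False = Manual NAT rule
    orig_src: Optional[str] = None   # network the original source must be in (None = any)
    orig_dst: Optional[str] = None   # network the original destination must be in (None = any)
    xlate_src: Optional[str] = None  # translated source address (None = leave unchanged)
    xlate_dst: Optional[str] = None  # translated destination address (None = leave unchanged)

    def matches(self, src: str, dst: str) -> bool:
        src_ok = self.orig_src is None or ip_address(src) in ip_network(self.orig_src)
        dst_ok = self.orig_dst is None or ip_address(dst) in ip_network(self.orig_dst)
        return src_ok and dst_ok


def translate(rulebase: Sequence[NatRule], src: str, dst: str,
              bidirectional: bool) -> Tuple[str, str, List[str]]:
    """Walk the rule base top-down and return (new_src, new_dst, names of rules applied).

    Modelled behaviour, following the book's description:
      * the first matching rule is applied and the walk normally stops there;
      * if that rule is an Automatic NAT rule and bidirectional NAT is enabled, the walk
        continues and may apply ONE more rule, but only one that translates a field
        (source or destination) the first rule left untouched;
      * a Manual NAT rule as first match always ends the walk.
    """
    new_src, new_dst, applied = src, dst, []
    remaining = iter(rulebase)           # shared iterator: the second pass only sees later rules
    for rule in remaining:
        if not rule.matches(src, dst):
            continue
        applied.append(rule.name)
        src_done = rule.xlate_src is not None
        dst_done = rule.xlate_dst is not None
        new_src = rule.xlate_src or new_src
        new_dst = rule.xlate_dst or new_dst
        if bidirectional and rule.automatic:
            for later in remaining:
                if not later.matches(src, dst):
                    continue
                can_src = later.xlate_src is not None and not src_done
                can_dst = later.xlate_dst is not None and not dst_done
                if not (can_src or can_dst):
                    continue             # would re-translate a field already handled; skip
                applied.append(later.name)
                if can_src:
                    new_src = later.xlate_src
                if can_dst:
                    new_dst = later.xlate_dst
                break                    # bidirectional NAT allows at most two matches
        break
    return new_src, new_dst, applied


# Constructed sample rule base: a hide NAT for the LAN, a static NAT for one server
# (which in practice yields a source rule and a destination rule), and one manual rule.
HIDE_LAN = NatRule("auto: hide 10.1.1.0/24 behind 203.0.113.1", True,
                   orig_src="10.1.1.0/24", xlate_src="203.0.113.1")
SRV_SRC = NatRule("auto: static 10.1.2.20 -> 203.0.113.20 (source side)", True,
                  orig_src="10.1.2.20/32", xlate_src="203.0.113.20")
SRV_DST = NatRule("auto: static 203.0.113.20 -> 10.1.2.20 (destination side)", True,
                  orig_dst="203.0.113.20/32", xlate_dst="10.1.2.20")
MANUAL_LAN = NatRule("manual: 10.1.1.0/24 -> 203.0.113.5", False,
                     orig_src="10.1.1.0/24", xlate_src="203.0.113.5")

AUTOMATIC_ONLY = [HIDE_LAN, SRV_SRC, SRV_DST]
MANUAL_FIRST = [MANUAL_LAN] + AUTOMATIC_ONLY   # manual rules sit above automatic ones


if __name__ == "__main__":
    # Internal host talks to the server's public address: needs both a source and a
    # destination translation to come out right.
    for label, rb, bidir in [("bidirectional on", AUTOMATIC_ONLY, True),
                             ("bidirectional off", AUTOMATIC_ONLY, False),
                             ("manual rule placed first", MANUAL_FIRST, True)]:
        print(label, "->", translate(rb, "10.1.1.10", "203.0.113.20", bidir))
```

With bidirectional NAT on, the LAN host's packet gets its source hidden and its destination mapped to the server's real address. With it off, only the source is translated and the destination is left at the public address, which is the misrouting the book warns about. With the manual rule on top, the walk exits after that first match even though bidirectional NAT is enabled, so the destination translation is never reached.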