Quote:
Originally Posted by kj1978
Barry,

Many thanks for your reply. I tend to think that the following processing order is correct:

1. Anti-spoofing checks
2. "First" implicit rules
3. Explicit rules (except for the final rule)
4. "Before last" implicit rules
5. Last explicit rule (cleanup rule)
6. "Last" implicit rule
7. Network address translation

From practical experience, the reason for this is as follows: I have a host 10.1.1.1 which needs to talk to a host 203.90.1.1 over the internet. In the Check Point rulebase, I have the following:

    Source     Destination   Service      Install On
    10.1.1.1   203.90.1.1    http/https   gateway

In the NAT rulebase I have the following:

    Original Packet                        Translated Packet          Install On
    Source     Destination   Service       Source      Destination
    10.1.1.1   203.90.1.1    any           57.67.2.1   203.90.1.1     gateway

This is working fine for me and hence, based on this, it seems obvious that explicit and/or implicit rules are being processed before NAT rules. Let me know what you think. If you are aware of any scenarios where NAT rules are processed before implicit/explicit rules, please do let me know.

Thanks again for your time.

Regards
KJ
When it comes to NAT, there are some special things to consider, including:
1. Automatic and Manual NAT rules can behave differently.
2. Different versions of Firewall-1/VPN-1 over the years have different default ways of handling NAT (that whole thing about "translate destination on the client side"), so it matters if you've done a fresh installation or merely upgraded over the years.
3. There may or may not still be some configurations where NAT (Static, Manual?) may have some weirdness with Anti-Spoof checking.
I'll bet that in the current CCSE+ student handbook or in the manuals (particularly about FW Monitor) you could nail down the definitive answer.
I may research it and get it totally figured out for a presentation at our next conference.
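As an added example (not posted by KJ or Barry, and not Check Point code), here is a small Python model of the processing order KJ lists, using the two rules and the packet from the quoted post; the implied rules are left out, the internal interface is assumed to carry 10.1.1.0/24, and the order itself is KJ's claim rather than verified gateway behaviour. It shows the practical consequence of that order: the security rulebase is matched on the original (pre-NAT) addresses, and NAT is only applied to packets the rulebase already accepted.

```python
import ipaddress

# Constructed topology assumption: the gateway's internal interface serves 10.1.1.0/24.
INTERNAL_NET = ipaddress.ip_network("10.1.1.0/24")

# Security rulebase from the quoted post, followed by the cleanup rule (order matters).
SECURITY_RULES = [
    {"src": "10.1.1.1", "dst": "203.90.1.1", "svc": {"http", "https"}, "action": "accept"},
    {"src": "any", "dst": "any", "svc": "any", "action": "drop"},  # cleanup rule
]

# Manual NAT rule from the quoted post: original packet -> translated packet.
NAT_RULES = [
    {"orig_src": "10.1.1.1", "orig_dst": "203.90.1.1", "orig_svc": "any",
     "xlate_src": "57.67.2.1", "xlate_dst": "203.90.1.1"},
]

def _match(field, value):
    """A rule field matches if it is 'any', equals the value, or is a set containing it."""
    return field == "any" or value == field or (isinstance(field, set) and value in field)

def anti_spoof_ok(pkt):
    """Step 1: a packet's source must belong to the network behind the interface it arrived on."""
    src = ipaddress.ip_address(pkt["src"])
    return (src in INTERNAL_NET) if pkt["iface"] == "internal" else (src not in INTERNAL_NET)

def process(pkt):
    """Return (verdict, packet as it leaves the gateway) following the order KJ describes."""
    if not anti_spoof_ok(pkt):
        return "drop:anti-spoof", pkt
    # Steps 3 and 5: first matching security rule decides, matched on ORIGINAL addresses.
    verdict = next((r["action"] for r in SECURITY_RULES
                    if _match(r["src"], pkt["src"]) and _match(r["dst"], pkt["dst"])
                    and _match(r["svc"], pkt["svc"])), "drop")
    if verdict != "accept":
        return "drop:cleanup", pkt
    # Step 7: NAT is applied only to packets the rulebase has already accepted.
    out = dict(pkt)
    for nat in NAT_RULES:
        if (_match(nat["orig_src"], pkt["src"]) and _match(nat["orig_dst"], pkt["dst"])
                and _match(nat["orig_svc"], pkt["svc"])):
            out["src"], out["dst"] = nat["xlate_src"], nat["xlate_dst"]
            break
    return "accept", out

if __name__ == "__main__":
    # Constructed sample packet matching KJ's scenario: 10.1.1.1 -> 203.90.1.1 over HTTP.
    print(process({"iface": "internal", "src": "10.1.1.1", "dst": "203.90.1.1", "svc": "http"}))
```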