CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: NAT and Palo Alto

  1. #1

    NAT and Palo Alto

    I have observed a Palo Alto do the following:

    Original Source: Any -> Original Destination: Some subnet or IP -> Translated Source: outgoing Interface (or whatever IP you like) [Hide] .. Translated Destination: Original.

    As I'm sure everyone here has experienced, if you try this on a Check Point, it dies on Verify.

    Who does PhoneBoy need to sleep with to get this functionality into Check Point Firewall-1?

    And yes, an ASA can do this too, and probably iptables.

    Use Case:

    A publicly available service or extranet service, but the firewall, or the path back to the firewall, is not the default gateway where the server is located.

  2. #2

    Re: NAT and Palo Alto

    You guys sure have developed a crush for Phoneboy :).

  3. #3

    Re: NAT and Palo Alto

    Create an Address Range for the Source (that covers the Internet) rather than leave it as Any.

  4. #4

    Re: NAT and Palo Alto

    Quote Originally Posted by alienbaby
    I have observed a Palo Alto do the following:

    Original Source: Any -> Original Destination: Some subnet or IP -> Translated Source: outgoing Interface (or whatever IP you like) [Hide] .. Translated Destination: Original.

    As I'm sure everyone here has experienced, if you try this on a Check Point, it dies on Verify.

    Who does PhoneBoy need to sleep with to get this functionality into Check Point Firewall-1?

    And yes, an ASA can do this too, and probably iptables.

    Use Case:

    A publicly available service or extranet service, but the firewall, or the path back to the firewall, is not the default gateway where the server is located.

    What you said is correct on both Palo Alto and Cisco ASA with a caveat: you can use "Any", but you need to associate a "zone" with it.

  5. #5

    Re: NAT and Palo Alto

    Quote Originally Posted by mcnallym
    Create an Address Range for the Source (that covers the Internet) rather than leave it as Any.

    I'm shocked, SHOCKED, well, not that shocked, that the OP didn't test this in their lab. I know they have one. ;)
    Last edited by jflemingeds; 2016-10-06 at 16:47.

  6. #6

    Re: NAT and Palo Alto

    Having created some of the best hacks known to man, I know a hack when I see one...

    And that's a hack. Logically, if I can do a source of 0.0.0.0/0.0.0.0, then 'Any' should work as well.

    So seriously, PhoneBoy needs to work those hips and make some change.
    Last edited by alienbaby; 2016-10-09 at 20:26.

  7. #7

    Re: NAT and Palo Alto

    That reads like a product defect to me (specifically, an issue in policy verification) rather than an enhancement that needs to be made.
    Has anyone tried to take this through TAC?
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  8. #8

    Re: NAT and Palo Alto

    Quote Originally Posted by cciesec2006
    What you said is correct on both Palo Alto and Cisco ASA with a caveat: you can use "Any", but you need to associate a "zone" with it.

    Right, and Security Zones are present in R80 management and can be used in NAT policies in this way. However, Security Zones are not supported by pre-R80 gateways; without saying too much at this time, I think it is pretty clear where Check Point's capabilities in this area are going...
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  9. #9

    Re: NAT and Palo Alto

    There must be some black magic under the hood for the "Any" object. Check Point already has an SK saying how to work around this, which has already been covered.

    sk21751

    Also note: "Note: The workaround will not work for Static NAT."

    Funny thing is, it looks like R77.30 is missing the verification rule for this.

    sk108278
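The workaround mcnallym describes in post #3 (an Address Range standing in for "Any" as the Original Source of a hide NAT rule) and the caveat in post #9 (the workaround does not apply to static NAT), as an added example that is not code from the thread or from Check Point. It builds the two request bodies you would send to the R80 Management API (add-address-range, then add-nat-rule) and pre-checks a rule against the two constraints the posters report. The object names (Internet-0.0.0.0-255.255.255.255, dmz-web-servers, fw-dmz-interface-ip) are made up for the example, and the API field names are assumed to match the R80 add-address-range and add-nat-rule calls; confirm them against the API reference for your release before relying on them.

```python
"""Added example: R80 Management API bodies for the 'address range instead
of Any' hide NAT workaround, plus a local pre-check for the two constraints
reported in the CPUG thread. Not the thread's or Check Point's own code.
Field names are assumed to match the R80 Web API 'add-address-range' and
'add-nat-rule' commands; object names are constructed for the example."""
import json

# Constructed object names for the example; replace with your own.
INTERNET_RANGE = "Internet-0.0.0.0-255.255.255.255"  # stands in for 'Any'
SERVER_NET = "dmz-web-servers"                        # Original Destination
FW_INSIDE_IP = "fw-dmz-interface-ip"                  # Translated Source (hide)


def internet_address_range(name=INTERNET_RANGE):
    """Body for add-address-range: every IPv4 address, used instead of 'Any'."""
    return {
        "name": name,
        "ip-address-first": "0.0.0.0",
        "ip-address-last": "255.255.255.255",
    }


def nat_rule(package, original_source, original_destination,
             translated_source, method="hide", position="top"):
    """Body for add-nat-rule. Destination and service stay 'Original', so
    only the source is rewritten (hidden behind the firewall's server-facing
    address), which forces the server's replies back through the firewall
    even when the firewall is not the server's default gateway."""
    return {
        "package": package,
        "position": position,
        "enabled": True,
        "original-source": original_source,
        "original-destination": original_destination,
        "original-service": "Any",
        "translated-source": translated_source,
        "translated-destination": "Original",
        "translated-service": "Original",
        "method": method,
    }


def check_rule(rule, range_names=(INTERNET_RANGE,)):
    """Local pre-check mirroring the two constraints reported in the thread:
    hide NAT with Original Source 'Any' fails policy Verify, and the
    all-IPv4 address range workaround is documented as not working for
    static NAT (sk21751 note quoted in post #9). Returns a list of problems."""
    problems = []
    if rule["method"] == "hide" and rule["original-source"] == "Any":
        problems.append(
            "hide NAT with Original Source 'Any' fails Verify; "
            "use an address range such as %s instead" % INTERNET_RANGE)
    if rule["method"] == "static" and rule["original-source"] in range_names:
        problems.append(
            "the all-IPv4 address range workaround does not apply to static NAT")
    return problems


def build_requests(package="Standard"):
    """The two API calls, in order, as (command, JSON body) pairs ready for
    'mgmt_cli <command> ...' or 'POST /web_api/<command>'."""
    rule = nat_rule(package, INTERNET_RANGE, SERVER_NET, FW_INSIDE_IP)
    problems = check_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return [("add-address-range", json.dumps(internet_address_range())),
            ("add-nat-rule", json.dumps(rule))]


if __name__ == "__main__":
    for command, body in build_requests():
        print(command, body)
```

On the command line the same two calls are `mgmt_cli add address-range name "<range>" ip-address-first 0.0.0.0 ip-address-last 255.255.255.255` followed by `mgmt_cli add nat-rule package "<package>" position top original-source "<range>" original-destination "<server>" translated-source "<fw-ip>" method hide`, then `publish` and a policy install. The pre-check only encodes what this thread reports; it is not a substitute for running Verify on your own version, especially given post #9's note that R77.30 appears to skip this verification.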

  10. #10

    Re: NAT and Palo Alto

    Quote Originally Posted by alienbaby
    ... logically, if I can do a source of 0.0.0.0/0.0.0.0, then 'Any' should work as well.

    Maybe "Any" in Source or Destination works like "Any" in Service; it doesn't mean "every". Like how X11 is specifically not included in the "Any" Service.

    Ray
