CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: Hide NAT Address Range

  1. #1
    Join Date
    2015-06-23
    Posts
    11
    Rep Power
    0

    Default Hide NAT Address Range

    We are going to be directing all of our internet traffic through our pair of CheckPoint IP Appliances running R77.10 in a VRRP configuration. We currently run our internet traffic through a different firewall vendor that allows us to hide our traffic behind 2 IPs due to the amount of TCP connections and PAT pool exhaustion. I have been reading (some on CPUG) that CheckPoint may or may not be able to accomplish this type of NAT hide of many to fewer. Some of the things I read say CheckPoint does not have this ability. I also have read that it is not documented by CheckPoint but it is possible to hide behind address range. I have also talked with CheckPoint TAC and have had differing responses to this question too.

    Our proposed setup would be a manual NAT statement with the translated source set to an address range object that has 2 IPs and the translation method for the object set to Hide.

    Has anyone had experience with this type of setup and if so what type of experience, good or bad? I would like to try to avoid having to define all of our networks on the firewall and put them into groups and have each group hide behind its own external IP.

    Thanks in advance for feedback.

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,469
    Rep Power
    15

    Default Re: Hide NAT Address Range

    This has been supported for a while, however it does have some limitations.
    I'd start with sk76800.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2015-06-23
    Posts
    11
    Rep Power
    0

    Default Re: Hide NAT Address Range

    Thanks for the reply and the sk76800. These firewalls are not running CoreXL. According to that SecureKnowledge document, since we do not have CoreXL enabled, IP Pool NAT should be supported; is my understanding correct? The firewalls do have SecureXL on. Does SecureXL present any potential problems with the NAT hide to address range?

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,469
    Rep Power
    15

    Default Re: Hide NAT Address Range

    As long as you're on a current version of code, yes.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #5
    Join Date
    2006-02-02
    Location
    Czech Republic
    Posts
    42
    Rep Power
    0

    Default Re: Hide NAT Address Range

    Quote Originally Posted by PhoneBoy:
    ... I'd start with sk76800.
    The article describes IP pool NAT but it is not the same thing as hide NAT. As far as I know the IP pool NAT does not translate source ports. (It cannot be used to hide multiple IP addresses behind one IP at a single moment.)

    In fact it is possible to find a mention of hide NAT behind an IP range object in sk105302 but this is the only reference in Check Point materials I was able to find! From a preliminary test this seems to work.
    I would be glad if you can find additional information about this functionality.
    In this forum I have found: https://www.cpug.org/forums/showthre...public-service

    Fasteddye, do you have some experience with hide NAT behind an IP range now?
    Last edited by pabouk; 2018-01-03 at 22:36.

  6. #6
    Join Date
    2014-09-02
    Posts
    339
    Rep Power
    10

    Default Re: Hide NAT Address Range

    Correct, IP Pool NAT is not the same thing. Historically, prior to Office Mode, IP Pool NAT was commonly employed for remote users - giving each one's inbound traffic a unique source IP address from a defined range (or network). The other goal was to make sure their traffic on the internal network was sourced from a range that could be return-routed to the firewall (and not their home IP address). This was, of course, superseded by Office Mode. This had no need or desire to translate ports, as each address in the pool was allocated to an individual user. The referenced SK (sk76800) seems to have just confirmed that support for IP Pool NAT was included in ClusterXL as of R75.40.

    Your timing in asking this is pretty funny. I've been reviewing the second edition of Tim Hall's MaxPowerFirewalls book (available soon), and he refers to (and confirms) exactly this feature, as does the article you mentioned (sk105302). That SK is originally dated 2015 and specifies "All" versions (which I question).

    I just did a [very limited] test as well (mostly just to see it for myself). Ultimately, it appears that you can indeed manually hide-NAT a network behind a smaller "address range" as a source.

    -E
    Last edited by EricAnderson; 2018-01-04 at 00:21.

  7. #7
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,192
    Rep Power
    13

    Default Re: Hide NAT Address Range

    Quote Originally Posted by EricAnderson:
    Correct, IP Pool NAT is not the same thing. Historically, prior to Office Mode, IP Pool NAT was commonly employed for remote users - giving each one's inbound traffic a unique source IP address from a defined range (or network). The other goal was to make sure their traffic on the internal network was sourced from a range that could be return-routed to the firewall (and not their home IP address). This was, of course, superseded by Office Mode. This had no need or desire to translate ports, as each address in the pool was allocated to an individual user. The referenced SK (sk76800) seems to have just confirmed that support for IP Pool NAT was included in ClusterXL as of R75.40.

    Your timing in asking this is pretty funny. I've been reviewing the second edition of Tim Hall's MaxPowerFirewalls book (available soon), and he refers to (and confirms) exactly this feature, as does the article you mentioned (sk105302). That SK is originally dated 2015 and specifies "All" versions (which I question).

    I just did a [very limited] test as well (mostly just to see it for myself). Ultimately, it appears that you can indeed manually hide-NAT a network behind a smaller "address range" as a source.

    -E
    Yes, what I call a "many to fewer" Hide NAT has been possible since R75, and is presented in my new book in the context of avoiding the 50k concurrent connection limit through a single Hide NAT address. When this 50k limit per single Hide NAT address is exceeded, it manifests itself as terrible performance (particularly with HTTP) as some connections succeed and some fail.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  8. #8
    Join Date
    2006-09-26
    Posts
    3,134
    Rep Power
    15

    Default Re: Hide NAT Address Range

    Quote Originally Posted by ShadowPeak.com:
    Yes, what I call a "many to fewer" Hide NAT has been possible since R75, and is presented in my new book in the context of avoiding the 50k concurrent connection limit through a single Hide NAT address. When this 50k limit per single Hide NAT address is exceeded, it manifests itself as terrible performance (particularly with HTTP) as some connections succeed and some fail.
    I think your comment about "50k concurrent connection limit through a single Hide NAT address" is somewhat misleading.

    You will not be able to get 50k connections through a single Hide NAT address due to CoreXL. The more CoreXL instances you have on the gateways, the fewer concurrent connections you will get through a single Hide NAT address. Even with the workaround provided by Checkpoint, it still does NOT work most of the time.

    Just be aware about Hide NAT when you have gateways with a lot of CoreXL instances.

  9. #9
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,192
    Rep Power
    13

    Default Re: Hide NAT Address Range

    Quote Originally Posted by cciesec2006:
    I think your comment about "50k concurrent connection limit through a single Hide NAT address" is somewhat misleading.

    You will not be able to get 50k connections through a single Hide NAT address due to CoreXL. The more CoreXL instances you have on the gateways, the fewer concurrent connections you will get through a single Hide NAT address. Even with the workaround provided by Checkpoint, it still does NOT work most of the time.

    Just be aware about Hide NAT when you have gateways with a lot of CoreXL instances.
    I believe you are referring to the static pre-allocation of available Hide NAT ports amongst the various CoreXL Firewall Workers. Quoted from the second edition of my book:

    However, R77.30 has an available built-in fix for the Hide NAT port allocation failures that are much more likely to occur when SMT/Hyperthreading is enabled. Ports used for Hide NAT source port reallocation can be dynamically pooled among the Firewall Worker cores, instead of being statically assigned. This new feature is not enabled by default in R77.30 and earlier. It involves setting the fwx_nat_dynamic_port_allocation variable from 0 to 1, which will dynamically pool source ports among all Firewall Worker cores. See sk103656: Dynamic NAT port allocation feature for instructions to set this variable on an R77.30 firewall.

    In R80.10 gateway (whether upgraded from R77.XX or loaded from scratch) if there are 6 or more Firewall Worker cores configured, by default the fwx_nat_dynamic_port_allocation variable will be automatically set to 1, otherwise it will remain set to 0.
    If it is not that, you may be thinking of the Extra/Global NAT ports from 60001-65000 (sk69480), used for functions that CoreXL does not completely support (like VoIP) that must be processed only on the lead Firewall Worker core. Definitely an issue in R77.30 as described in the SK but fixed in R80.10 along with a lot of other limitations.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
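The last three posts describe two separate capacity effects: the roughly 50k source ports available behind one Hide NAT address (posts #7 and #8), and the way a static per-Firewall-Worker split of those ports makes allocations fail on a busy core while other cores still have free ports, which dynamic pooling avoids (post #9). Neither poster supplies a model, so the following toy Python simulation is added here as an illustration. It is not code from the thread, the book, or Check Point, and it does not reproduce the gateway's real allocation algorithm; the 50,000-ports-per-address figure, the equal static split across workers, the "first address with a free port" choice within the range, the skewed per-core traffic mix, and the 203.0.113.x addresses are all constructed assumptions.

```python
"""Toy model of Hide NAT source-port allocation.

Constructed example: not Check Point code and not the gateway's real
algorithm. It models a fixed pool of translated source ports per hide
address, either split statically across Firewall Worker cores or pooled
dynamically among them, and shows how hiding behind an address range
(many-to-fewer Hide NAT) raises the ceiling.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: one hide address offers 50,000 translated source ports,
# matching the "50k concurrent connection limit" quoted in the thread.
PORTS_PER_HIDE_ADDRESS = 50_000


@dataclass
class HideNatModel:
    hide_addresses: List[str]
    workers: int
    dynamic_pooling: bool
    allocated: int = field(default=0, init=False)
    failures: int = field(default=0, init=False)
    # Free ports remaining, keyed by (hide address, worker index). In dynamic
    # mode the worker index is None because every worker draws from one pool.
    _free: Dict[Tuple[str, Optional[int]], int] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        for addr in self.hide_addresses:
            if self.dynamic_pooling:
                self._free[(addr, None)] = PORTS_PER_HIDE_ADDRESS
            else:
                # Static pre-allocation (assumed equal split): each worker owns
                # its own slice of the address's ports and cannot borrow.
                share, remainder = divmod(PORTS_PER_HIDE_ADDRESS, self.workers)
                for w in range(self.workers):
                    self._free[(addr, w)] = share + (1 if w < remainder else 0)

    def capacity(self) -> int:
        """Total ports across the whole address range, ignoring the worker split."""
        return PORTS_PER_HIDE_ADDRESS * len(self.hide_addresses)

    def worker_free(self, worker: int) -> int:
        """Ports still available to one worker across all hide addresses."""
        key_worker = None if self.dynamic_pooling else worker
        return sum(self._free.get((addr, key_worker), 0) for addr in self.hide_addresses)

    def new_connection(self, worker: int) -> Optional[str]:
        """Allocate a source port for a connection handled by `worker`.

        Returns the hide address used, or None on allocation failure (the
        symptom post #7 describes as some connections succeeding and some
        failing). Picking the first address with a free port is a simplification.
        """
        key_worker = None if self.dynamic_pooling else worker
        for addr in self.hide_addresses:
            key = (addr, key_worker)
            if self._free[key] > 0:
                self._free[key] -= 1
                self.allocated += 1
                return addr
        self.failures += 1
        return None


def simulate(hide_addresses: List[str], workers: int, dynamic_pooling: bool,
             connections: int, skew: int = 3, seed: int = 42) -> Tuple[int, int]:
    """Open `connections` concurrent connections; return (allocated, failures).

    Constructed traffic mix: worker 0 receives `skew` times the share of each
    other worker, standing in for the uneven per-core load under which static
    slices run dry on one core while other cores still hold free ports.
    """
    model = HideNatModel(hide_addresses, workers, dynamic_pooling)
    weights = [skew] + [1] * (workers - 1)
    rng = random.Random(seed)
    for _ in range(connections):
        worker = rng.choices(range(workers), weights=weights)[0]
        model.new_connection(worker)
    return model.allocated, model.failures


if __name__ == "__main__":
    one_ip = ["203.0.113.1"]                      # constructed documentation addresses
    two_ips = ["203.0.113.1", "203.0.113.2"]
    for label, addrs, dyn in [("1 IP, static", one_ip, False),
                              ("1 IP, dynamic", one_ip, True),
                              ("2 IPs, static", two_ips, False),
                              ("2 IPs, dynamic", two_ips, True)]:
        ok, failed = simulate(addrs, workers=4, dynamic_pooling=dyn, connections=40_000)
        print(f"{label:15} allocated={ok:6} failures={failed:6}")
```

Running it shows the point of the thread in numbers: with one hide address and four statically sliced workers, 40,000 connections already produce failures because the busiest core exhausts its 12,500-port slice, whereas dynamic pooling serves all 40,000 from the same address, and a two-address range serves them even with static slicing. A quick check on a real gateway is the reverse of this model: count concurrent connections per translated source address in the logs and compare against the per-address ceiling before deciding whether an address range, dynamic pooling, or both are needed.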

  10. #10
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,469
    Rep Power
    15

    Default Re: Hide NAT Address Range

    Quote Originally Posted by ShadowPeak.com:
    Yes what I call a "many to fewer" Hide NAT has been possible since R75
    I seem to recall this feature being available (perhaps in "customer releases") as far back as R65.
    That said, it was definitely not a SecureXL-friendly feature in those days.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
