While looking for some information related to Check Point I came across your channel. I started from part 2, and buddy, it's WoW. Loving your tutorial, which is definitely going to help lots of people. I'm planning to go through your Check Point series. Keep up the good work.
Thank you for the kind words. Really appreciate the feedback, and it's fun to see that you guys seem to like it. Hope you like the series, and good luck on any certification journey!
This is the best Check Point NAT explanation on TH-cam so far. I like the way you present: very educational, clear and precise language. Waiting for the next video :)
Thank you :) Congrats on your CCSA! We still have a bunch of things to cover within SmartConsole. We haven't even started with the funny stuff yet :D
Thanks Magnus :) Appreciate the good work.
Fantastic explanation, kept the presentation to the point and simple. Thank you.
You are welcome!
Yes, you explained the NAT concept and how it works in Check Point software very well. I really appreciate the effort you have been putting into making such good videos for the public. Thank you so much for sharing your knowledge.
Girjesh Sharma, thank you for watching and commenting :) My plan for the next video (it will come in a few days) is to talk about the 3 different types of logs within Check Point: SmartLog, the audit log and the messages file.
Hi Magnus, thanks a lot for the extraordinary video. At 07:28 you explained using 'link networks' towards the routers to bypass the manual proxy ARP config for manual NAT. Can you please explain briefly what you meant by 'link networks'?
What I am referring to is that you have a dedicated link network, such as a /29, between your firewall and the router. Then you route the rest of your IP addresses in the router to the firewall, so the router knows that all of those IP addresses are behind the firewall. Instead of having, say, a /24 between the firewall and the router, using part of that /24 for servers or similar, and expecting the firewall to respond to ARP when the router asks who has this or that IP on the network it's directly connected to, i.e. the server /24.
@@MagnusHolmberg-NetSec Thanks for the reply. Typically, when the traffic is received on the firewall, it'll send its MAC address on behalf of the back-end application/server. Since the router is pointing the advertised NAT subnet to the firewall, does no proxy ARP happen here, or what is the traffic flow? Can you please explain briefly. Thanks.
@@srinivasann62 Proxy ARP is not in that traffic flow, if I understand you correctly. Proxy ARP is needed when, let's say, your firewall and router connect to each other and you use a /28 network between them, and you expect the firewall to be able to send out traffic sourced not only from its IPs .1-.3 (ClusterXL + the nodes) but also from, say, .4-.6, while the router has .7-.9. Or, likewise, if you expect the firewall to respond to ARP requests from the router asking who has IP .4-.6, if these are used for DMZ servers or similar. This works by default when using automatic NAT, but if you use manual NAT you do need proxy ARP (sk30197). However, if you route the IPs .4-.6 towards, let's say, .1 (the ClusterXL IP), you don't need to configure proxy ARP. But I think that's not a pretty solution, which is why I use a dedicated link network between the boxes and then route the prefix instead. Cleaner and nicer.
An excellent video explaining NAT in a simple way
WOW, THIS IS DEEP UNDERSTANDING FOR CHECK POINT !!
Demonstration in a classy mood
Thank you for watching and commenting :) Are you prepping to take the CCSA certificate?
@@MagnusHolmberg-NetSec Yes brother, I am Cisco & Palo Alto certified; I am trying to get CP certified asap.
@@mh63111 Aha, great, hopefully you find the content interesting then :) Time to skip Palo for the good stuff ;)
@@MagnusHolmberg-NetSec Yes, 100% I agree with you. Check Point will be at the top of comprehensive security solutions, but they should focus on [the Middle East] because it is not familiar here.
@@mh63111 It's an Israeli company, and Israel's relationship with the Middle East is not the best.
Hi Magnus, are you able to make a video on how to bypass HTTPS inspection on Check Point?
Hello Magnus. Let's say we have to create lots of manual NATs; at the same time we have to create the same ARP entries in the firewall. To avoid this you mentioned the link router. Please explain this.
I would avoid using static ARP entries. I would route in the NAT addresses so the static ARP is not needed. I have zero installations (over 300 firewalls) where we use static ARP, because it's a pain in the butt.
Great work buddy, I have been following your tutorials, well explained. Keep up the good work!!!
Taro Manga, thank you. I am working on some lab videos: installing mgmt and a gateway cluster from scratch in VMware Workstation. Hopefully you guys will like it :) More or less thinking whether I should edit away my mistakes or keep them as live troubleshooting.
What's the difference between the NAT methods "Hide" and "Static", considering a Host object?
I think you will need to watch the video again, but in general HIDE NAT is many behind 1 IP, meaning you can put it on multiple network and host objects and it will hide all of them behind the gateway's IP. Static is a 1-to-1 NAT, i.e. a DMZ server or similar that should be exposed on the internet.
Thanks for this good video! I have a question please: to connect the private network to the internet I probably need Hide NAT, but what do I need to put in Translated Source? Do I need to put the external interface object of the Check Point?
If you use hide NAT on the object you don't need to do any manual NAT (this would be an automatic NAT). If you do manual NAT with hide NAT you would need to put the external IP you want for that hide NAT in Translated Source. You could also put the firewall object in Translated Source, but personally I put the specific IP as a NAT object instead so it really does what I want :)
Other doubt: let's say we have two ISPs, primary (80.80.80.80) and backup (90.90.90.90). We already created a manual static NAT translating to the primary ISP IP. In case the primary ISP goes down, how will the static NAT work?
I would suggest checking the video I made about ISP redundancy, as it involves a lot more than just NAT. If you do have PI addresses then it would be no different, as you would need to announce your network to both ISPs. But if you don't have PI it's a completely different thing: the backup ISP would never announce the primary ISP's IPs and it would not work. (And the reason why it would not work has nothing to do with Check Point, just to make that clear :) )
th-cam.com/video/BuwU-ppyDmo/w-d-xo.html
@@MagnusHolmberg-NetSec Thanks very much. Your reply is prompt :)
Why do you need to add a NAT entry for 10.10.10.0/24 to destination 10.10.10.0/24 when in the first place this will not even be routed and hit the firewall, since they are in the same broadcast domain?
It's not really needed, so to say, but this was added by the automatic NAT. I am guessing it's a way to highlight it in the NAT rulebase. Normally you do add some group containing all local networks and make a no-NAT rule with localnet to localnet.
Hi Magnus. Watching the video, I am left with a doubt. Could you explain the difference between the Translation Methods HIDE and STATIC? When should one apply one over the other? If your desire is to get something to the INTERNET, which one would you apply? Thank you very much. :)
Hi,
Static = 1-to-1 NAT.
Normal usage is when you want to put a server in a DMZ and have a service accessible on the internet.
In this case traffic could start from the internet and go in to the server.
Hide NAT = many to 1.
Normal usage: hide client networks behind a single IP for web surfing.
In this case the traffic must start from inside the network and go out.
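As an added illustration of the hide/static distinction above, of the two rules automatic NAT generates (the net-to-itself no-NAT rule asked about earlier in the thread), and of the first-match rule ordering Magnus mentions elsewhere, here is a small Python model. It is a constructed example, not Check Point code or anything from the video: the address ranges are documentation ranges, the rule names and the `HidePortPool` are assumptions, and the port pool is a simplification of how a hide NAT keeps many connections apart behind one IP. `shadowed_rules` goes a step beyond the thread and flags a rule that can never match because an earlier rule already covers it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass
class NatRule:
    name: str
    orig_src: str                    # original source network (CIDR)
    orig_dst: str                    # original destination network (CIDR)
    method: str                      # "none" (no translation), "hide" or "static"
    xlate_src: Optional[str] = None  # translated source address
    xlate_dst: Optional[str] = None  # translated destination address


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int


def contains(net: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def automatic_hide_rules(network: str, hide_ip: str) -> List[NatRule]:
    """Hide NAT on a network object: the net-to-itself no-NAT rule plus the hide rule."""
    return [
        NatRule(f"{network} -> {network} (no NAT)", network, network, "none"),
        NatRule(f"hide {network} behind {hide_ip}", network, ANY, "hide", xlate_src=hide_ip),
    ]


def automatic_static_rules(host: str, public_ip: str) -> List[NatRule]:
    """Static 1:1 NAT on a host: outbound source rule plus inbound destination rule."""
    return [
        NatRule(f"static {host} -> {public_ip}", f"{host}/32", ANY, "static", xlate_src=public_ip),
        NatRule(f"static {public_ip} -> {host}", ANY, f"{public_ip}/32", "static", xlate_dst=host),
    ]


def first_match(rulebase: List[NatRule], flow: Flow) -> Optional[NatRule]:
    """Top-down evaluation: the first rule whose original columns match wins."""
    for rule in rulebase:
        if contains(rule.orig_src, flow.src) and contains(rule.orig_dst, flow.dst):
            return rule
    return None


class HidePortPool:
    """Hands out distinct source ports per hide address (assumed simplification)."""
    def __init__(self, base: int = 10000) -> None:
        self.base = base
        self.next: Dict[str, int] = {}

    def allocate(self, hide_ip: str) -> int:
        port = self.next.get(hide_ip, self.base)
        self.next[hide_ip] = port + 1
        return port


def translate(rulebase: List[NatRule], flow: Flow, pool: HidePortPool) -> Tuple[Flow, Optional[NatRule]]:
    rule = first_match(rulebase, flow)
    if rule is None or rule.method == "none":
        return flow, rule
    src, dst, sport = flow.src, flow.dst, flow.sport
    if rule.method == "hide":
        # many-to-one: rewrite the source IP and pick a unique source port
        src = rule.xlate_src
        sport = pool.allocate(rule.xlate_src)
    elif rule.method == "static":
        # one-to-one: rewrite only the column the rule names, ports untouched
        src = rule.xlate_src or src
        dst = rule.xlate_dst or dst
    return Flow(src, dst, sport, flow.dport), rule


def shadowed_rules(rulebase: List[NatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers both columns."""
    out = []
    for j, later in enumerate(rulebase):
        ls = ipaddress.ip_network(later.orig_src, strict=False)
        ld = ipaddress.ip_network(later.orig_dst, strict=False)
        for earlier in rulebase[:j]:
            es = ipaddress.ip_network(earlier.orig_src, strict=False)
            ed = ipaddress.ip_network(earlier.orig_dst, strict=False)
            if ls.subnet_of(es) and ld.subnet_of(ed):
                out.append(later.name)
                break
    return out


if __name__ == "__main__":
    rb = automatic_static_rules("10.10.10.50", "203.0.113.50") + automatic_hide_rules("192.168.1.0/24", "203.0.113.1")
    pool = HidePortPool()
    for f in [Flow("192.168.1.10", "192.168.1.20", 40000, 445),   # localnet to localnet: no NAT
              Flow("192.168.1.10", "198.51.100.7", 40000, 443),   # web surfing: hidden, port 10000
              Flow("192.168.1.11", "198.51.100.7", 40000, 443),   # second host: same IP, port 10001
              Flow("198.51.100.7", "203.0.113.50", 50000, 443),   # inbound to DMZ server: static
              Flow("198.51.100.7", "203.0.113.1", 50000, 443)]:   # inbound to hide IP: no rule
        t, r = translate(rb, f, pool)
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}  =>  {t.src}:{t.sport} -> {t.dst}:{t.dport}  [{r.name if r else 'no rule'}]")
    print("shadowed:", shadowed_rules(rb))
```

The last flow in the demo shows why hide NAT only works for connections that start inside: nothing in the rulebase maps the hide address back to a host. Swapping the order so that a hide rule for `10.10.10.0/24` sits above the static rule for `10.10.10.50` makes `shadowed_rules` report the static outbound rule, which is the ordering mistake the first-match behaviour produces.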
@@MagnusHolmberg-NetSec nicely explained
Thanks mate for sharing your knowledge. Very well explained.
Thank you :)
Magnus, thanks for all the help with Check Point NAT configuration. I'm having a NAT issue and hope you can help me. My Check Point cluster has two external interfaces. Existing internet traffic is on a hide NAT behind address 204.1.1.1, with a default route to 204.1.1.2. I created a NEW external interface 50.1.1.1 (50.1.1.0/24 network) and connected it to our secondary internet connection at 50.1.1.2. If I static NAT a host to 50.1.1.50/24, traffic still leaves the firewall from the physical interface connected to 204.1.1.1. Any ideas?
How are you routing between the 2 external interfaces; how is the decision made on which interface to take? Meaning, how is the routing set up? Secondly, NAT rules are based on the order they are in: the first rule that hits will be in use. My recommendation is always to use link networks like a /29 toward the firewall, and then route the rest of the public IP addresses. This helps with announcing the IPs correctly: automatic NAT announces the IP addresses by default via gratuitous ARP, manual NAT does not. This means that you need to create a file for it, and I think it's just a big hassle. sk30197
We use BGP and that seems to work fine. If we use /28 ranges for the firewall interfaces, how do I use my /25 allocation of public IPs for static NATs? I thought the firewall needed an interface directly on that network to do the NATs. If I move the public IP address range, do I move it to a router inside or outside the firewall?
@@jasonmaiolo6471 The firewall does not need any interface for IP addresses used for NAT. Meaning you can have Router1 - link network /29 - Firewall. In case of static routing, on Router1 you route x.x.x.x/X towards the firewall IP (cluster IP or similar). Then you can use these in NAT. The benefit of doing this is that you don't need to do a local ARP file even when doing static NAT. Now, when you are using BGP you do need to announce the prefix, as it's no longer a directly connected interface; you need to specify it. Check the advanced routing guide for the specific command :) (I think you need to do a route map.)
@@MagnusHolmberg-NetSec So, should the public IP address range for NATs be on a router inside or outside my firewall?
@@jasonmaiolo6471 They only need to be routed to your firewall. They don't need to be anywhere else. No need for any interface if you are planning to use them as NAT IPs.
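To make the two designs discussed in this reply and in the earlier proxy ARP thread concrete (the shared /28 between router and firewall versus a /29 link network with the public prefix routed to the cluster IP), here is an added Python check. It is a constructed example, not Check Point code: the interface names, address ranges (documentation ranges) and status strings are assumptions. It classifies each NAT address as sitting on a directly connected link (the router will ARP for it, so manual NAT needs a proxy ARP entry per sk30197 while automatic NAT announces it itself), sitting in a prefix routed to the firewall (no ARP involved), or reachable by neither, which is the routing gap behind the "do I need an interface on that network" question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Interface:
    name: str     # assumed interface name
    network: str  # directly connected subnet on the firewall, e.g. "198.51.100.0/29"


def classify_nat_ip(nat_ip: str, interfaces: List[Interface],
                    routed_prefixes: List[str], manual_nat: bool) -> str:
    """How does the upstream router learn that nat_ip lives behind the firewall?"""
    ip = ipaddress.ip_address(nat_ip)
    for itf in interfaces:
        if ip in ipaddress.ip_network(itf.network, strict=False):
            # On a shared link the router ARPs for the address itself: automatic NAT
            # answers (gratuitous ARP), manual NAT needs a proxy ARP entry (sk30197).
            return "proxy-arp-required" if manual_nat else "announced-by-automatic-nat"
    for prefix in routed_prefixes:
        if ip in ipaddress.ip_network(prefix, strict=False):
            # The router forwards the whole prefix to the firewall's link IP; no ARP for it.
            return "routed-no-arp"
    return "unreachable"  # nobody delivers this address to the firewall


def proxy_arp_entries(nat_ips: List[str], interfaces: List[Interface],
                      routed_prefixes: List[str], manual_nat: bool) -> List[Tuple[str, str]]:
    """(nat_ip, interface) pairs that would each need a manual proxy ARP entry."""
    entries = []
    for nat_ip in nat_ips:
        if classify_nat_ip(nat_ip, interfaces, routed_prefixes, manual_nat) == "proxy-arp-required":
            ip = ipaddress.ip_address(nat_ip)
            itf = next(i for i in interfaces if ip in ipaddress.ip_network(i.network, strict=False))
            entries.append((nat_ip, itf.name))
    return entries


def audit(nat_ips: List[str], interfaces: List[Interface],
          routed_prefixes: List[str], manual_nat: bool) -> Dict[str, str]:
    """Status of every NAT address in a design, for a quick review of a rulebase."""
    return {ip: classify_nat_ip(ip, interfaces, routed_prefixes, manual_nat) for ip in nat_ips}


if __name__ == "__main__":
    # Design 1: /28 shared with the router, NAT addresses taken from the same subnet
    shared = [Interface("eth1", "198.51.100.0/28")]
    print("shared /28, manual NAT:", audit(["198.51.100.4", "198.51.100.5"], shared, [], manual_nat=True))
    print("proxy ARP entries     :", proxy_arp_entries(["198.51.100.4", "198.51.100.5"], shared, [], True))
    # Design 2: /29 link network, a public /25 routed by the router to the cluster IP
    link = [Interface("eth1", "198.51.100.0/29")]
    routed = ["198.51.100.128/25"]
    print("/29 link + routed /25 :", audit(["198.51.100.130", "198.51.100.131"], link, routed, manual_nat=True))
    print("proxy ARP entries     :", proxy_arp_entries(["198.51.100.130", "198.51.100.131"], link, routed, True))
    # Same NAT address, but the /25 was never routed to the firewall
    print("prefix not routed     :", classify_nat_ip("198.51.100.130", link, [], manual_nat=True))
```

In the link-network design the proxy ARP list comes back empty however many manual NATs exist, which is the "zero static ARP entries" point made earlier; the last line shows the failure case where a NAT address is used without either an interface on its subnet or a route pointing it at the firewall.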
Hello, Magnus. One query. Why, when you create a NAT rule automatically, does it create 2 rules by default? Is this normal?
Yes, it's normal :)
@@MagnusHolmberg-NetSec The use of one or the other NAT method (manual NAT or automatic NAT), would you say the choice depends on the administrator's taste? Sometimes in production environments it is somewhat tedious to find out whether the NAT you find in the logs was created manually or automatically.
Great effort !!
Thank you, more to come.
SmartConsole is a huge topic within Check Point. Hopefully soon we can go into some more advanced stuff. :)
fantastic explanation, thank you so much
Very informative.
Great video,
Thank you :)
👍