Solution Title How to create a rule to stop NAT and PAT in the CHECKPOINT FIREWALL application running in some Switches/routers
Solution Details Date - 04/2008
Affected Product Version - all
Affected Module & Version - all
OS Version - all
Application Information - The CHECKPOINT FIREWALL application running on some switches/routers comes configured by default with Network Address Translation (NAT) and Port Address Translation (PAT).
See the article http://en.wikipedia.org/wiki/Network_address_translation
It discusses firewalls that use NAT and their advantages and disadvantages.
Pay special attention to the section called "Drawbacks":
"Hosts behind NAT-enabled routers do not have true end-to-end connectivity and cannot participate in some Internet protocols. Services that require the initiation of TCP connections (which Netvault does) from the outside network, or stateless protocols such as those using UDP (which Netvault does) can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination."
Description: The first thing to consider is to find out whether the CHECKPOINT FIREWALL application is configured to do NAT.
If that is the case, you need to request that the network administrator implement an explicit rule to exclude the NetVault server and all clients from NAT.
1)- From the CHECKPOINT FIREWALL application, create two groups of servers.
1a)- Create a group of servers named NetVault_DMZ_Servers and add the NetVault server and all NetVault clients inside the DMZ to this group.
1b)- Create a group of servers named NetVault_PUBLIC_Servers and add all NetVault clients on the public network outside of the DMZ to this group.
2)- Create a firewall rule to bidirectionally exclude NAT and PAT between these two groups.
The result of the rules above is:
Rule Number 1: The CHECKPOINT FIREWALL application running on the switch/router will inspect any packet whose original SOURCE field belongs to the group of servers named NetVault_DMZ_Servers
and whose DESTINATION field is any server within the group of servers named NetVault_PUBLIC_Servers, on any port (in this case any port from 1 all the way to 65535).
The "= Original" value applied to the SOURCE, DESTINATION and SERVICE columns of the TRANSLATED PACKET establishes that, in this scenario, the CHECKPOINT FIREWALL application running on the switch/router will not do NAT (Network Address Translation) and will not do PAT (Port Address Translation) either when the condition above is met.
Rule Number 2: does the same thing for packets traveling in the reverse direction.
Please see the attached Screen Shot of the above rule on a CHECKPOINT FIREWALL application.
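A small probe for the check in the Description above (is the firewall translating the NetVault traffic?) and for confirming that Rule 1 and Rule 2 are in effect once installed: the listener stands in for the NetVault server, the probe for a NetVault client, and the client compares the source ip:port the server saw with its own. This is an added example, not code from the article, NetVault or Check Point; the listener, the probe function and the loopback self-test are all constructed here, and in a real check the listener runs on one side and the probe on the other, in each direction in turn.

```python
import socket
import threading

# Constructed probe (not from the article). The listener reports the
# source ip:port it actually received, so the client can tell whether
# the firewall rewrote its address (NAT) or its port (PAT). Run it in
# both directions, as Rule 1 and Rule 2 each cover one direction.

def start_listener(bind_host="127.0.0.1", bind_port=0):
    """Accept one connection, echo the peer address back as 'ip:port\\n'.
    Returns (bound_port, thread); port 0 picks a free ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, bind_port))
    srv.listen(1)

    def serve():
        conn, peer = srv.accept()
        with conn:
            conn.sendall(f"{peer[0]}:{peer[1]}\n".encode())
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], t


def probe_translation(server_host, server_port, timeout=5.0):
    """Connect, then compare the address the server saw with our own
    socket's local address. Any difference means translation in the path."""
    with socket.create_connection((server_host, server_port), timeout=timeout) as s:
        local_ip, local_port = s.getsockname()[:2]
        seen = b""
        while not seen.endswith(b"\n"):
            chunk = s.recv(64)
            if not chunk:
                break
            seen += chunk
    seen_ip, seen_port = seen.decode().strip().rsplit(":", 1)
    return {
        "local": (local_ip, local_port),
        "observed": (seen_ip, int(seen_port)),
        "nat": seen_ip != local_ip,           # source address rewritten
        "pat": int(seen_port) != local_port,  # source port rewritten
    }


def loopback_self_test():
    # No firewall on loopback, so the expected verdict is no NAT, no PAT.
    port, t = start_listener()
    result = probe_translation("127.0.0.1", port)
    t.join(timeout=5.0)
    return result
```

If the probe still reports translation after the rules are installed, check that the two "= Original" rules sit above any general hide or static NAT rules, since the NAT rule base is matched top-down and the first matching rule wins.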
P.S. The rules above only stop the CHECKPOINT FIREWALL application from doing NAT and PAT.
You still have to follow all other procedures to configure the required range of ports in the NetVault Configurator on the clients in the public network outside of the DMZ.
You still need to right-click the clients and configure them as OUTSIDE FIREWALL when adding the client.
If the clients on the public network outside of the DMZ have more than one NIC, you still need to configure the Connections sub-tab of the Network Manager tab in the NetVault Configurator.