Solution Title How to create a rule to stop NAT and PAT in the CHECKPOINT FIREWALL application running in some Switches/routers
Solution Details Date - 04/2008
Affected Product Version - all
Affected Module & Version - all
OS Version - all
Application Information - The CHECKPOINT FIREWALL application running in some switches/routers comes configured by default with Network Address Translation (NAT) and Port Address Translation (PAT).
See the article http://en.wikipedia.org/wiki/Network_address_translation
It discusses firewalls that use NAT and their advantages and disadvantages.
Pay special attention to the section called "Drawbacks":
"Hosts behind NAT-enabled routers do not have true end-to-end connectivity and cannot participate in some Internet protocols. Services that require the initiation of TCP connections (which NetVault does) from the outside network, or stateless protocols such as those using UDP (which NetVault does) can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination."
Description: The first thing to consider is to find out whether the CHECKPOINT FIREWALL application is configured to perform NAT.
If it is, you need to request that the network administrator implement an explicit rule that excludes the NetVault server and all NetVault clients from NAT.
1)- From the CHECKPOINT FIREWALL application, create two groups of servers.
1a)- Create a group of servers named NetVault_DMZ_Servers and add the NetVault server and all NetVault clients inside the DMZ to this group.
1b)- Create a group of servers named NetVault_PUBLIC_Servers and add all NetVault clients on the public network outside of the DMZ to this group.
2)- Create a firewall rule that bidirectionally excludes these two groups from NAT and PAT.
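The following is an added example, not part of the original article and not Check Point's own code: a simplified first-match model of a NAT rulebase that shows why the pair of "no NAT" rules between the two NetVault groups must sit above the general Hide NAT rule. Group membership, the 192.0.2.x / 198.51.100.x addresses and the 203.0.113.1 hide address are constructed sample values.

```python
# Added example (not from the original KB article, not Check Point code):
# a first-match model of a NAT rulebase, used to show the effect of the
# bidirectional "no NAT" rules and why their position matters.
# All addresses below are constructed sample values.
from ipaddress import ip_address, ip_network

# Steps 1a / 1b of the article: the two NetVault groups (sample members),
# plus the DMZ subnet and "Any" used by the default Hide NAT rule.
GROUPS = {
    "NetVault_DMZ_Servers": ["192.0.2.10", "192.0.2.11"],
    "NetVault_PUBLIC_Servers": ["198.51.100.20"],
    "DMZ_Net": ["192.0.2.0/24"],
    "Any": ["0.0.0.0/0"],
}

def in_group(ip, group):
    """True if ip matches any host or subnet listed in the named group."""
    return any(ip_address(ip) in ip_network(m, strict=False) for m in GROUPS[group])

# A NAT rule is (original source group, original destination group,
# translated source).  None in the translated column means "Original",
# i.e. the packet leaves with its real address (no NAT / no PAT).
def no_nat_rules(a, b):
    """Step 2 of the article: bidirectional no-NAT pair between groups a and b."""
    return [(a, b, None), (b, a, None)]

HIDE_NAT = ("DMZ_Net", "Any", "203.0.113.1")   # default: hide DMZ behind firewall

def translate(rulebase, src, dst):
    """First matching rule wins; return the source address the peer will see."""
    for orig_src, orig_dst, trans_src in rulebase:
        if in_group(src, orig_src) and in_group(dst, orig_dst):
            return src if trans_src is None else trans_src
    return src  # no rule matched: packet is forwarded untranslated

# Correct placement: the no-NAT pair is evaluated before the Hide NAT rule.
CORRECT = no_nat_rules("NetVault_DMZ_Servers", "NetVault_PUBLIC_Servers") + [HIDE_NAT]
# Wrong placement: Hide NAT matches first and the no-NAT pair never fires.
WRONG = [HIDE_NAT] + no_nat_rules("NetVault_DMZ_Servers", "NetVault_PUBLIC_Servers")

if __name__ == "__main__":
    for name, rb in (("correct order", CORRECT), ("wrong order", WRONG)):
        seen = translate(rb, "192.0.2.10", "198.51.100.20")
        print(f"{name}: public NetVault client sees the DMZ server as {seen}")
```

With the correct order the public client sees the server's real address and can open TCP connections back to it; with the wrong order it only ever sees the hide address, which is exactly the "Drawbacks" situation quoted above.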