Check Point NG AI
FW-1 has some global NAT settings that affect the firewall's behavior. To access these settings, open SmartDashboard and select Policy | Global Properties, then select NAT - Network Address Translation, shown in Figure 5.13.
A new feature to FW-1 is automatic ARP configuration. This feature eliminates the need for manual ARP entries. When enabled, via the NAT tab in global policy properties, FW-1 will automatically create ARP entries for all required addresses. This includes single IP addresses and address ranges, but applies only to automatic NAT.
Note: in earlier versions (pre-FP3), automatic ARP did not work with clusters. In NG AI, automatic ARP only works with ClusterXL implementations, not with third-party implementations such as Nokia IPSO's VRRP.
The Automatic rules intersection setting, when checked, will apply when there is more than one automatic NAT rule that applies in any given situation. Automatic rules intersection means that in this case the firewall will combine or intersect the rules, thereby applying them both. When this box is not checked, the firewall will only apply the first matching NAT rule, and will ignore any subsequent matching rules.
For example, if a packet matches one translation rule's source and another rule's destination, the firewall would translate both the source and the destination.
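The following is an added illustration, not code from the book or from Check Point, that models the two behaviors described above. It assumes a constructed two-rule automatic NAT policy (a hide rule for the internal LAN and a static rule publishing a DMZ server) using RFC 1918 and RFC 5737 documentation addresses, and shows how the same packet is translated with Automatic rules intersection on and off:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    """One automatic NAT rule: match on the original addresses, rewrite src and/or dst."""
    name: str
    orig_src: str             # CIDR the original source must fall in
    orig_dst: str             # CIDR the original destination must fall in
    xlate_src: Optional[str]  # new source address, or None to leave it unchanged
    xlate_dst: Optional[str]  # new destination address, or None to leave it unchanged

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.orig_src)
                and ip_address(dst) in ip_network(self.orig_dst))


def translate(rules: List[NatRule], src: str, dst: str,
              intersect: bool) -> Tuple[str, str, List[str]]:
    """Return (translated src, translated dst, names of the rules applied).

    Rules are matched against the ORIGINAL addresses, in policy order.
    intersect=False: the first matching rule is applied and later matches are ignored.
    intersect=True:  every matching rule is applied; for each address the first rule
                     that translates it wins, so the source from one rule and the
                     destination from another are combined.
    """
    new_src, new_dst, applied = src, dst, []
    for rule in rules:
        if not rule.matches(src, dst):
            continue
        touched = False
        if rule.xlate_src is not None and new_src == src:
            new_src, touched = rule.xlate_src, True
        if rule.xlate_dst is not None and new_dst == dst:
            new_dst, touched = rule.xlate_dst, True
        if touched:
            applied.append(rule.name)
        if not intersect:
            break          # first matching rule wins, remaining rules are ignored
    return new_src, new_dst, applied


# Constructed sample policy (documentation addresses, not a real deployment):
#   HIDE_LAN   hides the internal LAN behind the firewall's external address
#   STATIC_WEB publishes a DMZ web server on a public address (static NAT)
RULES = [
    NatRule("HIDE_LAN", "10.1.1.0/24", "0.0.0.0/0", "192.0.2.1", None),
    NatRule("STATIC_WEB", "0.0.0.0/0", "192.0.2.10/32", None, "10.2.2.10"),
]

if __name__ == "__main__":
    pkt = ("10.1.1.5", "192.0.2.10")   # LAN host connecting to the published server
    for flag in (False, True):
        print("intersection", "on " if flag else "off", translate(RULES, *pkt, flag))
```

With intersection off, only HIDE_LAN fires and the packet is sent toward the untranslated public address; with intersection on, the source is hidden and the destination is rewritten to the real DMZ address in the same pass.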
When Perform destination translation on the client side is checked, the firewall will perform static destination mode NAT on the client side of the connection, as opposed to the server side. With this option enabled, the need to add static host routes on the firewall is eliminated since address translation will take place before routing.
Automatic ARP configuration eliminates the need to configure ARP entries manually on the firewall, as discussed in the routing and ARP sections. This applies only to automatic NAT, not to manual NAT rules. This setting causes the firewall to automatically generate ARP entries for all configured translated IP addresses, enabling the firewall to respond to ARP requests for those addresses. This occurs on the firewall module that is enforcing the translation policy, and you can view the ARP entries the firewall is generating with the command fw ctl arp.
Previous versions of FW-1 performed destination mode NAT on the server side of the firewall. This sometimes created routing and anti-spoofing issues. As a result, this version of FW-1 defaults to handling destination mode NAT on the client end, unless you are upgrading from a previous version of FW-1, in which case it defaults to server side.