Checkpoint help needed

  1. #1
    Member
    Join Date
    Feb 2003
    Posts
    35


    Are there any Checkpoint gurus out there? I've just begun managing a checkpoint box (NG on a Nokia IP330) and am having some troubles tweaking NAT. So, I'm looking for some sagely advice.

    Right now I have a number of networks behind my firewall, as well as one DMZ hanging off its own interface (the box has three interfaces--LAN, WAN and DMZ). I have NAT working (all my networks are in hide mode), but packets traveling from my LAN to my DMZ are being NATted and have the source address of the DMZ's default gateway (in other words, the DMZ interface IP address). This is only causing me problems because my DMZ IDS sensor sees everything originating from my LAN as coming from the same IP address. This hides which actual IP flagged the alert. Is there any way that I can turn off NAT on all the individual networks and only NAT those packets that leave through my WAN interface? I don't want to NAT the LAN to the DMZ. I had all of this working fine back in the good old days of iptables. But, since using Checkpoint and having the Dashboard build my rules, I cannot find where to tweak my NAT settings. Help me, someone, please.

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    If I remember (haven't been near Checkpoint for a while though), if you apply a hide NAT rule to a network then the NAT rule will apply whenever traffic leaves that network, so you are always going to see traffic from the LAN to DMZ originating from one IP address.

    However, a way around this would first be to prevent the internal LAN from accessing the machines in the DMZ, as this is often not required (usually only admins are going to access the DMZ boxes). Then set up individual access rules for admins depending on which boxes they need to access - i.e. your webserver admin can access the web server etc. - and set up rules for each of those, which will make it easy to track what goes into your DMZ from the LAN.

    Everyone else just needs access to the internet (assuming you want to give them it) and not the DMZ.

    It might be useful if you could provide some more details on your network, size etc... to see if this is going to be viable.

    Although, come to think of it, do you even need to use NAT between the DMZ and the LAN? Couldn't you just set up the appropriate routes, set up the objects in the firewall and allow straight access between the two segments? (If you want everyone on the LAN to access the DMZ, that is.)
    Quis custodiet ipsos custodes

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    Have you checked out Phoneboy's webpage? I find that this is the number 1 source for all Checkpoint related problems...

    http://www.phoneboy.com/fom-serve/cache/1.html

    and his new upcoming site:

    http://blog.phoneboy.com/
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ. I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    115
    What I've done in the past by policy is that internal addresses are not allowed, but admins would have a static route to the DMZ zone. Check out icsalab for the firewall-wizards list; lots of Nokia sage members there.

    -w0rm3y

  5. #5
    Member
    Join Date
    Feb 2003
    Posts
    35
    Thanks for all the help, but nothing I have tried so far has worked (OK, I haven't really had enough quality time to sit down and tackle this head-on yet), but here are my thoughts:

    1) Unfortunately I have more than a few services running in the DMZ that both LAN and WAN users need access to (mailgateways, web apps, etc). Really, all my LAN users have the same basic access to the boxes in the DMZ that they do to the internet (http, https, smtp, etc.).

    2) There are static routes set from the LAN to the DMZ on the Nokia router, but if I do not set some sort of NAT rules on the LAN object in the Dashboard I get no internet connectivity for my LAN at all. I've tried using both hide and static, and setting up my own NAT rules in the Dashboard, but none have the effect I want (which is to not NAT LAN to DMZ traffic). If I apply NAT to the LAN object, it NATs the traffic no matter what its destination, hiding behind whatever interface it leaves, instead of hiding behind selective interfaces. Maybe I'm just not looking deep enough into this.

    3) In iptables I was able to set my NAT rules based on post-routing packet mangling, meaning that the firewall did not apply the address translation until routing decisions had been made and the packet was leaving a specific interface. With this I could make a rule that said something like the following: "only NAT traffic leaving the WAN interface (eth-whatever), regardless of its source." I'd like to do the same with Checkpoint, but as far as I can see, NAT rules apply to objects, be those objects networks or hosts. The NAT rules do not seem to apply to interfaces. It should be very simple to write a rule that says, "If traffic goes from the LAN to the DMZ, don't apply NAT and route it regularly. If it goes from the LAN to the WAN, then go ahead and apply NAT." But I can't figure out how the heck to do that yet. I'll admit: I'm pretty green with Checkpoint, but in truth, I'm missing the good old days of iptables scripting. I'm beginning to hate this Dashboard GUI.

    4) Like I stated earlier, my firewall runs perfectly well as a firewall. I don't want to change my firewall policy. I want to change the behavior of NAT, since my current NAT rules are screwing with my IDS. Because of this NAT problem I am either getting 2 alerts (one from the true source, and then one from the same source with a NATted address), or I am getting all my alerts coming from the same NATted address. I'd hate to not be able to monitor LAN to DMZ traffic, or to have to deal with double alerts for every alert an internal host sets off.

    Thanks for all the help thus far guys.

  6. #6
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    tolstoy, it's almost a year since I saw such a firewall from close, but I think it works as follows:
    Checkpoint rules are checked in rulebase order, therefore you can limit the NAT to a certain eth interface. You should set the internal network rule first (not to do a NAT when going to the DMZ).
    Let's say 'net-a' is a group with your internal net and your DMZ; set this to be source: net-a, destination: net-a, service: any (for the original).
    Set translated to:
    source: Orig, destination: Orig, service: Orig
    Then you should add a second rule to NAT your net-a traffic to the WAN interface, otherwise you will lose all internet connectivity.
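
    The rule ordering Vic describes above, and the interface-based behaviour tolstoy asks about in post #5, can be shown with a small model of a first-match NAT rulebase. This is an added example, not code from the thread or from Check Point; the addresses, interface names and routes are constructed, and "hide" is modelled as the thread describes it (hide behind the address of whichever interface the packet leaves on).

    ```python
    from dataclasses import dataclass
    from ipaddress import ip_address, ip_network

    # Constructed topology (assumption; the thread gives no addresses).
    LAN = ip_network("10.1.0.0/16")
    DMZ = ip_network("192.168.100.0/24")
    ANY = ip_network("0.0.0.0/0")

    # Address of each firewall interface. Hide NAT uses the address of
    # the egress interface, which is why LAN -> DMZ traffic showed up as
    # the DMZ default gateway in the original post.
    IFACE_IP = {
        "lan": ip_address("10.1.0.1"),
        "dmz": ip_address("192.168.100.1"),
        "wan": ip_address("203.0.113.2"),
    }

    # Static routes, most specific first; the default route goes to WAN.
    ROUTES = [(LAN, "lan"), (DMZ, "dmz"), (ANY, "wan")]


    def egress_interface(dst):
        """Return the interface the packet leaves on (routing decision)."""
        for net, iface in ROUTES:
            if dst in net:
                return iface
        raise ValueError("no route")  # unreachable with a default route


    @dataclass
    class NatRule:
        name: str
        src: list    # original source networks (Checkpoint objects/groups)
        dst: list    # original destination networks
        hide: bool   # True: hide behind egress interface; False: Orig/Orig/Orig

        def matches(self, src, dst):
            return any(src in n for n in self.src) and any(dst in n for n in self.dst)


    def translate_source(rules, src, dst):
        """First-match evaluation, top to bottom, like the Dashboard NAT rulebase.

        Returns (translated source address, name of the rule that matched).
        """
        for rule in rules:
            if rule.matches(src, dst):
                if rule.hide:
                    return IFACE_IP[egress_interface(dst)], rule.name
                return src, rule.name          # "Orig": no translation
        return src, "no match"


    # 'net-a' = internal net + DMZ, as in Vic's description.
    NET_A = [LAN, DMZ]
    NO_NAT = NatRule("net-a -> net-a, translated Orig/Orig/Orig", NET_A, NET_A, hide=False)
    HIDE_LAN = NatRule("hide LAN (Dashboard-generated hide rule)", [LAN], [ANY], hide=True)

    WORKING = [NO_NAT, HIDE_LAN]   # no-NAT rule first, hide rule below it
    BROKEN = [HIDE_LAN, NO_NAT]    # hide rule first shadows the no-NAT rule entirely


    def sources_seen_in_dmz(rules, flows):
        """Source addresses a DMZ IDS sensor would record for LAN -> DMZ flows."""
        return sorted({str(translate_source(rules, s, d)[0]) for s, d in flows if d in DMZ})


    # Constructed sample flows: two LAN hosts to a DMZ server, one LAN host to the internet.
    FLOWS = [
        (ip_address("10.1.5.7"), ip_address("192.168.100.10")),
        (ip_address("10.1.9.3"), ip_address("192.168.100.10")),
        (ip_address("10.1.5.7"), ip_address("198.51.100.9")),
    ]

    if __name__ == "__main__":
        for label, rules in (("working order", WORKING), ("broken order", BROKEN)):
            print(f"--- {label} ---")
            for s, d in FLOWS:
                t, why = translate_source(rules, s, d)
                print(f"{s} -> {d}: seen as {t}  [{why}]")
            print("DMZ sensor sees sources:", sources_seen_in_dmz(rules, FLOWS))
    ```

    With the no-NAT rule on top, LAN hosts reach the DMZ with their real addresses and only traffic routed out of the WAN interface is hidden; with the rules reversed, every LAN-to-DMZ flow collapses to the DMZ interface address, which is exactly the IDS symptom described in post #1.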

  7. #7
    Member
    Join Date
    Feb 2003
    Posts
    35
    Thanks Vic, worked like a charm. I had thought to take rule precedence into account, but I never thought to make a NAT rule that actually specified no NAT at all. Like you suggested, my top-most rule specifies source=orig, orig=dest (no translation) and my bottom-most rules are Checkpoint generated (by using their hide mode). Awesome. Thank you.
