Thursday, January 27, 2011

Checkpoint UTM Firewall Clusters Part 4 - NoNAT Rules

   Cisco ASA administrators will be well familiar with noNAT rules... those NAT ACLs listed under NAT 0. It's a similar configuration for the Checkpoint. Using the network groups I created in part 2 of this series,
Checkpoint UTM Firewall Clusters Part 2: Anti-Spoofing

One can create individual NoNAT rules like so:

To prevent NATing between the corp_net ( and the DMZ, you can create a pair of rules (make sure they are above your implied rules!):

Of course, you might want to avoid any NATing between internal VLANs/subnets. Using our previously created simple group, inside_networks (it contains corpnet, eng_net, qa_net, and router net):

That should do it.

Checkpoint UTM Firewall Clusters Part 3 - Overloading NAT and PAT, Proxy Arp

   In this instance, we're going to cover a 1 to 1 NAT (a bi-NAT) and an overload of a single port for the same address. Refer to the first part in this series to get a better idea of the topology:
Checkpoint UTM Firewall Clusters Part 1

In this case, we have a web host ( and an SSH server ( in the DMZ. We want to create a 1 to 1 NAT (outside address 10.10.80) for the web host, but we also want port 3322 on the outside address to NAT to port 22 on the SSH server. Here's a diagram:

You will note that I left out some of the infrastructure in this drawing - simply for clarity.
    Anyway, we should create a host node for the web server, set up the NAT, and then create the NAT rule to override port 3322 on the same external address.

1. Create the node:

2. Now, set the NAT on external address

3. Now, create an override rule for the SSH server (we just created a node for the external address, the internal ssh address, as well as a new TCP object - port 3322):
 Here's the override:

4. We'll follow up by adding a rule to allow traffic in on the firewall. This requires 1 rule:

That's basically it. If you do not have a static entry, but have a bunch of PATs, you'll notice that the firewall will not automatically proxy arp for the external address. This can be fixed by using the method above for a single 1 to 1  NAT or by editing local.arp on each firewall. This file is in $FWDIR.

Checkpoint UTM Firewall Clusters Part 2 - Anti-Spoofing

The first problem I ran into with the Checkpoints is the built in anti-spoofing technology. Refer to my last post to get a sense of the topology: Checkpoint UTM Firewall Clusters Part 1

Here's the diagram again:

Anyway, the problem is internal routes. In my example, I have a layer 3 switch handling internal routing. The steps are:

1. Log into each Checkpoint cluster member and add static routes. You can use either ssh with the sysconfig utility, or use a web browser and go to each firewall (typically port 4434.) In this example case, you'll add:

subnet netmask gateway

Note that is the layer 3 switch.

2. Create subnet objects for each of the internal networks/VLANs.

Ignore CP_default_Office, it's part of the demo network config.

3. If you look at the cluster interface topology, you'll see:

And if we drill down further:

And further into the internal interface (where our corp, eng, QA, and colo interfaces reside behind:

And now to the "Topology tab"

Topology anti-spoofing config

This configuration will block the eng, qa, and corp subnets. Depending on the configuration, the Co-Lo net may never need to talk to anything that the firewall manages (DMZ1, etc.) But, better safe than sorry.
4. Create a simple group and include all four subnets:

5. Now, go back to the topology anti-spoofing config in step 3 and modify it to use the group you created.

There, anti-spoofing should work correctly. Make sure NAT is configured properly!

Checkpoint UTM Firewall Clusters Part 1

    I recently spent some time setting up a Checkpoint Firewall cluster using UTM firewall appliances. I'm going to post several configuration tips I learned the hard way. I did not find the documentation to be all that useful, though I was in a bit of a rush, so I might have missed something.
   Anyway, I'm laying out the topology in this post. Here are our nets:

Interface NameSubnetComments
ext10.10.10.0/24external network
int192.168.5.0/24router net
LAN1172.31.24.0/28sync network
LAN2172.31.23.0/24network management subnet
N/A192.168.6.0/23Corporate LAN (behind L3 switch)
N/A192.168.8.0/23Engineering LAN (behind L3 switch)
N/A192.168.10.0/23QA LAN (behind L3 switch)
N/A172.17.16.0/22subnet from CO-LO - from VPN tunnel

Note that there is a layer 3 switch behind the inside interface on the Checkpoint cluster, and that at least three VLAN/subnets are behind that switch. Note that there is an IPSec tunnel to the co-lo facility, and that tunnel terminates on the L3 switch in the router network (the endpoint is
Here is a simple diagram of the configuration: