RE: [FW1] what occurs first NAT or RULEBASE
Eric,

This is great, however you are missing the element of routing, which I think needs to be in the equation, since it could potentially cause serious problems, especially in HA scenarios where traffic might end up flowing out a non-shared interface and you can end up with a problem you will troubleshoot for a long time.

Also, you are missing the piece of automatic Static NAT, which is handled as a property at the rulebase level.

You are right about Check Point's manuals. I posted a kind of detailed summary last Friday, in a discussion with Frank. You might want to look at it.

George

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, June 26, 2001 3:29 PM
To: [email protected]
Subject: RE: [FW1] what occurs first NAT or RULEBASE

Hi,

I know that the correct answer to this topic has already been published, but somehow this must have been a little confusing to some people. The wrong answer was at least published at http://securityportal.com/topnews/weekly/checkpoint.html in their weekly Check Point rundown on the 25th of June.

NAT DOES NOT HAPPEN FIRST!!!! (normally)

This is thoroughly described in Chapter 14 (pages 425-475) of The Security Admin Guide to Firewall-1 CP2000. The descriptions in this chapter should cover this in detail, but to put it shortly:

Check Point has three different NAT modes: Static Destination, Static Source and HIDE. They work as follows:

1. HIDE
   Client initiates comm. --> Inspected by Firewall (both Inbound and Outbound) --> Packet gets translated (Source Hidden) --> Leaves Gateway.
   (NAT LAST THING THAT HAPPENS)

2. Static Destination
   Client initiates comm. --> Inspected by Firewall (both Inbound and Outbound) --> Packet gets translated (Destination address is translated) --> Leaves Gateway.
   (NAT LAST THING THAT HAPPENS)

3. Static Source
   Client initiates comm. --> Inspected by Firewall (both Inbound and Outbound) --> Packet gets translated (Source Address is translated) --> Leaves Gateway.
   (NAT LAST THING THAT HAPPENS)

NB! Reply packets are translated before they enter the gateway. This means that the setup will have an impact on Anti-Spoofing rules.

This statement (which was published at SecurityPortal) is misleading and totally wrong:

"You truly don't allow inbound traffic to the Public IP.. you allow inbound traffic to the object, which should have a private IP as its IP and a public IP as its NAT.. Think of it also as, it NAT's first since you have to route to the private IP.. always NAT first inbound, last outbound."

If NAT were the first thing that happened within the gateway you would NOT need to add a Host Route pointing the external address to the internal one. Routing happens within the operating system after the packet leaves the Firewall-1 inbound inspection; if the packet were already translated there would be no need to tell the OS that the external address is on the inside (which would then have been wrong). And if you manually define the rules you would HAVE TO add a rule to accept communication to the external (or public) address.

/erik

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
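The order of operations Erik describes, as an added example that is not code from the thread or from Check Point: a toy Python model of an inbound connection to a statically translated host (inspection on the untranslated packet, OS routing on the still-untranslated destination, translation last), followed by the reply direction. It shows why a manually written rule must name the public address, why the host route for the public address is needed, and why the reply path touches anti-spoofing. The addresses, interface names, rules, and the reading of "reply packets are translated before they enter the gateway" as "the reply's source is mapped back to the public address before the internal interface's anti-spoofing check sees it" are all assumptions made here for illustration.

```python
"""Toy model of the FireWall-1 4.x order of operations described in the thread.

Added example, not Check Point code.  Pipeline modelled for a connection from
the Internet to a statically translated server:

    inbound inspection (untranslated) -> OS routing (untranslated dst)
    -> translation, last -> packet leaves the gateway

All addresses, interfaces and rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR, or "any"
    dst: str      # CIDR, or "any"
    action: str   # "accept" or "drop"


def _in(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def inspect(pkt, rulebase):
    """First matching rule wins; implicit drop if nothing matches."""
    for r in rulebase:
        if _in(pkt.src, r.src) and _in(pkt.dst, r.dst):
            return r.action
    return "drop"


def route(dst, routes):
    """Longest-prefix match over {cidr: interface}; None if no route."""
    best = None
    for cidr, iface in routes.items():
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def inbound_connection(pkt, rulebase, static_nat, routes):
    """Client -> gateway -> server.  Returns (verdict, egress_iface, packet_on_wire)."""
    # 1. Inspection sees the packet as it arrived: the PUBLIC destination address.
    verdict = inspect(pkt, rulebase)
    if verdict != "accept":
        return verdict, None, None
    # 2. The OS routes the still-untranslated destination, so it needs a host
    #    route for the public address pointing at the inside interface.
    egress = route(pkt.dst, routes)
    # 3. Translation happens last, on the way out.
    translated = Packet(pkt.src, static_nat.get(pkt.dst, pkt.dst))
    return verdict, egress, translated


def reply_packet(pkt, static_nat, valid_addresses_by_iface, ingress):
    """Server -> gateway -> client (assumed reading of the thread's NB).

    The reply's source is mapped back to the public address before inspection,
    so anti-spoofing on the internal interface sees the PUBLIC address and the
    interface's valid-address list must include it.  Returns (packet_as_seen, spoofed).
    """
    reverse = {private: public for public, private in static_nat.items()}
    seen = Packet(reverse.get(pkt.src, pkt.src), pkt.dst)
    spoofed = not any(_in(seen.src, net) for net in valid_addresses_by_iface[ingress])
    return seen, spoofed


# Constructed topology: eth0 faces the Internet, eth1 faces the inside.
STATIC_NAT = {"203.0.113.10": "10.1.1.10"}          # public -> private
ROUTES_NO_HOST_ROUTE = {"0.0.0.0/0": "eth0", "10.1.1.0/24": "eth1"}
ROUTES_WITH_HOST_ROUTE = {**ROUTES_NO_HOST_ROUTE, "203.0.113.10/32": "eth1"}
CLIENT = "198.51.100.7"


def demo():
    pkt = Packet(CLIENT, "203.0.113.10")
    private_only = [Rule("any", "10.1.1.10/32", "accept")]     # never matches inbound
    public = [Rule("any", "203.0.113.10/32", "accept")]        # what is actually needed
    reply = Packet("10.1.1.10", CLIENT)
    return {
        "rule_on_private": inbound_connection(pkt, private_only, STATIC_NAT, ROUTES_NO_HOST_ROUTE),
        "no_host_route": inbound_connection(pkt, public, STATIC_NAT, ROUTES_NO_HOST_ROUTE),
        "host_route": inbound_connection(pkt, public, STATIC_NAT, ROUTES_WITH_HOST_ROUTE),
        "reply": reply_packet(reply, STATIC_NAT, {"eth1": ["10.1.1.0/24"]}, "eth1"),
        "reply_fixed": reply_packet(reply, STATIC_NAT, {"eth1": ["10.1.1.0/24", "203.0.113.10/32"]}, "eth1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the three points from the thread in order: the rule written against the private address drops the inbound packet, the accepted packet without a host route is routed back out eth0 because the OS still sees the public address, and with the /32 host route it leaves eth1 and only then carries the private destination. The two reply cases show the anti-spoofing consequence under the stated reading: the internal interface's valid addresses have to include the public address or the reply is flagged as spoofed.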