
RE: [FW1] what occurs first NAT or RULEBASE



Eric,

This is great, however you are missing the element of routing, which I think
needs to be in the equation, since it could potentially cause serious problems,
especially in HA scenarios where traffic might end up flowing out a non-shared
interface and you can end up with a problem you will troubleshoot for a long
time. Also, you are missing the piece of automatic Static NAT, which is handled
as a property at the rulebase level.

You are right about checkpoint's manuals. I posted a kind of a detailed
summary last Friday, in a discussion with Frank. You might want to look at
it.

George

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, June 26, 2001 3:29 PM
To: [email protected]
Subject: RE: [FW1] what occurs first NAT or RULEBASE




HI,

I know that the correct answer to this topic has already been published, but
somehow this must have been a little confusing to some people. The wrong answer
was at least published at
http://securityportal.com/topnews/weekly/checkpoint.html in their weekly Check
Point rundown of the 25th of June.


NAT DOES NOT HAPPEN FIRST!!!! (normally)

This is thoroughly described in Chapter 14 (pages 425-475) of The Security
Admin Guide to Firewall-1 CP2000. The descriptions in this chapter should cover
this in detail, but in short: Check Point has three different NAT modes: Static
Destination, Static Source and HIDE. They work as follows:

1. HIDE
   Client initiates communication --> Inspected by Firewall (both Inbound and
   Outbound) --> Packet gets translated (Source hidden) --> Leaves Gateway.
   (NAT IS THE LAST THING THAT HAPPENS)

2. Static Destination
   Client initiates communication --> Inspected by Firewall (both Inbound and
   Outbound) --> Packet gets translated (Destination address is translated)
   --> Leaves Gateway. (NAT IS THE LAST THING THAT HAPPENS)

3. Static Source
   Client initiates communication --> Inspected by Firewall (both Inbound and
   Outbound) --> Packet gets translated (Source address is translated) -->
   Leaves Gateway. (NAT IS THE LAST THING THAT HAPPENS)


NB! Reply packets are translated before they enter the gateway. This means
that the setup will have an impact on Anti-Spoofing rules.

This statement (which was published at SecurityPortal) is misleading and
totally wrong:

"You truly don't allow inbound traffic to the Public IP.. you allow inbound
traffic to the object, which should have a private IP as its IP and a
public IP as its NAT.. Think of it also as, it NATs first since you have
to route to the private IP.. always NAT first inbound, last outbound."



If NAT was the first thing that happened within the gateway you would NOT
need to add a Host Route pointing the external address to the internal one.
Routing happens within the operating system after the packet leaves the
Firewall-1 inbound inspection; if the packet were already translated there
would be no need to tell the OS that the external address is on the inside
(which would then have been wrong). And if you manually define the rules you
HAVE TO add a rule to accept communication to the external (or public) address.


/erik
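The order Erik describes (inbound inspection first, OS routing on the still-untranslated public address, translation last) and the NB about replies can be made concrete with a small simulation. The following is an added example, not code from the thread or from Check Point; the addresses (203.0.113.10, 10.1.1.10, 198.51.100.7), the interface names eth0-external/eth1-internal, the rule format, the routing tables and the anti-spoofing topology are all constructed. It goes slightly beyond the message by running the same packet through both the order Erik describes and the NAT-first order the SecurityPortal quote claims, so the difference in which rule matches and which interface the OS picks is visible.

```python
"""Toy model of the packet order described in the thread: on inbound,
FireWall-1 inspects against the rulebase first, the OS routes on the address
it is handed (still the public one), and translation happens last.  Added
example for illustration only; not Check Point code.  All addresses,
interface names, rules and topology entries below are constructed."""

import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    src: str      # exact IPv4 address or "any"
    dst: str      # exact IPv4 address or "any"
    action: str   # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return self.src in ("any", pkt.src) and self.dst in ("any", pkt.dst)


# Constructed: a web server object with a private IP and a public (NAT) IP.
PUBLIC_IP = "203.0.113.10"
PRIVATE_IP = "10.1.1.10"
CLIENT_IP = "198.51.100.7"

STATIC_DST_NAT = {PUBLIC_IP: PRIVATE_IP}                    # inbound: public -> private
STATIC_SRC_NAT = {v: k for k, v in STATIC_DST_NAT.items()}  # replies: private -> public

# Constructed routing tables, without and with the host route the message says
# you must add so the OS sends traffic for the public address inward.
ROUTES_NO_HOST_ROUTE = {"10.1.1.0/24": "eth1-internal", "0.0.0.0/0": "eth0-external"}
ROUTES_WITH_HOST_ROUTE = {**ROUTES_NO_HOST_ROUTE, PUBLIC_IP + "/32": "eth1-internal"}


def inspect_rulebase(pkt: Packet, rules: list) -> str:
    """Rulebase: first match wins; no match means the implicit drop."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "drop"


def route(pkt: Packet, routes: dict) -> str:
    """OS routing: longest-prefix match on the destination the OS is handed."""
    dst = ipaddress.ip_address(pkt.dst)
    candidates = [ipaddress.ip_network(p) for p in routes if dst in ipaddress.ip_network(p)]
    return routes[str(max(candidates, key=lambda n: n.prefixlen))]


def inbound_fw1(pkt: Packet, rules: list, routes: dict):
    """Order the message describes: inspect -> route -> translate -> leave.
    Returns (action, egress interface, packet as it leaves)."""
    action = inspect_rulebase(pkt, rules)        # rulebase sees the PUBLIC destination
    if action != "accept":
        return action, None, None
    egress = route(pkt, routes)                  # OS also still sees the PUBLIC destination
    out = replace(pkt, dst=STATIC_DST_NAT.get(pkt.dst, pkt.dst))   # NAT last
    return action, egress, out


def inbound_nat_first(pkt: Packet, rules: list, routes: dict):
    """The order the SecurityPortal quote claims: translate -> inspect -> route."""
    t = replace(pkt, dst=STATIC_DST_NAT.get(pkt.dst, pkt.dst))
    action = inspect_rulebase(t, rules)          # rulebase would see the PRIVATE destination
    if action != "accept":
        return action, None, None
    return action, route(t, routes), t


def reply_enters_gateway(pkt: Packet, ingress_iface: str, topology: dict):
    """Per the NB: the reply's source is translated back to the public address
    before the gateway sees it, so anti-spoofing on the ingress interface is
    checked against the public address, not the server's real one.
    Returns (passes anti-spoofing, packet as the gateway sees it)."""
    t = replace(pkt, src=STATIC_SRC_NAT.get(pkt.src, pkt.src))
    src = ipaddress.ip_address(t.src)
    ok = any(src in ipaddress.ip_network(n) for n in topology[ingress_iface])
    return ok, t


if __name__ == "__main__":
    pkt = Packet(CLIENT_IP, PUBLIC_IP)
    on_private = [Rule("any", PRIVATE_IP, "accept")]
    on_public = [Rule("any", PUBLIC_IP, "accept")]
    print("rule on private IP, FW-1 order   :", inbound_fw1(pkt, on_private, ROUTES_WITH_HOST_ROUTE)[0])
    print("rule on private IP, NAT-first    :", inbound_nat_first(pkt, on_private, ROUTES_WITH_HOST_ROUTE)[0])
    print("rule on public IP, no host route :", inbound_fw1(pkt, on_public, ROUTES_NO_HOST_ROUTE)[1])
    print("rule on public IP, host route    :", inbound_fw1(pkt, on_public, ROUTES_WITH_HOST_ROUTE)[1])
    reply = Packet(PRIVATE_IP, CLIENT_IP)
    print("reply, internal iface lists only 10.1.1.0/24:",
          reply_enters_gateway(reply, "eth1-internal", {"eth1-internal": ["10.1.1.0/24"]})[0])
```

Two things the run makes visible: a manually written rule that names the private address never matches in the FW-1 order, which is exactly why Erik says you HAVE TO accept traffic to the public address; and without the host route the OS sends the still-public destination out the default (external) interface, which is the wrong-interface trap George raises for HA setups. The last line shows the reply-side effect of the NB: the internal interface's valid-address list has to include the public address or the translated reply fails anti-spoofing.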


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.