Check Point NAT merge examples
For more information on how FortiConverter handles NAT merges, see NAT merge options.
The source configuration hides the host address object Host_172.21.84.202_Hide_Gateway behind the gateway.
It also has a firewall rule that matches the object to source addresses.
FortiConverter generates the following policy, for which NAT is enabled (set nat enable). However, because the policy doesn't specify an IP pool, the source address is translated to the IP address of the outgoing interface:
edit 10002
set srcintf "port2"
set dstintf "port1"
set srcaddr "Host_172.21.84.202_Hide_Gateway"
set dstaddr "Host_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of address hides behind gateway."
set global-label "FW1"
set nat enable
next
When a policy has NAT enabled, it attempts to match a source address to a VIP object. If it finds a match, it performs static NAT using the VIP object. If it doesn't find a match, it uses the interface IP address. (See the next section for an example with a VIP object.)
The source configuration static NAT settings translate the IP address of the host address object Host_172.21.84.203_Static to 210.61.82.160.
It also has a firewall rule that matches the object to source addresses.
FortiConverter generates the following VIP object and policy:
edit "vip-Host_172.21.84.203_Static"
set extip 210.61.82.160
set mappedip 172.21.84.203
set extintf port1
set nat-source-vip enable
next
edit 10003
set srcintf "port2"
set dstintf "port1"
set srcaddr "Host_172.21.84.203_Static"
set dstaddr "Host_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of address with static NAT in source address."
set global-label "FW1"
set nat enable
next
When a policy has NAT enabled, it attempts to match a source address to a VIP object. If it finds a match, it performs static NAT using the VIP object. If it doesn't find a match, it uses the interface IP address. (See Host address hides behind gateway for an example without a VIP object.)
Like the example where static NAT matches the policy source address, the source configuration static NAT settings translate the IP address of the host address object Host_172.21.84.203_Static to 210.61.82.160.
It also has a firewall rule that matches the object to destinations.
FortiConverter generates the following VIP object and policy. The policy replaces the destination address with the VIP object:
edit "vip-Host_172.21.84.203_Static"
set extip 210.61.82.160
set mappedip 172.21.84.203
set extintf port1
set nat-source-vip enable
next
edit 10004
set srcintf "port1"
set dstintf "port2"
set srcaddr "Host_Source"
set dstaddr "vip-Host_172.21.84.203_Static"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of address with static NAT in destination address."
set global-label "FW1"
next
In this case, the destination address is used directly.
A source configuration has a manual NAT rule that translates a source address:
It also has the following firewall rule:
This configuration is a one-to-one mapping because both the original address and translated address are host addresses.
FortiConverter generates the following IP address pool and policy. NAT is enabled for the policy and it uses the pool to perform NAT:
edit "ippool-210.61.82.160"
set endip 210.61.82.160
set startip 210.61.82.160
set type overload
next
edit 10005
set srcintf "port2"
set dstintf "port1"
set srcaddr "Host_172.21.84.204"
set dstaddr "Host_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of one to one source NAT rule."
set global-label "FW1"
set nat enable
set poolname "ippool-210.61.82.160"
next
A source configuration has a manual NAT rule that translates a destination address:
It also has the following firewall rule:
FortiConverter generates the following VIP object and policy:
edit "vip-Host_210.61.82.160"
set extip 210.61.82.160
set mappedip 172.21.84.204
set extintf any
set nat-source-vip enable
next
edit 10007
set srcintf "port1"
set dstintf "port2"
set srcaddr "Host_Source"
set dstaddr "Host_172.21.84.204"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of one to one destination NAT rule."
set global-label "FW1"
next
The translated address is used as the destination address because it is in the internal network.
A source configuration has a host address object Host_172.21.84.203_Static that static NAT translates to 210.61.82.160.
It also has the following firewall rule:
AddressGroup_Destination is a group that contains the members Host_172.21.84.203_Static, Host_Member3, and Host_Member4.
FortiConverter generates the following VIP object and NAT policy:
edit "vip-Host_172.21.84.203_Static"
set extip 210.61.82.160
set mappedip 172.21.84.203
set extintf port1
set nat-source-vip enable
next
edit 110009
set srcintf "port1"
set dstintf "port2"
set srcaddr "Host_Source"
set dstaddr "vip-Host_172.21.84.203_Static"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set global-label "FW1"
next
edit 10009
set srcintf "port1"
set dstintf "port2"
set srcaddr "Host_Source"
set dstaddr "AddressGroup_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of name overlap in destination address."
set global-label "FW1"
next
FortiConverter converts policy 10009 directly from the original firewall rule. Policy 11009 is a copy of policy 10009 with the destination address field changed to vip-Host_172.21.84.203_Static to reflect the static NAT object conversion.
In some cases, the final policy in an output configuration is one that FortiConverter generates from VIP objects that aren't used as a destination address in at least one policy. For example:
edit 001
set srcintf "port1"
set dstintf "any"
set srcaddr "all"
set dstaddr "vip-Host_172.21.84.24" "vip-Host_172.21.84.25" "vip-Host_172.21.84.26"
set service "ALL"
set schedule "always"
set logtraffic all
set status enable
set action deny
set comments "This policy is auto-generated by FortiConverter to activate static-NAT VIPs that aren't referenced in other policies."
next
This type of policy enables the source static NAT mapping by capturing all the VIP objects that other policies don't reference.
In some conversions, FortiConverter generates more than one of this kind of policy – one for each external interface that is referenced by an unreferenced VIP object.
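The source NAT rules stated above (an IP pool if the policy names one, otherwise a VIP with nat-source-vip whose mapped IP is the policy's source host, otherwise the outgoing interface IP) and the search for VIP objects that no policy references as a destination can both be checked mechanically after a conversion. The following script is an added example, not FortiConverter's own code or output: it parses FortiOS CLI snippets of the kind shown on this page and reports both results. The configuration text, including the firewall address objects and the second VIP, is constructed for the example and only reuses the page's object names; the VIP match is simplified to the mapped IP and ignores the extintf check.

```python
"""Added example (not FortiConverter code): parse FortiOS CLI snippets like the
ones on this page, classify each policy's source NAT, and list VIPs that no
policy uses as dstaddr. The CONFIG text is constructed for the example."""
import shlex

CONFIG = """
config firewall address
    edit "Host_172.21.84.202_Hide_Gateway"
        set subnet 172.21.84.202 255.255.255.255
    next
    edit "Host_172.21.84.203_Static"
        set subnet 172.21.84.203 255.255.255.255
    next
    edit "Host_172.21.84.204"
        set subnet 172.21.84.204 255.255.255.255
    next
end
config firewall vip
    edit "vip-Host_172.21.84.203_Static"
        set extip 210.61.82.160
        set mappedip 172.21.84.203
        set nat-source-vip enable
    next
    edit "vip-Host_172.21.84.24"
        set extip 210.61.82.24
        set mappedip 172.21.84.24
        set nat-source-vip enable
    next
end
config firewall policy
    edit 10002
        set srcaddr "Host_172.21.84.202_Hide_Gateway"
        set dstaddr "Host_Destination"
        set nat enable
    next
    edit 10003
        set srcaddr "Host_172.21.84.203_Static"
        set dstaddr "Host_Destination"
        set nat enable
    next
    edit 10004
        set srcaddr "Host_Source"
        set dstaddr "vip-Host_172.21.84.203_Static"
    next
    edit 10005
        set srcaddr "Host_172.21.84.204"
        set dstaddr "Host_Destination"
        set nat enable
        set poolname "ippool-210.61.82.160"
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for a FortiOS CLI snippet."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line)           # honours the double-quoted names
        if not tok:
            continue
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]       # multi-valued keys keep every value
    return tables


def source_nat_mode(policy, vips, addresses):
    """Rule from the page: pool if named, else a VIP whose mapped IP is the
    policy's source host, else the outgoing interface IP."""
    if policy.get("nat") != ["enable"]:
        return "no source NAT"
    if "poolname" in policy:
        return "ip pool " + policy["poolname"][0]
    src_ips = {addresses[a]["subnet"][0] for a in policy["srcaddr"] if a in addresses}
    for name, vip in vips.items():
        if vip.get("nat-source-vip") == ["enable"] and vip["mappedip"][0] in src_ips:
            return "static NAT via VIP " + name
    return "interface IP"


def unreferenced_vips(policies, vips):
    """VIPs never used as a policy dstaddr; the closing deny policy the page
    describes is generated to activate exactly these."""
    used = {a for p in policies.values() for a in p.get("dstaddr", [])}
    return sorted(v for v in vips if v not in used)


def report(text=CONFIG):
    cfg = parse_fortios(text)
    policies, vips = cfg["firewall policy"], cfg["firewall vip"]
    modes = {pid: source_nat_mode(p, vips, cfg["firewall address"])
             for pid, p in policies.items()}
    return modes, unreferenced_vips(policies, vips)


if __name__ == "__main__":
    modes, orphans = report()
    for pid, mode in modes.items():
        print(f"policy {pid}: {mode}")
    print("VIPs not referenced as dstaddr:", orphans)
```

Run against a real converted configuration, the second result is the list you should expect to find in the auto-generated deny policy's dstaddr; any VIP missing from both that policy and the list indicates a mapping that is silently inactive.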
Check Point NAT merge examples with central NAT
Starting with the FOS v6.0.0 release, the central NAT feature was enhanced: you no longer need to add a "set nat enable" clause to each firewall policy, because central NAT runs as a separate functional module.
The source configuration hides the host address object Host_172.21.84.201_Hide_IP behind the IP address 210.61.82.139.
It also has a firewall rule that matches the object to source addresses.
FortiConverter captures the hide NAT IP address 210.61.82.139 in an IP pool:
edit "ippool-210.61.82.139"
set endip 210.61.82.139
set startip 210.61.82.139
set type overload
next
FortiConverter also creates a central NAT object that uses the IP pool:
edit 3
set srcintf "port2" (generated from route information)
set dstintf "port1" (generated from route information)
set orig-addr "Host_172.21.84.201_Hide_IP"
set dst-addr "all"
set nat-ippool "ippool-210.61.82.139"
next
FortiConverter converts the Check Point firewall rule into the following policy:
edit 10001
set srcintf "port2" (generated from route information)
set dstintf "port1" (generated from route information)
set srcaddr "Host_172.21.84.201_Hide_IP"
set dstaddr "Host_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of address hides behind IP."
set global-label "FW1"
next
A source configuration has a manual NAT rule that translates a source address:
Net_172.21.84.0 is a network object with the IP address 172.21.84.0/24.
The configuration also has the following firewall rule, which matches the object to source addresses:
FortiConverter converts many-to-one rules to an IP pool.
For this configuration, FortiConverter generates the following IP pool, central NAT object, and policy:
edit "ippool-210.61.82.130"
set endip 210.61.82.130
set startip 210.61.82.130
set type overload
next
edit 2
set srcintf "port2"
set dstintf "port1"
set orig-addr "Net_172.21.84.0"
set dst-addr "Host_Destination"
set nat-ippool "ippool-210.61.82.130"
next
edit 10006
set srcintf "port2"
set dstintf "port1"
set srcaddr "Net_172.21.84.0"
set dstaddr "Host_Destination"
set service "http" "https"
set schedule "always"
set logtraffic all
set status enable
set action accept
set comments "Example of one to many source NAT."
set global-label "FW1"
next
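With central NAT, the policies above carry no "set nat enable"; whether and how the source address is translated is decided by the central SNAT entries (ids 3 and 2 on this page), which FortiOS evaluates top-down, first match wins. The following script is an added example, not FortiConverter's own code: it models that lookup for the two entries shown. The address-object resolutions, the destination IPs and the list order are constructed for the example; only the object, interface and pool names mirror the page.

```python
"""Added example (not FortiConverter code): first-match evaluation of FortiOS
central SNAT entries like the two on this page. Address resolutions and
destination IPs are constructed; names mirror the page."""
from ipaddress import ip_address, ip_network

# Constructed resolutions of the page's address object names.
ADDRESSES = {
    "all": ip_network("0.0.0.0/0"),
    "Host_172.21.84.201_Hide_IP": ip_network("172.21.84.201/32"),
    "Net_172.21.84.0": ip_network("172.21.84.0/24"),
    "Host_Destination": ip_network("203.0.113.10/32"),  # constructed value
}
# Single-address overload pools, as generated on the page.
IPPOOLS = {"ippool-210.61.82.139": "210.61.82.139",
           "ippool-210.61.82.130": "210.61.82.130"}

# Central SNAT entries in evaluation order (constructed order: 3 before 2).
CENTRAL_SNAT_MAP = [
    {"id": 3, "srcintf": "port2", "dstintf": "port1",
     "orig-addr": "Host_172.21.84.201_Hide_IP", "dst-addr": "all",
     "nat-ippool": "ippool-210.61.82.139"},
    {"id": 2, "srcintf": "port2", "dstintf": "port1",
     "orig-addr": "Net_172.21.84.0", "dst-addr": "Host_Destination",
     "nat-ippool": "ippool-210.61.82.130"},
]


def central_snat_lookup(srcintf, dstintf, src_ip, dst_ip, entries=CENTRAL_SNAT_MAP):
    """Return (entry id, translated source IP) for the first matching entry,
    or None when nothing matches: the policy itself has no 'set nat enable',
    so an unmatched flow leaves with its original source address."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for e in entries:
        if (e["srcintf"], e["dstintf"]) != (srcintf, dstintf):
            continue
        if src in ADDRESSES[e["orig-addr"]] and dst in ADDRESSES[e["dst-addr"]]:
            return e["id"], IPPOOLS[e["nat-ippool"]]
    return None


if __name__ == "__main__":
    flows = [("port2", "port1", "172.21.84.201", "203.0.113.10"),  # hide-NAT host
             ("port2", "port1", "172.21.84.50", "203.0.113.10"),   # rest of /24
             ("port2", "port1", "172.21.84.50", "198.51.100.5"),   # no entry
             ("port1", "port2", "172.21.84.201", "203.0.113.10")]  # wrong direction
    for f in flows:
        print(f, "->", central_snat_lookup(*f))
    # The hide-NAT host is also inside Net_172.21.84.0, so entry order decides
    # which pool it gets; reversing the list changes the answer.
    print("reversed:", central_snat_lookup(*flows[0], entries=list(reversed(CENTRAL_SNAT_MAP))))
```

The last call is the check worth keeping after a conversion: when a host-specific hide rule and a network-wide rule cover the same interface pair, the order FortiConverter emits them in determines which pool the overlapping host uses, and a review of the central SNAT map should confirm the more specific entry sits first.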