[Repost] Checkpoint Manual NAT ARP Proxy

Not every administrator will have hit this with Check Point firewalls, but whenever a manual NAT rule has to be created, the same problem tends to come up: the gateway does not answer ARP requests for the translated address until Proxy ARP is configured for it.

Check Point's sk30197 collects the relevant information about Proxy ARP.

Configuration Steps:

This configuration is based on two steps:

  1. Layer2-to-Layer3 matching (IP address of the internal host and MAC address of the external interface)
  2. Nat Rules

Step 1 – Layer2-to-Layer3 matching

  1. Using console or SSH access to the Security Gateway, in Expert mode, check whether the file already exists:
    1. (Expert@myfirewall)# ls $FWDIR/conf/local.arp

      If the result is "ls: /opt/CPsuite-R75.20/fw1/conf/local.arp: No such file or directory", create a new file; otherwise skip to step 2.

    2. (Expert@myfirewall)# touch $FWDIR/conf/local.arp
  2. Edit the file with the command:

    (Expert@myfirewall)# vi $FWDIR/conf/local.arp

    172.16.5.20    00:B4:F3:A8:C1:33


    A brief summary of the vi editor

    To return to command mode in vi, press ESC

    i – Insert text before the cursor

    a – Insert text after the cursor

    I – Insert text at the beginning of the current line

    A – Insert text at the end of the current line

    o – Open a new line below the current line

    O – Open a new line above the current line

    x – Delete the character under the cursor

    To save the file and quit: ESC :wq


The contents of this file differ between a single gateway and a cluster:

    Single Gateway

IP of the published host         MAC address of the external interface

Example:

Consider the topology from the original screenshots (not reproduced here): a gateway with two public IPs and an internal FTP server that has to be published.

Create the objects:

  1. Firewall external IP address
  2. FTP Server

Before the Stealth rule, create a rule allowing FTP access to the gateway (in this example there are only two public IPs).

In the NAT tab, create a manual NAT rule publishing FTPServer.

In SmartDashboard → Policy → Global Properties, NAT section, check the option "Merge manual proxy ARP configuration".


Automatic ARP Configuration is enabled by default – it ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Security Gateway.

Merge manual proxy ARP configuration merges the Automatic and Manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in the $FWDIR/conf/local.arp file, and ‘Automatic ARP configuration‘ is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NATed IP address appears in both), then the manual configuration is used.

If ‘Automatic ARP configuration‘ is enabled, but ‘Merge manual proxy ARP configuration‘ is not enabled, then the Security Gateway ignores the entries in the $FWDIR/conf/local.arp file.

Check the box “Translate destination on client side“.

Translate destination on client side is enabled by default – it applies to packets originating at a client with the server as their destination. Static NAT for the server is then performed on the client side of the Security Gateway, i.e. on the interface where the packet enters and before routing, so no extra route for the translated address is needed to reach the internal server.


Cluster Configuration

In a cluster configuration the syntax of the local.arp file changes to the following (one line per cluster member for each published host):

IP_address_of_Host_1_that_should_be_published MAC_address_of_member’s_physical_interface_on_External_network IP_address_of_member’s_physical_interface_on_External_network


For more information about the cluster configuration, read sk30197.


Troubleshooting

If Proxy ARP still fails, see sk25851 for troubleshooting.


[Command] fw monitor

What distinguishes fw monitor is that it can analyze traffic both before the firewall has done any processing on it and after it has been processed but before it enters the transmit queue.

Common syntax:

fw monitor -e "accept src=10.10.10.1;" -m iO
Capture traffic with source 10.10.10.1 at inspection points i (pre-inbound) and O (post-outbound). "accept" here is the capture filter's action (keep the packet), not the rulebase verdict, so the packets shown are not necessarily allowed by the policy.

fw monitor -e "drop src=10.10.10.1; dst=10.10.1.2;"
Described in these notes as showing dropped traffic from 10.10.10.1 to 10.10.1.2. As above, the keyword belongs to the capture filter; to see whether the policy dropped a packet, compare the inspection points it reaches (a packet seen at i but never at I was dropped by inbound inspection).

fw monitor -e "accept ((src=10.10.10.1 and dst=192.168.1.1) or src=10.10.10.2) and (dport=1415 or sport=1415);"
Capture traffic from 10.10.10.1 to 192.168.1.1, or from 10.10.10.2, that uses destination port 1415 or source port 1415 (dport and sport are TCP/UDP ports, not interfaces).
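As an added example, not part of the original notes, here is a small POSIX shell helper that post-processes fw monitor output. The sample lines are constructed in the shape of fw monitor's packet header lines (`<iface>:<point>[<len>]: src -> dst (proto) len=… id=…`, each followed by a TCP detail line) and are not a real capture. It counts how many packets were seen at each interface/inspection point and lists the IP ids seen at i (pre-inbound) that never reached O (post-outbound), which is the usual way to find where the gateway stopped a packet.

```shell
#!/bin/sh
# Added example: post-process fw monitor output (not a Check Point tool).
# fw monitor prints a packet once per inspection point it passes:
#   i = before inbound inspection, I = after inbound inspection,
#   o = before outbound inspection, O = after outbound inspection.
# A packet that shows up at i but never at O was not forwarded by the gateway.

# Constructed sample in the shape of fw monitor header lines; not a real capture.
# id=1001 (TCP/80) passes all four points; id=1002 (TCP/23) is seen at i only.
sample_fw_monitor_output() {
    cat <<'EOF'
eth0:i[60]: 10.10.10.1 -> 10.10.1.2 (TCP) len=60 id=1001
TCP: 40001 -> 80 .S.... seq=0a1b2c3d ack=00000000
eth0:I[60]: 10.10.10.1 -> 10.10.1.2 (TCP) len=60 id=1001
TCP: 40001 -> 80 .S.... seq=0a1b2c3d ack=00000000
eth1:o[60]: 10.10.10.1 -> 10.10.1.2 (TCP) len=60 id=1001
TCP: 40001 -> 80 .S.... seq=0a1b2c3d ack=00000000
eth1:O[60]: 10.10.10.1 -> 10.10.1.2 (TCP) len=60 id=1001
TCP: 40001 -> 80 .S.... seq=0a1b2c3d ack=00000000
eth0:i[60]: 10.10.10.1 -> 10.10.1.2 (TCP) len=60 id=1002
TCP: 40002 -> 23 .S.... seq=0a1b2c3e ack=00000000
EOF
}

# summarize_fw_monitor: count packets per <interface>:<point> from stdin.
# Output lines look like "eth0:i 2", sorted in the C locale for stable output.
summarize_fw_monitor() {
    awk '
        match($0, /[A-Za-z0-9._-]+:[iIoO]\[[0-9]+\]:/) {
            tok = substr($0, RSTART, RLENGTH)
            sub(/\[.*$/, "", tok)             # "eth0:i[60]:" -> "eth0:i"
            count[tok]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# not_forwarded_ids: IP ids seen at i but never at O (stdin), i.e. packets the
# gateway did not forward. The id is the IP identification field, so it can
# repeat over a long capture; narrow the capture with -e first.
not_forwarded_ids() {
    awk '
        match($0, /:[iIoO]\[/) {
            point = substr($0, RSTART + 1, 1)
            if (match($0, /id=[0-9]+/)) {
                id = substr($0, RSTART + 3, RLENGTH - 3)
                ids[id] = 1
                seen[id, point] = 1
            }
        }
        END {
            for (id in ids)
                if (seen[id, "i"] && !seen[id, "O"]) print id
        }
    ' | LC_ALL=C sort
}

# Stand-alone demo on the constructed sample. With a real capture, pipe instead:
#   fw monitor -e "accept src=10.10.10.1;" > cap.txt; not_forwarded_ids < cap.txt
sample_fw_monitor_output | summarize_fw_monitor
sample_fw_monitor_output | not_forwarded_ids
```

On the sample, the summary shows eth0:i seen twice but eth0:I, eth1:o and eth1:O once each, and the second function names id 1002 as the packet that never left the gateway.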

Check Point

By default, traffic from Int to Ext is not restricted; it only needs NAT behind the gateway, i.e. an external address that internal hosts can use to communicate. Traffic from Ext to Int is restricted and needs a Rule added to the firewall's rulebase.

Rule order

Write the more specific rules at the top and the general ones below.

NAT

When NATing a HOST, the host being accessed is the protected object with original IP 10.1.1.1, which after NAT on the Check Point becomes 140.1.1.1. So the HOST object is configured with IP 10.1.1.1, and the translated address in its NAT settings is 140.1.1.1.

Two NAT modes:
Static: one-to-one mapping.
Hide: hides one or more internal IPs behind this Check Point gateway (or a specific IP), similar to PAT; connections can only be initiated from the inside. For example, with the 10.1.1.0 network hidden behind the external address 10.2.2.1, every host in 10.1.1.0 is mapped to 10.2.2.1.
When an internal host must be reached from the outside, or when the service port must not be changed, only STATIC mode can be used.

Two ways to configure NAT:
Automatic: NAT configured on the HOST NODE object is automatic; select Add automatic Address Translation rules.
Manual: detailed manual NAT rules configured in the NAT TAB of the policy.

NAT order of preference (when one cannot be applied, the next is used):
1. Static NAT
2. IP Pool NAT
3. Hide NAT

IP Pool NAT can handle IPsec, GRE, IGMP and similar protocols, which makes it suitable for VPN, whereas Hide NAT only handles TCP, UDP and ICMP.

ISP Redundancy

Primary/Backup: active/standby ISP links; when the primary link fails, the backup is used. After the primary recovers, new traffic goes over the primary, while existing connections keep using the backup until they finish.
Load Sharing: similar to random distribution, traffic is spread over both links; when one link fails everything goes over the other. For DNS replies, the IPs of both links are used as the answer records.

The automatic ISP redundancy configuration only takes effect when the gateway actually has two or more ISP interfaces.

In the ISP redundancy example above, 192.168.1.2 and 172.16.2.2 are the public addresses of 10.0.0.2 as mapped on the firewall's ISP-facing side; they are registered with the ISPs, so once a user on the Internet accesses www.example.com, the user's DNS query is forwarded by the ISP to these two addresses on the firewall. The firewall's built-in DNS responder returns these two addresses as the resolved answer (the exact behaviour depends on Primary/Backup versus Load Sharing mode). This is configured under the firewall object's Topology → ISP Redundancy → DNS Proxy, where the addresses to resolve are added.

(figure: ISP redundancy 1)

There is also a way to achieve redundancy with a single external interface (without two real external interfaces): assign addresses from two subnets to the firewall's eth0 and let the switch provide the redundancy.

(figure: cluster ISP)

How a firewall Cluster connects to redundant ISPs.

Load Balancing (no extra load on the firewall)

Load balancing is configured by putting all the balanced servers into one Group.
Server Load: the system measures the servers' load and balances automatically based on it.
Round Trip: sends to the server with the fastest round trip, without considering load.
Round Robin: each server in turn.
Random: random choice.
Domain: chosen by domain name.

Persistency by Service/Server: forces the firewall to remember how it handled a given request the first time and to handle the same request the same way every time. A TIME OUT is therefore required so that it does not hold on to that state for too long.

In practice two RULEs are needed: one that tells the firewall to load-balance the specific traffic, and another that permits the specific port or traffic.

CoreXL

The newer generation of Check Point supports CoreXL, which works like multiprocessing: on a multi-core system it spawns multiple firewall instances that process the large volume of incoming traffic independently of one another.