[Repost] Checkpoint Manual NAT ARP Proxy

Not everyone may have run into this problem with Check Point firewalls, but every time a Manual NAT rule has to be created, many administrators hit the same proxy ARP issue.

Check Point's sk30197 contains several links about Proxy ARP.

Configuration Steps:

This configuration is based on two steps:

  1. Layer2-to-Layer3 matching (IP address of the internal host and MAC of the external interface)
  2. NAT rules

Step 1 – Layer2-to-Layer3 matching

  1. Using local or SSH access to the Security Gateway, in Expert Mode, check whether the file exists:

     (Expert@myfirewall)# ls $FWDIR/conf/local.arp

     If the result is "ls: /opt/CPsuite-R75.20/fw1/conf/local.arp: No such file or directory", create a new file; otherwise go to step 2:

     (Expert@myfirewall)# touch $FWDIR/conf/local.arp

  2. Edit the file with the command:

     (Expert@myfirewall)# vi $FWDIR/conf/local.arp

     and add one line per published host, for example:

     172.16.5.20    00:B4:F3:A8:C1:33


    A brief summary of the "vi" editor

    To access command mode in vi, press ESC

    i – Insert text before the cursor

    a – Insert text after the cursor

    I – Insert text at the beginning of the cursor line

    A – Insert text at the end of the cursor line

    o – Insert a line below the cursor line

    O – Insert a line above the cursor line

    x – Delete the current character

    To save the file and quit: ESC :wq


The syntax of this file differs depending on whether you have a single gateway or a cluster:

    Single Gateway

    IP_of_the_published_host         MAC_address_of_the_External_Interface

Example:

Let's consider the topology

Create the Objects

Firewall external IP address

FTP Server

Before the Stealth rule, create a rule allowing FTP access to the gateway (in this example we only have two public IPs).

In the NAT tab, create a manual NAT rule publishing FTPServer.

In SmartDashboard → Policy → Global Properties

In the NAT section, check the option "Merge manual proxy ARP configuration".

Automatic ARP Configuration is enabled by default. It ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Security Gateway.

Merge manual proxy ARP configuration merges the Automatic and Manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in the $FWDIR/conf/local.arp file and 'Automatic ARP configuration' is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NATed IP address appears in both), the manual configuration is used.

If 'Automatic ARP configuration' is enabled but the 'Merge manual proxy ARP configuration' option is not enabled, the Security Gateway ignores the entries in the $FWDIR/conf/local.arp file.

Check the box "Translate destination on client side".

Translate destination on client side is enabled by default. It applies to packets originating at a client with the server as their destination: Static NAT for the server is performed on the client side of the Security Gateway.


Cluster Configuration

In a cluster configuration the syntax of the local.arp file changes as follows:

    IP_address_of_Host_1_that_should_be_published    MAC_address_of_member's_physical_interface_on_External_network    IP_address_of_member's_physical_interface_on_External_network
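As an added illustration (not part of the original post and not Check Point's code), the following Python parses both local.arp formats described above (the single-gateway "IP MAC" line from Step 1 and the three-field cluster line) and models the Global Properties behaviour: with automatic ARP on and merge off, local.arp is ignored; with merge on, both sets are kept and the manual entry wins on the same NATed IP. The sample file, the automatic entries, and the assumption that local.arp alone is used when automatic ARP is disabled are constructed for this example.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def parse_local_arp(text):
    """Parse $FWDIR/conf/local.arp into {published_ip: (mac, member_ip)}.
    Single-gateway lines are 'IP MAC'; cluster lines are 'IP MAC member_IP'
    (member_ip is None for the single-gateway form). '#' starts a comment."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        ip, mac = str(ipaddress.ip_address(fields[0])), fields[1].upper()
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC {fields[1]!r}")
        member = str(ipaddress.ip_address(fields[2])) if len(fields) == 3 else None
        if ip in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {ip}")
        entries[ip] = (mac, member)
    return entries

def effective_proxy_arp(automatic, local_arp_text, automatic_enabled, merge_manual):
    """Return {published_ip: (mac, member_ip, source)} following the Global
    Properties semantics: automatic on + merge off -> local.arp ignored;
    automatic on + merge on -> both kept, manual wins on a conflict;
    automatic off -> only local.arp is used (assumption for this model)."""
    table = {}
    if automatic_enabled:
        table = {ip: (mac.upper(), None, "automatic") for ip, mac in automatic.items()}
        if not merge_manual:
            return table
    for ip, (mac, member) in parse_local_arp(local_arp_text).items():
        table[ip] = (mac, member, "manual")   # manual overrides automatic
    return table

# Constructed sample local.arp: one single-gateway line and one cluster-syntax line
SAMPLE_LOCAL_ARP = """\
# published host    external MAC          (cluster only: member external IP)
172.16.5.20    00:B4:F3:A8:C1:33
172.16.5.21    00:b4:f3:a8:c1:34    192.0.2.10
"""
# Constructed automatic proxy-ARP entries, as the gateway derives them from NAT rules
SAMPLE_AUTOMATIC = {"172.16.5.20": "00:11:22:33:44:55", "172.16.5.30": "00:11:22:33:44:55"}
```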


For more information about cluster configuration, I highly recommend reading sk30197.


Troubleshooting

If Proxy ARP fails, consider reading sk25851.

Check Point

By default, traffic from Int (internal) to Ext (external) is not restricted; you only need NAT behind the gateway, i.e. give internal hosts an external address for communication. Traffic from Ext to Int, however, is restricted, and a Rule must be added to the firewall's rule base.

Rule order

Write the more specific rules at the top and the more general ones below.

NAT

When NATing a HOST, the host being accessed is the protected object; it has the original IP 10.1.1.1, which after Check Point NAT becomes 140.1.1.1. So when configuring the HOST object, its IP is 10.1.1.1, and the translated address in NAT is 140.1.1.1.

Two NAT methods:
Static: 1-to-1 mapping.
Hide: hides one or more internal IPs behind this Check Point gateway (or a specific IP), similar to PAT; connections can only be initiated from the inside. For example, with 10.1.1.0 10.1.1.2-10.2.2.1 ext, all hosts on the 10.1.1.0 network are mapped to 10.2.2.1.
When connecting from the outside to an internal host, or when the service port number must not change, only STATIC mode can be used.

Two configuration methods:
Automatic: NAT configured in the HOST node is the automatic method; select Add automatic Address Translation Rule.
Manual: configure detailed manual NAT rules in the NAT tab.

NAT precedence (when one is used up, the next one is used):
1. Static NAT
2. IP Pool NAT
3. Hide NAT

IP Pool NAT can handle IPSec, GRE, IGMP and so on, which makes it suitable for VPN, while Hide NAT can only handle TCP, UDP and ICMP.

ISP Redundancy

Primary/Backup: primary/secondary ISP redundant links; when the primary link fails, the backup link is used. After the primary link recovers, new traffic goes over the primary link, while existing old flows keep using the backup link until they finish.
Load Sharing: similar to random; traffic is sent randomly over the links, and when one link fails everything goes over the other. For DNS replies, the IPs of both links are used as the source address records.

The automatic ISP redundancy mode in the configuration only takes effect when there really are two or more ISP interfaces.

ISP redundancy: in the example above, 192.168.1.2 and 172.16.2.2 are the public addresses that 10.0.0.2 is mapped to on the firewall's ISP-facing side. They have been registered with the ISPs, so once a user accesses www.example.com from the Internet, the user first sends a name-resolution request to its DNS server, the ISP forwards the request to these two addresses on the firewall, and the firewall's built-in DNS responder returns these two addresses as the resolved answer to the user (the exact behaviour depends on the primary/backup or random mode). In practice this is done by adding the DNS resolution addresses under DNS Proxy in ISP Redundancy in the firewall object's Topology.

[Figure: ISP redundancy 1]

There is also a way to achieve redundancy with only one external interface (without two real external interfaces): assign two subnet addresses to the firewall's Eth0 interface and achieve redundancy through the switch.

[Figure: cluster ISP]

How a firewall Cluster connects to redundant ISPs.

Load Balancing (no extra load on the firewall)

Load balancing is configured by putting all the load-balanced servers into one Group.
Server Load: the system automatically detects the servers' load and balances accordingly.
Round Trip: send over the fastest path, without using load as the balancing criterion.
Round Robin: one for you, one for me, in turn.
Random: sent randomly.
Domain: sent according to the domain name.

Persistency by Service/Server: forces the firewall to remember how it first handled a given request and to handle the same request the same way every time. A TIMEOUT is therefore necessary, so that it does not wait too long.

In practice two RULEs are needed: one to tell the firewall to load-balance specific traffic, the other to define which ports or traffic are permitted through.

CoreXL

The new generation of Checkpoint supports CoreXL, which is something like multiprocessing: it spawns multiple operating-system instances on its own system and processes the large volume of received traffic in a non-interfering way.

Xbeam

unix su    (enter the Xbeam Unix configuration)

rsh extfw_1/intfw_1    (enter the FW module)

show run -flat

tcpdump -i exvt299 vlan and host 10.10.10.1
tcpdump -i exvt299 vlan and net 10.10.10.0

[Figure: xbeam]

A VAP is a virtual application process entity; extfw_1 is one such virtual application entity. Circuits can further be defined for the interfaces in each entity, grouping them for management.

Statements beginning with configure are used for configuration.

Example:

Configure VAP Group

configure vap-group intfw xslinux_v5            #Create a VAP group for the application and configure it to use the xslinux_v5_64 VAP OS.
configure vap-group intfw xslinux_v5 vap-count 2            #Set the VAP count for redundancy and additional capacity
configure vap-group intfw xslinux_v5 max-load-count 2      #Set the max load count to the number of active VAP members in the VAP group
configure vap-group intfw xslinux_v5 ap-list ap5 ap6 ap8    #Configure the APM list for the VAP group. All VAP members must run on the same model of APM. Use show chassis from the CLI to verify the APM models installed in your chassis, if necessary.

configure vap-group intfw xslinux_v5 load-balance-vap-list 1 2 3 4 5 6 7 8 9 10

configure vap-group intfw xslinux_v5 no rp-filter     #Disable RP filtering
configure vap-group intfw xslinux_v5 ip-flow-rule intfw_lb     #Configure a default IP flow rule for the VAP group
configure vap-group intfw xslinux_v5 ip-flow-rule intfw_lb action load-balance     #Set the IP flow rule action to load-balance traffic to all available VAP members
configure vap-group intfw xslinux_v5 ip-flow-rule intfw_lb activate

configure vap-group v6fw xslinux_v5_64
configure vap-group v6fw xslinux_v5_64 max-load-count 1
configure vap-group v6fw xslinux_v5_64 ap-list ap7 ap8
configure vap-group v6fw xslinux_v5_64 load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
configure vap-group v6fw xslinux_v5_64 no rp-filter
configure vap-group v6fw xslinux_v5_64 enable-ipv6     #enable IPv6 support for the VAP group
configure vap-group v6fw xslinux_v5_64 ip-flow-rule v6fw_lb
configure vap-group v6fw xslinux_v5_64 ip-flow-rule v6fw_lb action load-balance
configure vap-group v6fw xslinux_v5_64 ip-flow-rule v6fw_lb activate

configure vap-group v6fw xslinux_v5_64 non-ip-flow-rule ipv6_rule
configure vap-group v6fw xslinux_v5_64 non-ip-flow-rule ipv6_rule encapsulation ethernet type 34525
configure vap-group v6fw xslinux_v5_64 non-ip-flow-rule ipv6_rule action pass-to-master
configure vap-group v6fw xslinux_v5_64 non-ip-flow-rule ipv6_rule activate

[Figure: xbeam-vap]

Configure Circuit

configure circuit extfw_vlan_213 circuit-id 1025 domain 2
configure circuit extfw_vlan_213 circuit-id 1025 domain 2 device-name mgmt213     #Assign a device name to the circuit. The device name should be the same as, or based on, the circuit name. Similar to a description.

configure circuit extfw_vlan_213 circuit-id 1025 domain 2 vap-group intfw   #Assign the VAP group to the management circuit
configure circuit extfw_vlan_213 circuit-id 1025 domain 2 vap-group intfw default-egress-vlan-tag 213    #Assign a tag (egress) to the VLAN circuit, i.e. add a VLAN tag to the circuit.
configure circuit extfw_vlan_213 circuit-id 1025 domain 2 vap-group intfw ip 10.10.1.81/24 10.10.1.255 increment-per-vap 10.10.1.83

[Figure: xbeam3]

configure circuit extfw_vlan_213 circuit-id 1025 domain 2 vap-group v6fw
configure circuit extfw_vlan_213 circuit-id 1025 domain 2 vap-group v6fw default-egress-vlan-tag 213
configure circuit extfw_vlan_213 circuit-id 1025 domain 2 vap-group v6fw ip 10.10.1.61/24 10.10.1.255

configure circuit v6fw_vlan_66 circuit-id 1045
configure circuit v6fw_vlan_66 circuit-id 1045 device-name v6v66
configure circuit v6fw_vlan_66 circuit-id 1045 vap-group v6fw
configure circuit v6fw_vlan_66 circuit-id 1045 vap-group v6fw default-egress-vlan-tag 66
configure circuit v6fw_vlan_66 circuit-id 1045 vap-group v6fw ip 172.17.0.1/27 172.17.0.31
configure circuit v6fw_vlan_66 circuit-id 1045 vap-group v6fw ip 172.17.0.1/27 172.17.0.31 alias 2001:4958:5:f001::1/64    #Assign IPv6 address
configure interface ethernet 1/5     #Assign the circuit to an interface
configure interface ethernet 1/5 logical ext_mgmt ingress-vlan-tag 213 213     #Add a logical with the ingress tag, logical name: ext_mgmt, tag 213, i.e. add a VLAN tag to the interface.
configure interface ethernet 1/5 logical ext_mgmt ingress-vlan-tag 213 213 circuit extfw_vlan_213     #Assign the circuit to this interface, i.e. bind the interface and the circuit together.
configure interface ethernet 1/9
configure interface ethernet 1/9 logical v6_vlan666 ingress-vlan-tag 666 666
configure interface ethernet 1/9 logical v6_vlan666 ingress-vlan-tag 666 666 circuit v6fw_vlan_666
configure interface ethernet 1/10
configure interface ethernet 1/10 logical v6_vlan66 ingress-vlan-tag 66 66
configure interface ethernet 1/10 logical v6_vlan66 ingress-vlan-tag 66 66 circuit v6fw_vlan_66

Configure Internal Sync Interface

configure circuit extfw_sync circuit-id 1026     #Create Sync circuit
configure circuit extfw_sync circuit-id 1026 device-name extsync
configure circuit extfw_sync circuit-id 1026 link-state-resistant    #Configure the circuit with the link-state-resistant parameter to ensure that the circuit stays up if the physical interface goes down.

configure circuit extfw_sync circuit-id 1026 vap-group extfw
configure circuit extfw_sync circuit-id 1026 vap-group extfw ip 2.2.2.1/24 2.2.2.255 increment-per-vap 2.2.2.3

configure interface-internal extfw_sync
configure interface-internal extfw_sync logical-all extfw_sync
configure interface-internal extfw_sync logical-all extfw_sync circuit extfw_sync   #assign the synchronization circuit to the interface.