Automatic NAT and Access Rules

Automatic NAT and Access rules for CloudGuard Auto Scaling automatically configure the NAT and Access rules in the Security Policy based on the Internal Application gateway's listeners and tags.

Important - This configuration is only for:

  • VMSS in Azure that uses the Application gateway.

  • AWS Auto Scale Group solutions

For AWS, this feature is part of the CloudGuard Auto Scaling for AWS solution, see sk112575.

Prerequisites

  • CME take 137 or higher installed on the Security Management Server or Multi-Domain Server.

  • CME controller used for this VMSS with reader permissions for Application gateway resources in Azure.

  • A deployed CloudGuard for Azure VMSS solution that uses both an external and internal Application gateway.

    For more information, see the Virtual Machine Scale Sets (VMSS) for Azure R80.10 and Higher Administration Guide > Section Deploy Internal Application Gateway.

Mandatory Configuration

To enable this feature, these tags are required on the internal Application gateway:

Key

Value

Example

x-chkp-management

The name of the Management Server

my-management

x-chkp-template

The name of the configuration template selected when the Virtual Machine Scale Sets (VMSS) for Azure was setup.

my-configuration-template

Note - When this feature is enabled, CME starts to configure NAT and Access rules for Application gateways with the above tags that match the current management and configuration template. See Enabling Automatic NAT and Access Rules in CME.

Best Practice - To prevent unexpected behavior, we recommend to stop CME before this configuration, and to restart it after the configuration is complete.

NAT Rule Generated

No

Original Source

Original Destination

Original Services

Translated Source

Translated Destination

Translated Services

Installed On

1

See below for more information

LocalGatewayExternal

See below for more information

LocalGatewayInternal

NAT Methode: Hide

The Internal Application gateway frontend IP private address

Listener port and protocol. See below for more information.

VMSS instance

Access Rule Generated

Source

Destination

VPN

Services & Applications

Action

Track

Install On

The same as the Original Source in the corresponding NAT rule

LocalGatewayExternal

Any

The same as the Original Services in the corresponding NAT rule

Accept

Log

VMSS instance

See the Virtual Machine Scale Sets (VMSS) for Azure R80.10 and Higher Administration Guide > Section Creating Dynamic Objects LocalGatewayInternal and LocalGatewayExternal.

Customizing Original and Translated Services in the NAT Rule

To customize the ports for Original Services, or to configure multiple internal Application gateways to listen to other ports, tag the internal Application gateway as follows:

Key

Value

Example

x-chkp-forwarding

A space-separated list of <PROTOCOL>-<ORIGIN-PORT>-<DESTINATION-PORT> items to represent the forwarding rules it is necessary to use

  • HTTP-9081-80

  • HTTP-9081-80 HTTPS-9444-443

Examples:

Listener protocol and port

x-chkp-forwarding

Original Services

Translated Services

HTTP and port 81

HTTP-9981-81

HTTP and port 9981

HTTP and port 81

HTTP and port 81

HTTP-9999-99

HTTP and port 81

HTTP and port 81

 

 

HTTP and port 9999

HTTP and port 99

Customizing Original Source in the NAT Rule

To allow traffic from a specific IP addresses or networks based on their CIDRs, tag the internal Application gateways as follows:

Best Practice - We recommend to use this tag with the external Application gateway subnet.

Key

Value

Example

x-chkp-source-cidrs

A list of space-separated network/mask, from which the traffic is allowed

10.0.0.0/24 192.168.0.0/24

Examples:

VMSS VNET

x-chkp-source-cidrs

Original Source

10.0.0.0/16

Not configured

10.0.0.0/16

10.0.0.0/16

10.0.0.0/24

10.0.0.0/24

Enabling Automatic NAT and Access Rules in CME

To enable Automatic NAT and Access rules, run:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -an

When the feature is enabled, CME starts to configure NAT and Access rules based on the Application gateway's x-chkp_management and x_chkp-template tags.

To disable Automatic NAT and Access rules, run:

autoprov_cfg delete template -tn <CONFIGURATION-TEMPLATE-NAME> -an

After the feature is disabled:

  1. CME removes the existing NAT and Access rules that were automatically created for this template.

  2. CME does not add NAT and Access Rules for new instances.

(Optional) Automatic Rule Placement

By default, automatic Access and NAT rules for each VMSS instance are added at the top of the rulebase.

Sometimes it is recommended to add the rules in a specific place in the policy rather than at the top.

This can be achieved by creating a section for these rules in SmartConsole, and specifying the section name in CME configuration.

If the section is specified in the configuration template, but not found in the rule base, the rules is added at the top by default.

Note - The changes above occur only for new VMSS instances. The existing rules stay the same.

Known Limitations

  • The feature works only with:

    • Azure Application gateways

    • AWS Auto Scale Group solutions

    Azure Load Balancers (layer 4) are currently not supported.

  • These ports used with Auto Scaling groups in AWS are not supported:

    • x-chkp-ignore-ports

    • x-chkp-http-ports

    • x-chkp-https-ports

    • x-chkp-ssl-ports

    • x-chkp-source-object

  • This feature is not compatible with Check Point's CloudGuard Network Remote Access VPN for VMSS feature.