Automatic NAT and Access Rules

Automatic NAT and Access rules for CloudGuard Auto Scaling automatically configure the NAT and Access rules in the Security Policy based on the Internal Application gateway's listeners and tags.

Important - This configuration is only for:

  • VMSS in Azure that uses the Application gateway.

  • AWS Auto Scale Group solutions

For AWS, this feature is part of the CloudGuard Auto Scaling for AWS solution, see CloudGuard Network for AWS Auto Scale Group Deployment Guide.

Prerequisites

  • CME Take 137 or higher installed on the Security Management Server or Multi-Domain Server.

  • CME controller used for this VMSS with reader permissions for Application gateway resources in Azure.

  • A deployed CloudGuard for Azure VMSS solution that uses both an external and internal Application gateway.

    For more information, see the Virtual Machine Scale Sets (VMSS) for Azure R80.10 and Higher Administration Guide > Section Deploy Internal Application Gateway.

Mandatory Configuration

To enable this feature, these tags are required on the internal Application gateway:

Key

Value

Example

x-chkp-management

The name of the Management Server

my-management

x-chkp-template

The name of the configuration template selected when the Virtual Machine Scale Sets (VMSS) for Azure was setup.

my-configuration-template

Note - When this feature is enabled, CME starts to configure NAT and Access rules for Application gateways with the above tags that match the current management and configuration template. See Enabling Automatic NAT and Access Rules in CME.

Best Practice - To prevent unexpected behavior, we recommend to stop CME before this configuration, and to restart it after the configuration is complete.

NAT Rule Generated

No

Original Source

Original Destination

Original Services

Translated Source

Translated Destination

Translated Services

Installed On

1

See below for more information

LocalGatewayExternal

See below for more information

LocalGatewayInternal

NAT Method: Hide

The Internal Application gateway frontend IP private address

Listener port and protocol. See below for more information.

VMSS instance

Column

Values

Original Source

The traffic to the VMSS instances is initiated from the external Application gateway subnet.

By default, the original source is the internal Application gateway VNET.

To change this, see Customizing Original Source in the NAT Rule.

Important - In an environment with VNET peering (the external and internal Application gateways are on different VNETS).

You must change the Original Source to be the external Application gateway subnet or VNET.

Original Services

If the listener listens to protocol HTTP using port 80 or HTTPS using port 443, the original service port is:

  • 9080 for port 80

  • 9443 for port 443

If not, the original service is the same as the listener Protocol and Port.

Translated Services

To change the Original Services, see Customizing Original and Translated Services in the NAT Rule.

Example:

Listener Protocol and Port

Original Service

Translated Service

HTTP and port 81

HTTP and port 81

HTTP and port 81

HTTP and port 80

HTTP and port 9080

HTTP and port 80

HTTP and port 443

HTTP and port 9443

HTTP and port 443

Access Rule Generated

Source

Destination

VPN

Services & Applications

Action

Track

Install On

The same as the Original Source in the corresponding NAT rule

LocalGatewayExternal

Any

The same as the Original Services in the corresponding NAT rule

Accept

Log

VMSS instance

See the Virtual Machine Scale Sets (VMSS) for Azure R80.10 and Higher Administration Guide > Section Creating Dynamic Objects LocalGatewayInternal and LocalGatewayExternal.

Customizing Original and Translated Services in the NAT Rule

To customize the ports for Original Services, or to configure multiple internal Application gateways to listen to other ports, tag the internal Application gateway as follows:

Key

Value

Example

x-chkp-forwarding

A space-separated list of <PROTOCOL>-<ORIGIN-PORT>-<DESTINATION-PORT> items to represent the forwarding rules it is necessary to use

  • HTTP-9081-80

  • HTTP-9081-80 HTTPS-9444-443

Attribute

Description

<PROTOCOL>

Allowed values: HTTP or HTTPS

<ORIGINAL-PORT>

The port, to which the external Application gateway forwards the traffic.

<DESTINATION-PORT>

The listener port on the internal Application gateway.

If the <DESTINATION-PORT> matches an existing internal Application gateway port, the Original Services in the NAT rule is a CPM service composed of <PROTOCOL> and <ORIGINAL-PORT>.

If there is no match, another rule is created that uses the tag value:

  • Original Services: CPM service composed of <PROTOCOL> and <ORIGINAL-PORT>

  • Translated Services: CPM service composed of <PROTOCOL> and <DESTINATION-PORT>

Examples:

Listener protocol and port

x-chkp-forwarding

Original Services

Translated Services

HTTP and port 81

HTTP-9981-81

HTTP and port 9981

HTTP and port 81

HTTP and port 81

HTTP-9999-99

HTTP and port 81

HTTP and port 81

 

 

HTTP and port 9999

HTTP and port 99

Customizing Original Source in the NAT Rule

To allow traffic from a specific IP addresses or networks based on their CIDRs, tag the internal Application gateways as follows:

Best Practice - We recommend to use this tag with the external Application gateway subnet.

Key

Value

Example

x-chkp-source-cidrs

A list of space-separated network/mask, from which the traffic is allowed

10.0.0.0/24 192.168.0.0/24

Examples:

VMSS VNET

x-chkp-source-cidrs

Original Source

10.0.0.0/16

Not configured

10.0.0.0/16

10.0.0.0/16

10.0.0.0/24

10.0.0.0/24

Enabling Automatic NAT and Access Rules in CME

To enable Automatic NAT and Access rules, run:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -an

When the feature is enabled, CME starts to configure NAT and Access rules based on the Application gateway's x-chkp_management and x_chkp-template tags.

To disable Automatic NAT and Access rules, run:

autoprov_cfg delete template -tn <CONFIGURATION-TEMPLATE-NAME> -an

After the feature is disabled:

  1. CME removes the existing NAT and Access rules that were automatically created for this template.

  2. CME does not add NAT and Access Rules for new instances.

(Optional) Automatic Rule Placement

By default, automatic Access and NAT rules for each VMSS instance are added at the top of the rulebase.

Sometimes it is recommended to add the rules in a specific place in the policy rather than at the top.

You can achieve this by creating a section for these rules in SmartConsole, and specifying the section name in CME configuration.

  1. In SmartConsole, in the applicable Security Policy, create a New Section:

    1. To create a New Section, right-click on below a rule number.

    2. Select Create New Section, click Below.

    3. Enter the name for the New Section and make sure to record the name.

    4. Publish the SmartConsole session.

  2. Connect to command line on the Security Management Server.

  3. Log in to the Expert mode.

  4. Run this command:

    autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -secn <SECTION-NAME>

    • Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the configuration template configured with the Automatic NAT and Access rules feature (for example, my-configuration-template).

    • Replace <SECTION-NAME> with the name of the section created in Step 1.

If the section is specified in the configuration template, but not found in the rule base, the rule is added at the top by default.

Note - The changes above occur only for new VMSS instances. The existing rules stay the same.

To change the section in which new automatic Access and NAT rules are added, run:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -secn <SECTION-NAME>

To add the new automatic Access and NAT rules to the top of the rule base, run:

autoprov_cfg delete template -tn <CONFIGURATION-TEMPLATE-NAME> -secn

Known Limitations

  • The feature works only with:

    • Azure Application gateways

    • AWS Auto Scale Group solutions

    Azure Load Balancers (layer 4) are currently not supported.

  • These ports used with Auto Scaling groups in AWS are not supported:

    • x-chkp-ignore-ports

    • x-chkp-http-ports

    • x-chkp-https-ports

    • x-chkp-ssl-ports

    • x-chkp-source-object