Automatic NAT and Access Rules

Automatic NAT and Access rules for CloudGuard Auto Scaling automatically configure the NAT and Access rules in the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. based on the Internal Application gateway's listeners and tags.

Important - This configuration is only for:

VMSS in Azure that uses the Application gateway.
AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. Auto Scale Group solutions

For AWS, this feature is part of the CloudGuard Auto Scaling for AWS solution, see CloudGuard Network for AWS Auto Scale Group Deployment Guide.

Prerequisites

CME Take 137 or higher installed on the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS..
CME controller used for this VMSS with reader permissions for Application gateway resources in Azure.
A deployed CloudGuard for Azure VMSS solution that uses both an external and internal Application gateway.

For more information, see the Virtual Machine Scale Sets (VMSS) for Azure R80.10 and Higher Administration Guide > Section Deploy Internal Application Gateway.

Mandatory Configuration

To enable this feature, these tags are required on the internal Application gateway:

Key	Value	Example
`x-chkp-management`	The name of the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.	`my-management`
`x-chkp-template`	The name of the configuration template selected when the Virtual Machine Scale Sets (VMSS) for Azure was setup.	`my-configuration-template`

Note - When this feature is enabled, CME starts to configure NAT and Access rules for Application gateways with the above tags that match the current management and configuration template. See Enabling Automatic NAT and Access Rules in CME.

Best Practice - To prevent unexpected behavior, we recommend to stop CME before this configuration, and to restart it after the configuration is complete.

NAT Rule Generated

No	Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Installed On
1	See below for more information	LocalGatewayExternal	See below for more information	LocalGatewayInternal NAT Method: Hide	The Internal Application gateway frontend IP private address	Listener port and protocol. See below for more information.	VMSS instance

Original Source

Original Destination

Original Services

Translated Source

Translated Destination

Translated Services

Installed On

See below for more information

LocalGatewayExternal

See below for more information

LocalGatewayInternal

NAT Method: Hide

The Internal Application gateway frontend IP private address

Listener port and protocol. See below for more information.

VMSS instance

Default Values

Column

Values

Original Source

The traffic to the VMSS instances is initiated from the external Application gateway subnet.

By default, the original source is the internal Application gateway VNET.

To change this, see Customizing Original Source in the NAT Rule.

Important - In an environment with VNET peering (the external and internal Application gateways are on different VNETS).

You must change the Original Source to be the external Application gateway subnet or VNET.

Original Services

If the listener listens to protocol HTTP using port 80 or HTTPS using port 443, the original service port is:

9080 for port 80
9443 for port 443

If not, the original service is the same as the listener Protocol and Port.

Translated Services

To change the Original Services, see Customizing Original and Translated Services in the NAT Rule.

Example:

Listener Protocol and Port	Original Service	Translated Service
HTTP and port 81	HTTP and port 81	HTTP and port 81
HTTP and port 80	HTTP and port 9080	HTTP and port 80
HTTP and port 443	HTTP and port 9443	HTTP and port 443

Access Rule Generated

Source	Destination	VPN	Services & Applications	Action	Track	Install On
The same as the Original Source in the corresponding NAT rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.	`LocalGatewayExternal`	`Any`	The same as the Original Services in the corresponding NAT rule	`Accept`	`Log`	VMSS instance

See the Virtual Machine Scale Sets (VMSS) for Azure R80.10 and Higher Administration Guide > Section Creating Dynamic Objects LocalGatewayInternal and LocalGatewayExternal.

Customizing Original and Translated Services in the NAT Rule

To customize the ports for Original Services, or to configure multiple internal Application gateways to listen to other ports, tag the internal Application gateway as follows:

Key	Value	Example
`x-chkp-forwarding`	A space-separated list of `<PROTOCOL>-<ORIGIN-PORT>-<DESTINATION-PORT>` items to represent the forwarding rules it is necessary to use	`HTTP-9081-80` `HTTP-9081-80 HTTPS-9444-443`

Value Description

Attribute	Description
<PROTOCOL>	Allowed values: `HTTP` or `HTTPS`
<ORIGINAL-PORT>	The port, to which the external Application gateway forwards the traffic.
<DESTINATION-PORT>	The listener port on the internal Application gateway.

If the <DESTINATION-PORT> matches an existing internal Application gateway port, the Original Services in the NAT rule is a CPM service composed of <PROTOCOL> and <ORIGINAL-PORT>.

If there is no match, another rule is created that uses the tag value:

Original Services: CPM service composed of <PROTOCOL> and <ORIGINAL-PORT>
Translated Services: CPM service composed of <PROTOCOL> and <DESTINATION-PORT>

Examples:

Listener protocol and port	x-chkp-forwarding	Original Services	Translated Services
HTTP and port 81	`HTTP-9981-81`	HTTP and port 9981	HTTP and port 81
HTTP and port 81	`HTTP-9999-99`	HTTP and port 81	HTTP and port 81
		HTTP and port 9999	HTTP and port 99

Customizing Original Source in the NAT Rule

To allow traffic from a specific IP addresses or networks based on their CIDRs, tag the internal Application gateways as follows:

Best Practice - We recommend to use this tag with the external Application gateway subnet.

Key	Value	Example
`x-chkp-source-cidrs`	A list of space-separated network/mask, from which the traffic is allowed	`10.0.0.0/24 192.168.0.0/24`

Examples:

VMSS VNET	x-chkp-source-cidrs	Original Source
`10.0.0.0/16`	Not configured	`10.0.0.0/16`
`10.0.0.0/16`	`10.0.0.0/24`	`10.0.0.0/24`

Enabling Automatic NAT and Access Rules in CME

To enable Automatic NAT and Access rules, run:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -an

When the feature is enabled, CME starts to configure NAT and Access rules based on the Application gateway's x-chkp_management and x_chkp-template tags.

To disable Automatic NAT and Access rules, run:

autoprov_cfg delete template -tn <CONFIGURATION-TEMPLATE-NAME> -an

After the feature is disabled:

CME removes the existing NAT and Access rules that were automatically created for this template.
CME does not add NAT and Access Rules for new instances.

(Optional) Automatic Rule Placement

By default, automatic Access and NAT rules for each VMSS instance are added at the top of the rulebase.

Sometimes it is recommended to add the rules in a specific place in the policy rather than at the top.

You can achieve this by creating a section for these rules in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., and specifying the section name in CME configuration.

Procedure

In SmartConsole, in the applicable Security Policy, create a New Section:
1. To create a New Section, right-click on below a rule number.
2. Select Create New Section, click Below.
3. Enter the name for the New Section and make sure to record the name.
4. Publish the SmartConsole session.
Connect to command line on the Security Management Server.
Log in to the Expert mode.

Run this command:

autoprov_cfg set template -tn <CONFIGURATION-TEMPLATE-NAME> -secn <SECTION-NAME>

Replace <CONFIGURATION-TEMPLATE-NAME> with the name of the configuration template configured with the Automatic NAT and Access rules feature (for example, my-configuration-template).
Replace <SECTION-NAME> with the name of the section created in Step 1.

If the section is specified in the configuration template, but not found in the rule base All rules configured in a given Security Policy. Synonym: Rulebase., the rule is added at the top by default.

Note - The changes above occur only for new VMSS instances. The existing rules stay the same.

Known Limitations

The feature works only with:
- Azure Application gateways
- AWS Auto Scale Group solutions
Azure Load Balancers (layer 4) are currently not supported.
These ports used with Auto Scaling groups in AWS are not supported:
- x-chkp-ignore-ports
- x-chkp-http-ports
- x-chkp-https-ports
- x-chkp-ssl-ports
- x-chkp-source-object