SD-WAN NAT for ISP

Introduction to NAT for each ISP

In the SD-WAN Policy, you can configure different NAT IP addresses for each ISP.

As a result, the selected Security Gateways apply NAT to their connections based on the corresponding ISP (WAN Link).

Other Security Gateways apply NAT to their connections based on the configuration in SmartConsole.

Note - SD-WAN Policy determines the applicable WAN Link, and then applies the configured NAT.

Configuring NAT for each ISP

Part 1 - Configuring NAT Mapping

  1. Log in to Check Point Infinity Portal.

  2. Click the Menu at the top left, and in the Quantum section, click SD-WAN.

  3. From the left navigation panel, click Network.

  4. In the middle section, click SD-WAN Policy.

  5. In the applicable SD-WAN Policy rules, examine the Source column to calculate the number of source IP addresses in this column.

    You use this number later in the configuration of the NAT Mapping.

  6. From the top toolbar, click Manage Objects.

  7. From the top toolbar, click (New) > click NAT.

  8. In the Name field, enter a descriptive name that represents this NAT Mapping.

  9. Optional: In the Comment field, enter text that describes this NAT Mapping.

    This comment is very useful when you select this object later in the SD-WAN Policy.

  10. In the NAT Method section, select the applicable option - Hide or Static (you configure the NAT IP address later).

  11. From the toolbar, click (Add).

  12. In the NAT Gateway Configuration window:

    1. In the Gateway field, select the applicable Security Gateway.

    2. For each WAN Link, configure the required NAT behavior:

      • According to SmartConsole

        This WAN Link applies NAT to its connections based on the configuration in SmartConsole.

      • Hide Behind IP Address

        This option appears only if in the NAT Method section, you selected Hide.

        This WAN Link applies Hide NAT to its connections based on the selected value in the NAT Method section.

        Enter the required IP address, or range of IP addresses.

        Important - For a range of IP addresses, you must configure the same number of IP addresses as configured in the Source column of the applicable SD-WAN Policy rules, in which you will select this NAT Mapping.

      • Hide Behind Gateway

        This option appears only if in the NAT Method section, you selected Hide.

        This WAN Link applies Hide NAT to its connections based on the selected value in the NAT Method section.

        The Security Gateway performs Hide NAT using the IP address of the corresponding WAN Link.

      • Translated IP Address

        This option appears only if in the NAT Method section, you selected Static.

        This WAN Link applies Static NAT to its connections based on the selected value in the NAT Method section.

        Enter the required IP address, or range of IP addresses.

        Important - For a range of IP addresses, you must configure the same number of IP addresses as configured in the Source column of the applicable SD-WAN Policy rules, in which you will select this NAT Mapping.

    3. Click OK.

  13. Close the Manage Objects panel.
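
The address count from step 5 and the Important notes under step 12 can be checked before you enter a range. The Python script below is an added example, not part of the Check Point documentation. Its sample addresses are constructed, and it assumes that every address in a network counts (network and broadcast included) and that overlapping Source objects count once, which this page does not specify.

```python
import ipaddress

def parse_entry(entry):
    """Return (first, last) integer bounds for a host, CIDR network or 'a-b' range."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {entry}")
        return int(lo), int(hi)
    # strict=True rejects a CIDR with host bits set, e.g. 10.1.1.5/24
    net = ipaddress.IPv4Network(entry, strict=True)
    # Assumption: network and broadcast addresses are counted like any other.
    return int(net.network_address), int(net.broadcast_address)

def count_addresses(entries):
    """Count distinct IPv4 addresses covered by the entries (overlaps counted once)."""
    total, cur_lo, cur_hi = 0, None, None
    for lo, hi in sorted(parse_entry(e) for e in entries):
        if cur_hi is not None and lo <= cur_hi + 1:
            cur_hi = max(cur_hi, hi)  # overlapping or adjacent: extend the span
        else:
            if cur_hi is not None:
                total += cur_hi - cur_lo + 1
            cur_lo, cur_hi = lo, hi
    if cur_hi is not None:
        total += cur_hi - cur_lo + 1
    return total

def check_nat_range(source_entries, nat_range):
    """Compare the Source column address count with the size of one NAT range."""
    src = count_addresses(source_entries)
    nat = count_addresses([nat_range])
    return {"source_count": src, "nat_count": nat, "match": src == nat}

# Constructed sample values (documentation address space), not from a real policy.
SOURCE_COLUMN = ["192.0.2.0/28", "192.0.2.8-192.0.2.23", "192.0.2.40"]
NAT_RANGE_ISP1 = "198.51.100.10-198.51.100.34"  # hypothetical range for one WAN Link
NAT_RANGE_ISP2 = "203.0.113.0/27"               # hypothetical range for another WAN Link

if __name__ == "__main__":
    for name, rng in (("ISP1", NAT_RANGE_ISP1), ("ISP2", NAT_RANGE_ISP2)):
        print(name, check_nat_range(SOURCE_COLUMN, rng))
```

A result with `match` set to `False` means the range for that WAN Link does not satisfy the Important note and should be corrected before you select the NAT Mapping in a rule.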

Part 2 - Configuring SD-WAN Policy

  1. Create a new rule, or edit an existing rule (see Configuring SD-WAN Policy).

  2. In the Translated Source (NAT) column of the rule, click the (+) icon > click the required NAT Mapping object > click OK.

    Note - You can select only one NAT Mapping object in a rule.

  3. Click OK.

  4. From the top toolbar, click Publish to save the changes.

  5. From the top toolbar, click Enforce to apply the changes.

    The orange frame on this button means there are changes that are not enforced.

    In the popup window that opens, click Publish & Enforce Policy.