Configuring the NAT Policy

This chapter outlines the process of configuring NAT64 (Network Address Translation from IPv6 to IPv4) on a Check Point Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

NAT64 is a technology that enables communication between IPv6-only clients and IPv4-only servers. The configuration involves defining rules on a Check Point Security Gateway to translate packet headers using the IPv4/IPv6 Translation Algorithm (RFC 6145). The Security Gateway performs N:M translation, supporting scenarios like Hide NAT behind a single IPv4 address or a range of addresses.

Getting Started with NAT

  1. Learn about types of NAT Rules and types of NAT Methods (below in this topic).

  2. Follow the applicable procedure:

  3. Configure the applicable NAT advanced settings (see Advanced NAT Settings).

  4. Install the Access Control Policy.


NAT (Network Address Translation) is a feature of the Firewall Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. and replaces IPv4 and IPv6 addresses to add more security. NAT protects the identity of a network and does not show internal IP addresses to the Internet.

The Security Gateway can change:

  • The source IP address in a packet.

  • The destination IP address in a packet.

  • The TCP / UDP port in a packet.

Types of NAT Rules

In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., you can create these types of NAT rules:

NAT Rules

How to create these NAT rules?

How to change these NAT rules?

Automatic NAT Rules

Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. creates these rules automatically based on the NAT settings you configure in objects' properties (on the NAT page)

You must change the NAT settings in objects' properties on the NAT page.

Manual NAT RuleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.

You create these rules, select all objects and the NAT method.

You change these rules.

Important - A Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. / Domain Management Server supports a maximum of 16384 NAT rules in one policy. See sk82220.

Types of NAT Methods

You can configure one of these NAT methods for Automatic NAT Rules and in Manual NAT RulesClosed Manual configuration of NAT rules by the administrator of the Check Point Management Server.:

NAT Rules in SmartConsole

The NAT Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase. has two sections in that specify how the IP addresses and Ports are translated:

  • Original - with columns Source, Destination, and Services

  • Translated - with columns Source, Destination, and Services

Order of NAT Rule Enforcement

The Security Gateway enforces the NAT Rule Base in a sequential manner - in the order you place the rules in the NAT Policy (see the No. column).

The Security Gateway enforces Automatic NAT and Manual NAT rules in different ways.