Security Management behind NAT
Overview
The Security Management Server (a dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) sometimes uses a private IP address (as listed in RFC 1918), or some other non-routable IP address, because of the lack of public IP addresses.
NAT (Static or Hide) for the Security Management Server IP address can be configured in one click, while still allowing connectivity with managed Security Gateways. All Security Gateways can be controlled from the Security Management Server, and logs can be sent to the Security Management Server. NAT can also be configured for a Management High Availability server (a deployment and configuration mode of two Check Point Management Servers, in which they automatically synchronize the management databases with each other; in this mode, one Management Server is Active, and the other is Standby; acronyms: Management HA, MGMT HA) and for a Log Server (a dedicated Check Point server that runs Check Point software to store and process logs).
Example:

Item | Description
---|---
1 | Primary Security Management Server.
2 | Local Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) that is directly connected to the Security Management Server. The Remote Security Gateway connects to the Security Management Server through this Local Security Gateway.
3 | Remote Security Gateway that must connect to the Security Management Server.
Configuring NAT for Control Connections on the Security Management Server
- From the left navigation panel, click Gateways & Servers.
- Double-click the Security Management Server object.
- From the left navigation tree, click NAT.
- Select Add Automatic Address Translation rules.
- In the Translation method field, select Static.
- Configure the applicable IP address. In our example - 192.168.55.1
- Select one of these two options:
  - Install on Gateway - The Security Gateway that performs this NAT. In our example, the local Security Gateway that is directly connected to the Security Management Server (item 2 in the diagram).
  - Do not create automatic NAT rules - The Security Management Server is behind a non-Check Point device that handles the NAT.
- Connections from Security Gateways to this server. Select one of these options:
  - Based on topology configuration (use the server's translated or original IP address).
  - Use this server's original IP address.
  - Use this server's translated IP address.
- Optional: Select Apply for Security Gateway control connections - This option performs NAT on VPN control connections to and from the Security Management Server. This makes it possible to install a policy or collect logs across a NAT gateway.
- Click OK.
- Install the Access Control Policy on the applicable Security Gateways.
Configuration on the Security Gateway
For each Security Gateway, you can decide whether to use the definitions on the Management Server / Log Server, or to override the settings of the Management Server / Log Server and configure other settings for the specific Security Gateway.
To configure management behind NAT settings for a specific Security Gateway:
- In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), go to the Gateways & Servers view, and double-click the relevant Security Gateway object.
- In the Security Gateway object editor, from the left navigation menu, select NAT > Management / Log Servers.
- The default option is Use Management Server / Log Server settings.
- To override the default settings, select one of these options:
  - Use the remote server's original / translated IP address based on the topology.
  - Use only the original IP address for the remote servers.
  - Use only the translated IP address for the remote servers.
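The following is an added example, not Check Point code, that models how the server-side option ("Connections from Security Gateways to this server") and the per-gateway override described above combine to pick the address a gateway contacts, and flags the failure this configuration exists to avoid: a gateway outside the NAT being handed an RFC 1918 address. The IP addresses, the `behind_same_nat` flag and the reading of "based on topology" (local gateways use the original address, remote gateways the translated one) are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Server-side options under "Connections from Security Gateways to this server"
BASED_ON_TOPOLOGY = "topology"   # assumed: local gateways use original, remote use translated
ORIGINAL = "original"            # "Use this server's original IP address"
TRANSLATED = "translated"        # "Use this server's translated IP address"
USE_SERVER_SETTINGS = "use_server_settings"  # gateway default: "Use Management Server / Log Server settings"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class ManagementServer:
    original_ip: str                 # private address configured on the server itself
    translated_ip: str               # address the NAT device presents to the outside
    policy: str = BASED_ON_TOPOLOGY


@dataclass(frozen=True)
class Gateway:
    name: str
    behind_same_nat: bool                # True for the local gateway (item 2 in the diagram)
    override: str = USE_SERVER_SETTINGS  # per-gateway setting under NAT > Management / Log Servers


def effective_policy(server: ManagementServer, gw: Gateway) -> str:
    """A per-gateway override wins; otherwise the server's own setting applies."""
    return server.policy if gw.override == USE_SERVER_SETTINGS else gw.override


def control_connection_ip(server: ManagementServer, gw: Gateway) -> str:
    """Address the gateway uses for policy install and log forwarding."""
    policy = effective_policy(server, gw)
    if policy == ORIGINAL:
        return server.original_ip
    if policy == TRANSLATED:
        return server.translated_ip
    if policy == BASED_ON_TOPOLOGY:
        return server.original_ip if gw.behind_same_nat else server.translated_ip
    raise ValueError(f"unknown option: {policy}")


def reachability_issue(server: ManagementServer, gw: Gateway):
    """Flag a gateway outside the NAT being handed an RFC 1918 address it cannot
    route to; returns a message, or None when the choice is sound."""
    ip = ipaddress.ip_address(control_connection_ip(server, gw))
    if not gw.behind_same_nat and any(ip in net for net in RFC1918):
        return f"{gw.name}: would contact non-routable {ip} from outside the NAT"
    return None
```

Running `reachability_issue` over every managed gateway before installing policy shows which remote gateways would lose policy install and log collection under a given combination of settings.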