Using a "Hide behind IP address 0.0.0.0" as the translated source object
Using IP address 0.0.0.0 as a translated source IP address may have been a workaround in past versions of Check Point.
However, the functionality is effectively the same as using Automatic Address Translation: granularity and selectivity in enforcing translation are taken away from the administrator, which may have unintended consequences.
In complex network environments, where the administrator may need to enforce NAT between different internal and external network segments, it is a highly recommended best practice to explicitly define the source of the translated packet in a NAT rule.
For example, the administrator may need to create a Host object containing the cluster Virtual IP of one of the cluster interfaces, and use this as the translated source object in a NAT rule.
Check Point allows this because NAT rules, like security rules, use the defined objects' IP address and netmask to make Layer 3 decisions. The use of an "overlapping" IP address in this additional Host object is therefore not a problem.
Therefore, as much as possible, we recommend that administrators of complex systems use Manual NAT rules rather than Automatic NAT rules, and use additional Host objects in place of Security Gateway / Cluster objects when hiding behind non-external interfaces.
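As an added example (not part of this article and not Check Point's own code), the following script builds the recommended configuration with the Management API's mgmt_cli: a Host object carrying the cluster Virtual IP, then a manual Hide NAT rule whose translated source is that Host rather than 0.0.0.0 or the cluster object. The object names, addresses and policy package name are assumptions.

```shell
#!/bin/sh
# Added example: create the recommended manual Hide NAT configuration with mgmt_cli.
# All object names, addresses and the package name are assumptions (constructed).
# MGMT_CLI is deliberately unquoted when invoked so it may carry options; set
# MGMT_CLI=echo to preview the exact commands without touching a management server.
MGMT_CLI="${MGMT_CLI:-mgmt_cli -r true}"
PACKAGE="${PACKAGE:-Standard}"

# Host object holding the cluster VIP of the interface we want to hide behind.
# Overlapping with the cluster object's own address is fine: NAT and security
# rules match on the object's IP address and netmask, not on which object owns it.
create_vip_host() {
    # $1 = host object name, $2 = cluster VIP
    $MGMT_CLI add host name "$1" ip-address "$2" \
        comments "Cluster VIP used as explicit translated source for Hide NAT"
}

# Manual Hide NAT rule: traffic from $1 is hidden behind the Host object $2,
# so the translated source is an explicit, administrator-chosen address.
add_manual_hide_nat() {
    # $1 = original source object, $2 = translated source Host object
    $MGMT_CLI add nat-rule package "$PACKAGE" position top \
        method hide enabled true \
        original-source "$1" translated-source "$2" \
        comments "Manual Hide NAT behind cluster VIP (explicit translated source)"
}

# Publish the session; policy installation is still required for enforcement.
publish_changes() {
    $MGMT_CLI publish
}

# Only apply when explicitly asked, so the file can be sourced for review.
if [ "${1:-}" = "apply" ]; then
    create_vip_host "cluster-dmz-vip" "192.0.2.10"
    add_manual_hide_nat "internal-net" "cluster-dmz-vip"
    publish_changes
fi
```

Run `sh nat_vip.sh apply` on the management server, or `MGMT_CLI=echo sh nat_vip.sh apply` to print the commands first; an `install-policy` for the package follows the publish.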
Imported from Nokia support database