How to configure Management behind NAT in Security Gateway
Solution

Background: Although manual or automatic static NAT is configured for the Security Management Server, the Security Gateway 80 appliance still fetches policy from, and sends logs to, the real IP address of the Security Management Server instead of its NAT address.

The appliance recognizes that the Security Management Server is behind NAT only if the Automatic Static NAT property is configured on the Security Management Server object in SmartDashboard and "Apply for Security Gateway control connections" is selected.

Configure automatic static NAT on the Security Management Server object in SmartDashboard: 

  1. From the "Install on" drop-down list, choose the relevant gateway that performs the static NAT. 
  2. Select "Apply for Security Gateway control connections" and install policy on the appliance.

If manual NAT is already configured for the Security Management Server, there is no harm in leaving the manually created rule intact and having both NAT rules installed. You can also place the manual NAT rule well above the automatically created NAT rule; since the NAT rule base is matched top-down, the automatic rule will then never actually be matched.

Notes:

  • It is not enough to configure automatic static NAT on the Security Management Server object. "Apply for Security Gateway control connections" must also be selected for the appliance to connect to the Management Server's NAT IP address.
  • If the gateway that actually performs the static NAT for the Security Management Server is not managed by the same server that manages the appliance, you must create a dummy gateway object representing the real NAT gateway and select it in the "Install on" drop-down list. Choosing the appliance itself from the list and selecting "Apply for Security Gateway control connections" will not work.
  • The dummy gateway object must not be created as a Check Point Host object, as this causes SIC issues.
  • If the Management Server was already defined on the appliance and you want to change the override Management / Log Server IP address, open the "Management" page in the Gaia WebUI, click the "Test connection" button first, and then click the IP address hyperlink that appears to change the settings.
  • Alternatively, use the following CLISH command to set the Management and Log Server addresses:
    set security-management local-override-mgmt-addr
    For example: set security-management local-override-mgmt-addr true mgmt-address 172.30.74.45 send-logs-to local-override-log-server-addr addr 172.30.74.45

Customer question (1100 appliance):

Q: "After following these steps, the off-site 1100 appliance connects successfully to the Security Management Server and can fetch policy. However, my other on-site perimeter gateways can no longer fetch policy from the Security Management Server, nor send logs to the Security Management Server, because they are attempting to send logs to the NAT IP instead of the real IP of the Security Management Server."

A: It is possible to decide locally, in the 1100 appliance's WebUI (Security Management Server Connection screen), which Management and/or Log Server IP address the gateway will use, overriding the addresses carried in the policy.

This way the issue can be fixed for specific gateways (here, the off-site appliance that must use the NAT address) without disrupting the other gateways, which keep using the real address from the policy.
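Before setting the local override on a gateway, it helps to confirm which Management Server address that gateway can actually reach on the control-connection ports. The following reachability probe is an added example, not part of the SecureKnowledge article and not a Check Point tool: it tries TCP 18191 (CPD, policy fetch) and TCP 257 (FW1_log, log forwarding) against both the real and the NAT address and reports which one to put in the override. The real address 10.0.0.10, the SimulatedNetwork stand-in, and the function names are assumptions for illustration; the NAT address reuses the one from the CLISH example above.

```python
"""Probe Security Management control-connection reachability from a gateway.

Added example, not Check Point code. Run from the gateway's expert shell (with
--live) to see which Management Server address, real or NAT, this gateway can
reach before setting the local override in the WebUI or CLISH.
"""
import socket

# Ports from Check Point's predefined services for control connections.
CONTROL_PORTS = {
    "policy fetch (CPD, TCP 18191)": 18191,
    "log forwarding (FW1_log, TCP 257)": 257,
}

# Constructed addresses for illustration. The NAT address reuses the one in
# the article's CLISH example; the real address is an assumption.
REAL_MGMT_ADDR = "10.0.0.10"
NAT_MGMT_ADDR = "172.30.74.45"


def tcp_reachable(addr, port, timeout=3.0, connect=socket.create_connection):
    """True if a TCP handshake to addr:port completes within timeout.

    `connect` is injectable so the example can run offline (see SimulatedNetwork).
    """
    try:
        with connect((addr, port), timeout):
            return True
    except OSError:
        return False


def probe(addr, connect=socket.create_connection):
    """Map each control-connection service to whether addr answers on its port."""
    return {name: tcp_reachable(addr, port, connect=connect)
            for name, port in CONTROL_PORTS.items()}


def pick_mgmt_addr(candidates, connect=socket.create_connection):
    """Return (address, per-address results) for the first candidate on which
    every control port is reachable, or (None, results) if none qualifies.

    Listing the NAT address first mirrors what the policy makes the gateway do
    once "Apply for Security Gateway control connections" is selected.
    """
    results = {}
    for addr in candidates:
        results[addr] = probe(addr, connect=connect)
        if all(results[addr].values()):
            return addr, results
    return None, results


def override_command(addr):
    """The article's CLISH command, filled in with the address to override to."""
    return (f"set security-management local-override-mgmt-addr true "
            f"mgmt-address {addr} send-logs-to local-override-log-server-addr "
            f"addr {addr}")


class SimulatedNetwork:
    """Constructed stand-in for socket.create_connection: no packets are sent.

    Holds the set of (addr, port) pairs that 'answer'; anything else raises
    OSError, as a refused or timed-out connect would.
    """
    def __init__(self, reachable):
        self.reachable = set(reachable)

    def __call__(self, address, timeout=None):
        if address in self.reachable:
            return socket.socket()   # unconnected socket; closed by the 'with'
        raise OSError(f"simulated: {address[0]}:{address[1]} unreachable")


# Two constructed vantage points: an on-site perimeter gateway that can only
# reach the real address, and the off-site 1100 that can only reach the NAT one.
ON_SITE = SimulatedNetwork({(REAL_MGMT_ADDR, p) for p in CONTROL_PORTS.values()})
OFF_SITE = SimulatedNetwork({(NAT_MGMT_ADDR, p) for p in CONTROL_PORTS.values()})


if __name__ == "__main__":
    import sys
    # Pass --live to probe the real network; otherwise use the on-site simulation.
    connect = socket.create_connection if "--live" in sys.argv else ON_SITE
    chosen, results = pick_mgmt_addr([NAT_MGMT_ADDR, REAL_MGMT_ADDR], connect=connect)
    for addr, per_port in results.items():
        for name, ok in per_port.items():
            print(f"{addr:>15}  {name:<36} {'reachable' if ok else 'UNREACHABLE'}")
    if chosen is None:
        print("no candidate reachable on all control ports")
    else:
        print("use local override:", override_command(chosen))
```

Run without arguments it walks the simulated on-site case: the NAT address fails on both ports, the real address answers, and the script prints the CLISH override pointing at the real address. With `--live` on an actual gateway it performs real TCP connects, so make sure the probe source is the gateway interface that the Management Server expects control connections from.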

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
