Check Point manual NAT is a useful way to work around the limitations of automatic NAT. I generally mix the two depending on the scenario, even though there is a long-running CPUG thread disputing which is better: use automatic NAT wherever possible when a project or network is new, then roll out manual NAT gradually as more complex components are added.
Here is a recent scenario in which manual NAT was needed. A client had to reach the DMZ SFTP server 172.17.3.53 through the address 10.9.30.53. Automatic NAT would normally handle this in about thirty seconds of configuration. Unfortunately, 172.17.3.53 sits behind several Check Point firewalls and also has to be translated into another segment, so manual NAT was the only option.
1. In Global Properties > NAT, enable "Merge manual proxy ARP configuration" so that the local.arp file is read when policy is installed
2. Create the manual NAT rule (original destination 10.9.30.53, translated destination 172.17.3.53, static). If the server must also initiate connections, add the reverse rule that translates source 172.17.3.53 to 10.9.30.53; place manual rules above any automatic NAT rules
3. Add a manual proxy ARP entry to the local.arp file
echo "10.9.30.53 AA:BB:CC:DD:EE:FF" >> $FWDIR/conf/local.arp
Note: AA:BB:CC:DD:EE:FF stands for the MAC address of the SPLAT firewall's interface on the 10.9.30.0 segment (10.9.30.42 here); a real MAC has six octets. In a cluster, edit local.arp on every member separately, each with the MAC of that member's own interface.
4. Install the policy; this activates the NAT rule and merges the local.arp entry into the gateway's proxy ARP table.
5. Verify with the fw ctl arp command
[CP-FW]# fw ctl arp
(10.9.30.53) at AA:BB:CC:DD:EE:FF
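The steps above are easy to get subtly wrong when repeated on each cluster member or after a NIC replacement: a mistyped five-octet MAC, or a second line for the same IP with an old MAC, is what usually breaks the proxy ARP. The helper below is an added example written for this post, not code from the original article or any Check Point tool. It assumes the local.arp layout the post shows (one "IP MAC" pair per line, "#" comments allowed), takes the MAC from the Linux sysfs path SPLAT/Gaia expose, and refuses to append a conflicting entry; "eth1" in the usage comment is a placeholder interface name.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of the original post or of
# Check Point tooling). Appends a proxy-ARP line to local.arp for a manual-NAT
# address, validating the syntax and refusing duplicate or conflicting entries.
# Assumed file layout: one "IP MAC" pair per line, "#" comments allowed.

# Print the MAC of a Linux interface (SPLAT/Gaia expose it under /sys).
iface_mac() {
    cat "/sys/class/net/$1/address" 2>/dev/null
}

# Syntax checks: dotted-quad IPv4 and a 6-octet colon-separated MAC.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# MAC currently recorded for an IP in the given local.arp file (empty if none).
recorded_mac() {
    # $1 = file, $2 = IP
    awk -v ip="$2" '$1 !~ /^#/ && $1 == ip { print tolower($2); exit }' "$1" 2>/dev/null
}

# add_proxy_arp FILE IP MAC
#   0  entry written, or already present with the same MAC (idempotent)
#   1  bad IP or MAC syntax (e.g. a five-octet MAC)
#   2  IP already mapped to a different MAC (stale line, e.g. after a NIC swap);
#      refuse rather than leave two candidate lines in the file
add_proxy_arp() {
    file="$1"; ip="$2"; mac=$(echo "$3" | tr 'A-F' 'a-f')
    valid_ipv4 "$ip" && valid_mac "$mac" || return 1
    existing=$(recorded_mac "$file" "$ip")
    if [ -n "$existing" ]; then
        [ "$existing" = "$mac" ] && return 0
        return 2
    fi
    printf '%s %s\n' "$ip" "$mac" >> "$file"
}

# Number of live (non-comment) entries in the file.
entry_count() {
    awk '$1 !~ /^#/ && NF >= 2 { n++ } END { print n+0 }' "$1" 2>/dev/null
}

# Typical use on the gateway (run on every cluster member, each with its own MAC;
# eth1 is a placeholder for the interface on the 10.9.30.0 segment):
#   add_proxy_arp "$FWDIR/conf/local.arp" 10.9.30.53 "$(iface_mac eth1)"
# then install policy and confirm with: fw ctl arp
```

A return code of 2 is the case worth stopping on: it means the member already claims the address with another MAC, and the right fix is to remove the stale line deliberately rather than append a second one.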
This article describes a way of using manual NAT configuration in a complex network environment. When a client needs to reach a DMZ SFTP server through a specific IP address and multiple Check Point firewalls are involved, manual NAT is an effective way to deal with the varying paths. The article records the manual NAT configuration steps in detail, including the Global Properties setting, rule creation, editing the ARP file and installing the policy.