
Quantum Spark 1570: dynamic object in the translated source column cannot be resolved. for more details see sk166457

When operating CheckPoint’s Quantum Spark 1570 and similar appliances, it is common practice to port-forward services that should be exposed to the internet. One could create a “server”, let’s say for WireGuard VPN on port 51820, and forward this specific port to one specific machine on the local network.

The Quantum Spark appliance will do the rest, like adding a firewall rule to actually allow the traffic. Et voila, you can connect to your WireGuard VPN.

However, when using the dynamic NAT feature, which is the default, at some point your service, in my case WireGuard, could be blocked again. Specifically, this happens after restarting the appliance when using IPv4+IPv6.

Why is that? Dynamic NAT rules on the 1570 use Dynamic Objects (objects that reference the current IP of an interface). After a reboot, especially with IPv6 auto-configuration (SLAAC/DHCPv6), the interface’s IPv6 address or prefix has changed. NAT rules referencing the old dynamic object no longer match the new interface address. The firewall throws the SK166457 error.

Solution? Use a non-changing IPv6 network or set the NAT to static. Likely the NAT will be IPv4 only, so it is perfectly fine to statically bind to a single, external IPv4 address.
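Whether the IPv6 prefix really changes across a reboot can be checked by comparing two captures of `ip -6 -o addr show` from a Linux host on the affected segment. The following is an added example, not part of the original post: the interface name `eth0`, the helper names and both captures are constructed (documentation prefix 2001:db8::/32). It compares prefixes rather than full addresses, so rotating privacy (temporary) addresses are not mistaken for a prefix change.

```python
import ipaddress

# Constructed captures of `ip -6 -o addr show`, taken before and after a reboot.
BEFORE = r"""
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:aa00:1:5c1e:77ab:9d00:1234/64 scope global temporary dynamic \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 2001:db8:aa00:1:a1b2:c3ff:fed4:e5f6/64 scope global dynamic mngtmpaddr \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 fe80::a1b2:c3ff:fed4:e5f6/64 scope link \       valid_lft forever preferred_lft forever
"""
AFTER = r"""
2: eth0    inet6 2001:db8:bb42:1:9e0f:11cd:4400:beef/64 scope global temporary dynamic \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 2001:db8:bb42:1:a1b2:c3ff:fed4:e5f6/64 scope global dynamic mngtmpaddr \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 fe80::a1b2:c3ff:fed4:e5f6/64 scope link \       valid_lft forever preferred_lft forever
"""

def global_prefixes(ip_output, iface):
    """Return the set of global-scope IPv6 networks configured on iface."""
    prefixes = set()
    for line in ip_output.splitlines():
        f = line.split()
        # Expected fields: "2:", "eth0", "inet6", "addr/len", "scope", "global", ...
        if len(f) < 6 or f[1] != iface or f[2] != "inet6":
            continue
        if f[4:6] != ["scope", "global"]:
            continue  # skip link-local and loopback addresses
        prefixes.add(ipaddress.ip_interface(f[3]).network)
    return prefixes

def prefix_change(before, after, iface):
    """Compare two captures; 'lost' prefixes are the ones a stale object still points at."""
    old, new = global_prefixes(before, iface), global_prefixes(after, iface)
    return {
        "stable": sorted(str(n) for n in old & new),
        "lost": sorted(str(n) for n in old - new),
        "gained": sorted(str(n) for n in new - old),
    }

if __name__ == "__main__":
    result = prefix_change(BEFORE, AFTER, "eth0")
    print(result)
    if result["lost"]:
        print("IPv6 prefix changed across the reboot; a rule bound to the old address will not match.")
```

If `lost` stays empty over several reboots, the prefix is effectively stable; otherwise the static IPv4 binding is the safer choice.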

So far I have had a mixed experience with CheckPoint and Quantum Spark devices. Sometimes things are overcomplicated. But the worst part: pretty much all of CheckPoint’s Knowledge Base (also the sk166457 article) is behind a login wall. That would not pose a problem, but even after creating a private account, the information stays hidden to authorized personnel with some kind of special permission. Solutions therefore must be found manually. That’s bad…