
Checkpoint firewalls have two NAT modes: Static NAT (1-to-1 internal IP to external IP) and Hide NAT, which is called "overload" in Cisco and so on.

It is not stated clearly, but it seems that Static NAT doesn't change any port numbers, only IPs.

Hide NAT, in contrast, changes the source port of an outgoing packet to some random "dynamically assigned" one, and then installs a rule in the table which allows for reverse packet translation. This rule is removed on a clear connection end (TCP FIN, RST) or on timeout. This is what basically all current NAT-capable devices always do.

I have only one external IP address, so I am required to use the Hide NAT variant. However, I want to augment it slightly, as I have a very special host inside, which runs a very special service, which doesn't particularly like to have its source port number changed and randomly selected. I need a standard Hide NAT which uses for "dynamic allocation" all ports except one (say, don't translate anything to UDP 33333), and packets of this particular service from this particular port should always and only be translated to this port number.

In Linux I can easily do this with these rules:

# SNAT is only valid in the POSTROUTING chain of the nat table; first match wins.
# Rule 1: the special service keeps its source port (1-to-1 port mapping).
iptables -t nat -A POSTROUTING -s MY-SPECIAL-HOST -p udp --sport MY-SPECIAL-SERVICE-PORT -j SNAT --to-source MY-WHITE-IP:MY-SPECIAL-SERVICE-PORT
# Rule 2: all other UDP from the LAN is hidden behind a port range that stops just below the special port.
iptables -t nat -A POSTROUTING -s MY-LOCAL-NETWORK -p udp -j SNAT --to-source MY-WHITE-IP:10000-[MY-SPECIAL-SERVICE-PORT - 1]
# Rule 3: everything else from the LAN is hidden behind the external IP, port chosen by the kernel.
iptables -t nat -A POSTROUTING -s MY-LOCAL-NETWORK -j SNAT --to-source MY-WHITE-IP

(I know this limits the number of ports for outgoing UDP conversations; this is not an issue, as the actual service port is somewhere near the end of the range.)

How do I achieve the same in Checkpoint? I have GAIA R77.10 ClusterXL with two members, if this matters.

Nikita Kipriyanov

1 Answer


You can change the port with static NAT, source and destination. Just look at the NAT tab of the policy: on the left there's the original packet (the condition that has to match to trigger the translation) and on the right you have the translated packet where you can make the needed changes. So, all you have to do is create a rule for your special host with static NAT and a second rule with the hide NAT for the other stuff.

TabTwo
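To make the ordering of the question's three iptables rules and the answer's two-rule Checkpoint rule base concrete, here is an added toy model (not code from either post, and not Checkpoint or netfilter code): a first-match rule base where the special host's service keeps its port, every other UDP flow gets a Hide NAT port from a pool that deliberately stops just below the special port, and a reverse-translation table maps replies back. The addresses and the port 33333 are assumed placeholder values.

```python
# Toy model of the NAT rule base discussed above (first match wins).
# Addresses and ports are constructed placeholders, not from the original post.
from dataclasses import dataclass, field

SPECIAL_HOST = "10.0.0.5"      # stands in for MY-SPECIAL-HOST
SPECIAL_PORT = 33333           # stands in for MY-SPECIAL-SERVICE-PORT (UDP 33333 in the question)
WHITE_IP = "203.0.113.1"       # stands in for MY-WHITE-IP (TEST-NET-3 documentation range)
LOCAL_NET = "10.0.0."          # stands in for MY-LOCAL-NETWORK, matched by prefix


@dataclass
class HideNat:
    """Hide NAT ('overload'): rewrite the source to WHITE_IP plus a pool port."""
    pool: list                                   # ports still free for dynamic allocation
    table: dict = field(default_factory=dict)    # ext_port -> (orig_src_ip, orig_src_port)

    def translate(self, src_ip, src_port):
        if not self.pool:
            raise RuntimeError("hide NAT port pool exhausted")
        ext_port = self.pool.pop(0)              # a real device picks randomly; FIFO keeps the toy deterministic
        self.table[ext_port] = (src_ip, src_port)
        return WHITE_IP, ext_port

    def reverse(self, ext_port):
        """Lookup used for the reply packet (a real entry is dropped on FIN/RST or timeout)."""
        return self.table.get(ext_port)


# Pool is 10000 .. SPECIAL_PORT-1, so SPECIAL_PORT can never be handed out dynamically.
HIDE = HideNat(pool=list(range(10000, SPECIAL_PORT)))


def snat(src_ip, proto, src_port):
    """Apply the rules in order and return (translated_ip, translated_port)."""
    # Rule 1 (static, port-preserving): the special service on the special host.
    if src_ip == SPECIAL_HOST and proto == "udp" and src_port == SPECIAL_PORT:
        return WHITE_IP, SPECIAL_PORT
    # Rule 2: any other UDP from the LAN is hidden behind the restricted pool.
    if src_ip.startswith(LOCAL_NET) and proto == "udp":
        return HIDE.translate(src_ip, src_port)
    # Rule 3: other LAN traffic is hidden too (the toy reuses the same pool; Linux lets the kernel pick).
    if src_ip.startswith(LOCAL_NET):
        return HIDE.translate(src_ip, src_port)
    return src_ip, src_port                      # not from the LAN: no translation


if __name__ == "__main__":
    print(snat(SPECIAL_HOST, "udp", SPECIAL_PORT))   # ('203.0.113.1', 33333)
    ext = snat("10.0.0.7", "udp", SPECIAL_PORT)      # another host using the same port is NOT pinned
    print(ext, HIDE.reverse(ext[1]))                 # ('203.0.113.1', 10000) ('10.0.0.7', 33333)
```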