Started loving R80.10, but still need to explore more.
Have a question: does R80.10 support Hide behind many IP addresses (like a range or pool of addresses), or do we still need to divide the sources if the scaling crosses 50k ports?
It's a little more complicated than just 50,000 connections going to the same destination, as described here: Dynamic NAT port allocation feature
In general, though, you can only specify one address as the source IP for a HIDE address, which should still also apply to R80.10.
Probably in future releases. Thanks Dameon for the prompt reply.
Sorry to come in so late on this thread, but what I would call "many-to-fewer" hide NAT is most definitely possible via manual NAT rules and has been around since R75. It is not really documented but it definitely does work, subject to the following:
1) Manual NAT must be used
2) In Original Source put the inside network object to hide
3) Translated Source of the manual NAT rule MUST be an IP Address Range object (a network object will not work), configured with the routable range of "fewer" addresses to hide behind
4) By default after adding the range object in Translated Source it will be set to static, right-click and force it to Hide
5) Because you are almost certainly plucking these "fewer" addresses from your routable range of addresses located on the dirty subnet between the firewall's external interface and the perimeter router, you must add manual static proxy ARPs for ALL addresses in the "fewer" range. Failing to add static proxy ARPs for every address in the "fewer" range will cause random-looking failures for some internal hosts and not others.
If you are running R80.10 gateway though check out sk114395: Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10. Edit: I recently saw a many-to-fewer NAT setup utilizing this new Auto Proxy ARP feature on a R80.10 gateway and it worked great!
As I recall the selection of which "fewer" IP address to hide a particular internal host behind depends on that host's IP address. So if we are using 192.168.1.0/24 internally and hiding behind 188.8.131.52 - 184.108.40.206, internal host 192.168.1.3 might draw 220.127.116.11 for all its connections while 192.168.1.134 might draw 18.104.22.168 for all its connections. I don't think the "fewer" address associated to an internal IP will ever change though (unless the "fewer" IP range changes) so there must be some kind of static hash function at work here. This behavior is mentioned here:
sk105302: Traffic NATed behind an Address Range object is always NATed behind the same IP address
The even distribution of internal addresses to external "fewer" addresses will never be perfect of course, but will allow one to go well beyond the 50k limit of concurrent connections being hidden by a single hide NAT rule. I just tried it in my R80.10 lab for grins and this setup still works.
-- My book "Max Power: Check Point Firewall Performance Optimization" now available via http://maxpowerfirewalls.com.
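As an added illustration (not part of the post above or any Check Point code), the following Python model reproduces the behaviour the post describes: each internal host is pinned to one address of the "fewer" range, a missing proxy ARP breaks exactly the hosts pinned to the unannounced address, and the concurrent-connection budget grows with the size of the range. The hash used to pick the hide address is an assumption standing in for the undocumented selection function, and all addresses are constructed lab values.

```python
import hashlib
import ipaddress

# Constructed lab values, not taken from any real gateway.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
HIDE_RANGE = [ipaddress.ip_address("203.0.113.10") + i for i in range(4)]  # the "fewer" addresses
PORTS_PER_HIDE_IP = 50_000  # the per-hide-address rule of thumb quoted in the thread


def pick_hide_address(src, hide_range):
    """Deterministically map one internal host to one address of the hide range.

    ASSUMPTION: Check Point's real selection function is not documented; sk105302 only
    states that a given source is always hidden behind the same IP. A SHA-256 of the
    source address stands in for it here, which gives the same stickiness property."""
    src = ipaddress.ip_address(src)
    digest = hashlib.sha256(src.packed).digest()
    return hide_range[int.from_bytes(digest[:4], "big") % len(hide_range)]


def build_mapping(net, hide_range):
    """Hide address chosen for every host of the internal network."""
    return {src: pick_hide_address(src, hide_range) for src in net.hosts()}


def distribution(mapping):
    """How many internal hosts landed behind each hide address (never perfectly even)."""
    counts = {}
    for hide in mapping.values():
        counts[hide] = counts.get(hide, 0) + 1
    return counts


def hosts_broken_by_missing_proxy_arp(mapping, proxy_arp_entries):
    """Internal hosts that would fail 'randomly' because their hide address has no proxy ARP."""
    return sorted(src for src, hide in mapping.items() if hide not in proxy_arp_entries)


def aggregate_capacity(hide_range):
    """Rough concurrent-connection ceiling for the whole range, 50k per hide address."""
    return PORTS_PER_HIDE_IP * len(hide_range)


if __name__ == "__main__":
    mapping = build_mapping(INTERNAL_NET, HIDE_RANGE)
    print("hosts per hide address:", {str(k): v for k, v in distribution(mapping).items()})
    # Simulate forgetting the proxy ARP for the last address of the range (step 5 above).
    configured = set(HIDE_RANGE[:-1])
    broken = hosts_broken_by_missing_proxy_arp(mapping, configured)
    print(f"{len(broken)} internal hosts would fail, e.g. {[str(h) for h in broken[:3]]}")
    print("aggregate hide capacity:", aggregate_capacity(HIDE_RANGE))
```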
Thanks a lot Tim, this really helps.
Here is a screenshot from the Second Edition of my book Max Power that summarizes how to set this up:
-- My Book "Max Power: Check Point Firewall Performance Optimization" Second Edition Coming Soon