topic Re: GNAT curiosity in Firewall and Security Management

GNAT curiosity

Luis_Miguel_Mig — Mon, 01 Mar 2021 14:02:03 GMT

I was looking at the new GNAT feature and considering it as something good to have but then I realized that it is not recommended if the number of core workers is less than 6.
I am just curious about what is the reason.
In my environment I am running 3 core workers for example.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk165153

Re: GNAT curiosity

PhoneBoy — Mon, 01 Mar 2021 16:57:57 GMT

It may be that when you don’t have enough cores to work with, there isn’t enough of a benefit of GNAT.
It’s a good question, though.

Re: GNAT curiosity

Luis_Miguel_Mig — Mon, 01 Mar 2021 17:20:43 GMT

Well in my case with 3 workers I guess that I could *3 the pool size which is quite good.
Perhaps there may be a negative performance impact more noticeable with less workers ?

Re: GNAT curiosity

Timothy_Hall — Mon, 01 Mar 2021 19:51:15 GMT

The pooling of source ports for Hide NAT between the various worker cores will be statically assigned if there are less than 6 worker cores. In this case it is more likely for a certain worker core to run out of source ports if it happens to draw a large number of connections from the Dynamic Dispatcher that are Hide NATted behind the same outside IP address.

When there are 6 or more worker cores present, Hide NAT source port pooling is fully dynamic between all the worker cores. This effect was mentioned in the second edition of my book (because it required a manual kernel tweak to enable dynamic allocation), but removed from the third edition once dynamic allocation became automatically enabled with 6+ worker cores defined. See here: sk103656: Dynamic NAT port allocation feature