topic Re: NAT Timeout in Firewall and Security Management

NAT Timeout

GregorioLujan — Fri, 27 Aug 2021 10:23:49 GMT

Hello.

Platform: ClusterXL (Two 15600 Gateways) Active/Passive

Version: R80.10

In the internet traffic in which I perform translation whit one public-IP (PAT) in a NAT policy, I observe the following:

Same combination of Tranlated-Source.IP-address + Tranlated-Source-Port (different Dest.Address) is used few seconds after is used in another TCP session.

Do you know haw can I verify the NAT timeout (time after the gateway can use the same "Tranlated-Source.IP-address + Tranlated-Source-Port")?

Can I change thie timeout or change this behabiour?

In the file attached, same Tranlated-Source.IP-address and Tranlated-Source-Port are used every few seconds, at:

12:39:13
12:39:10
12:39:05

I need to avoid that.

Thank you very much.

Re: NAT Timeout

Timothy_Hall — Fri, 27 Aug 2021 11:54:51 GMT

What value is being displayed by this command:

fw ctl get int fwx_nat_dynamic_port_allocation_entry_timeout

It should display 120 seconds, which is how long the firewall is supposed to wait before reusing a Hide NAT source IP/source port combo, see sk103656: Dynamic NAT port allocation feature

Re: NAT Timeout

GregorioLujan — Mon, 30 Aug 2021 07:17:04 GMT

Hello.

Thank you very much Timothy for reply.

The output is 120 seconds.
"fwx_nat_dynamic_port_allocation_entry_timeout = 120"

As I understand it, "Dynamic NAT port allocation" is not enabled in my gateways:

For R80.10
Note: When the Number of CoreXL FW instances is less than 6, the Dynamic NAT port allocation is disabled by default.

fwx_nat_dynamic_port_allocation
On versions R80.10 and above: 1 - enable dynamic NAT port allocation only when the number of CoreXL FW instances is greater than 5

Output for "fw ctl get int fwx_nat_dynamic_port_allocation" >> fwx_nat_dynamic_port_allocation = 1

And I supose the value of "fwx_nat_dynamic_port_allocation_entry_timeout" (120 secods), aply when Dynamic NAT port allocation is enabled.

On the other hand, I am not sure if the value of "fwx_nat_dynamic_port_allocation_entry_timeout" [Amount of time (in seconds) the Security Gateway will wait before reusing old/previously used ports] aply only to the connecions to the same destination IP address:

"The ranges are also keyed by the Destination IP address, so each Destination IP address gets a separate allocation."

In my case, I need to the gateway not use the same port even if it is to a different address, at least until after a few minutes if possible

Thank you, regards.