topic Re: (nat disallows) in Firewall and Security Management

(nat disallows)

Moudar — Fri, 27 Sep 2024 14:28:59 GMT

Why would NAT disallow SecureXL templating?

Running this debug:

fwaccel dbg -m tmpl + tmpl

Shows messages like this one:

cphwd_create_template: Trying to create template for conn: <dir 1, 10.10.51.96:51137 -> 8.8.8.8:53 IPP 17> Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];cphwd_get_sdwan_templates_info: sdwan not active. tmpl allowed Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];get_connkey_template: Conn <dir 1, 10.10.51.96:51137 -> 8.8.8.8:53 IPP 17> cannot be offloaded as template (nat disallows) Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];get_connkey_template: template is not possible. flags=0x40000048, unsupported_flags=0x40000048 reason: NAT Disallowed Conn

Running this command:

fwaccel templates -R

Shows that Prevented By Policy Rules |272089470 |60.340 % decreasing and NAT Disallowed Conn |55142899 |12.229 % increasing!

fwaccel templates -R Matched connections not allowed to use templates: % Prevention : 1.278% Reason Count Reason Prevented From Matched % Non-Syn/Empty First Packet |311689 |0.827 % Src/dst IP Blacklisted |170192 |0.452 % Dynamic VPN Connection |2 |0.000 % -------------------- Connections failed to create templates: % Fail to Create : 76.029% Reason Count Reason Fail To Create % NON TCP/UDP PROTO |4814005 |1.068 % Conn Not Accelerated |9462382 |2.098 % NAT Disallowed Conn |55142899 |12.229 % DHCP Check Feature Isn't Supported Or Disabled|15 |0.000 % General Error |1037801 |0.230 % Malicious Destination IP Detected |285648 |0.063 % Prevented By Policy Rules |272089470 |60.340 %

What could be wrong in the NAT rules that prevents templating?

I haven't found any information about this in the admin guides.

Re: (nat disallows)

the_rock — Fri, 27 Sep 2024 14:40:52 GMT

https://support.checkpoint.com/results/sk/sk153832

I know below sk shows R80.20 and lower, but I see same values in R81.20

Andy

https://support.checkpoint.com/results/sk/sk71200

Re: (nat disallows)

the_rock — Fri, 27 Sep 2024 14:44:29 GMT

@Moudar

My lab.

Andy

************************

[Expert@CP-GW:0]# fw ctl get int cphwd_nat_templates_support
cphwd_nat_templates_support = 1
[Expert@CP-GW:0]# fw ctl get int cphwd_nat_templates_enabled
cphwd_nat_templates_enabled = 1
[Expert@CP-GW:0]# cpinfo -y fw1

This is Check Point CPinfo Build 914000248 for GAIA
[FW1]
HOTFIX_TEX_ENGINE_R8120_AUTOUPDATE
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 84
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R81.20 - Build 037
kernel: R81.20 - Build 045

[Expert@CP-GW:0]#

Re: (nat disallows)

PhoneBoy — Fri, 27 Sep 2024 16:23:32 GMT

From sk32578, Accelerated NAT is not supported if:

NAT64 / NAT46 when it is not a TCP / UDP protocol.
Early NAT (VoIP).
The protocol is not TCP / UDP / SCTP.

Re: (nat disallows)

Moudar — Sat, 28 Sep 2024 17:35:05 GMT

Our environment is clean IPv4

No VOIP

Because 70% of all connections are not templating, these connections (70%) cannot be other than TCP or UDP

95% of NAT rules have service=any

using

fwaccel dbg -m default + nat

I could find this log:

Sep 28 19:11:00 2024 fw01 kernel:[fw4_5];cphwd_create_template: Trying to create template for conn: <dir 1, 10.8.0.12:53318 -> 199.77.120.120:53 IPP 17> Sep 28 19:11:00 2024 fw01 kernel:[fw4_5];cphwd_get_nat_templates_info: nat template is not allowed (fwx)

What does fwx mean?

Re: (nat disallows)

the_rock — Sat, 28 Sep 2024 18:13:54 GMT

Might be worth opening TAC case to investigate this further.

fwx_cache is used to cache all NAT table policy lookups.

Andy

Re: (nat disallows)

Timothy_Hall — Sun, 29 Sep 2024 19:26:22 GMT

Are you only seeing this NAT disallow for DNS (UDP 53) traffic? Is Anti-bot enabled? It could be the new R81.20 under-the-hood DNS protections (sk178487 & sk175623) keeping the NAT template from being formed to ensure a full rulebase lookup in F2F/slowpath, and causing Deep Inspection to happen on a Firewall Worker Core to implement these features. That would be my guess.

Re: (nat disallows)

Moudar — Mon, 30 Sep 2024 06:46:34 GMT

Anti-bot is active under Autonomous Threat prevention

get_connkey_template: template is not possible. flags=0x40000028, unsupported_flags=0x40000028 reason: NAT Disallowed Conn

I could not find any other "disallow" log

So, is that a normal process to disallow NAT tamplating?

Re: (nat disallows)

PhoneBoy — Mon, 30 Sep 2024 16:00:19 GMT

While I'm with @Timothy_Hall this is probably related to the DNS protections in R81.20, suggest opening a TAC case to confirm this is expected behavior.

Re: (nat disallows)

Moudar — Mon, 30 Sep 2024 17:11:11 GMT

Should we expect that the 'Prevented By Policy Rules' metric decreases while 'NAT Disallowed Conn' increases at the same rate?

By comparing the outputs of the fwaccel templates -R command above and here, is it expected that as the first value declines, the second is rising proportionally?!

fwaccel templates -R Matched connections not allowed to use templates: % Prevention : 1.317% Reason Count Reason Prevented From Matched % Non-Syn/Empty First Packet |380192 |0.892 % Src/dst IP Blacklisted |181168 |0.425 % Dynamic VPN Connection |2 |0.000 % -------------------- Connections failed to create templates: % Fail to Create : 74.072% Reason Count Reason Fail To Create % NON TCP/UDP PROTO |4977799 |1.037 % Conn Not Accelerated |10075926 |2.100 % NAT Disallowed Conn |66885040 |13.940 % DHCP Check Feature Isn't Supported Or Disabled|22 |0.000 % General Error |1065069 |0.222 % Malicious Destination IP Detected |294264 |0.061 % Prevented By Policy Rules |272106949 |56.712 % ------------------- fw01>

Re: (nat disallows)

PhoneBoy — Mon, 30 Sep 2024 18:30:27 GMT

Prevented by Policy Rules refers to the Access Policy, not NAT.
NAT has it's own entry in fwaccel templates output.

Pretty sure these counters are since last reboot (or possibly last cpstop/cprestart).
Which is why, after you made the changes we suggested, that counter is going down.

Re: (nat disallows)

Moudar — Mon, 30 Sep 2024 21:10:47 GMT

Prevented By Policy Rules is going down that is correct, but NAT Disallowed Conn is going up at the same rate.

So, if Prevented By Policy Rules goes down with 1%, NAT Disallowed Conn goes 1% up.

NON TCP/UDP PROTO |4986278 |1.036 % Conn Not Accelerated |10148333 |2.109 % NAT Disallowed Conn |67469139 |14.023 % DHCP Check Feature Isn't Supported Or Disabled|22 |0.000 % General Error |1065685 |0.221 % Malicious Destination IP Detected |294399 |0.061 % Prevented By Policy Rules |272139968 |56.564 %

Re: (nat disallows)

PhoneBoy — Tue, 01 Oct 2024 00:01:49 GMT

That begs the question: what precise changes were made in your rulebase?
What did the rules look like before?

This is probably going to require TAC.

Re: (nat disallows)

the_rock — Tue, 01 Oct 2024 00:16:21 GMT

That makes total sense, agree.

Re: (nat disallows)

Moudar — Tue, 01 Oct 2024 06:23:15 GMT

First of all i had a rule with "logical server" (we managed to remove it) that was blocking SecureXL, then

I followed what Tim Hall said here:

https://community.checkpoint.com/t5/General-Topics/VPN-disturbances/m-p/226354#M37793

"you have a blade other than "Firewall" enabled in the top/parent layer of a unified/inline policy implementation."

In my case, it was the URL Filtering blade that was enabled on multiple inline layers within the access policy. After deactivating these, the Prevented By Policy Rules began to decrease, while NAT Disallowed Conn started to increase.

Re: (nat disallows)

PhoneBoy — Tue, 01 Oct 2024 14:31:35 GMT

Ah, yes, I remember the conversation now.
Have you opened a TAC case on this yet?

Re: (nat disallows)

Moudar — Tue, 01 Oct 2024 14:34:52 GMT

Not yet, I am trying to understand what is happening first 😀

Re: (nat disallows)

PhoneBoy — Tue, 01 Oct 2024 15:57:46 GMT

To come to the understanding you are seeking, specific debugs will need to be done.
I'd start with these: https://support.checkpoint.com/results/sk/sk60343

Depending on what those debugs say, TAC may need to be involved to make further progress.