topic Re: Netscope Failure with Hide NAT in General Topics

Netscope Failure with Hide NAT

Rick_Modisette — Mon, 23 Aug 2021 22:21:40 GMT

Hi All,

R80.40 mgmt R80.10 gateways

Trying to implement Netscope web content filtering. They are using 'conditional routing' on ports 80 and 443 to a load balancer. A static NAT works perfectly. A hide NAT is either painfully slow or get a message back from the active gateway that it can't connect to the remote site.

Any ideas on where to start?

Thank you

Re: Netscope Failure with Hide NAT

PhoneBoy — Tue, 24 Aug 2021 00:41:40 GMT

What kind of troubleshooting have you done here with tcpdump, fw ctl zdebug, or similar?
In any case, it's highly recommended you upgrade those R80.10 gateways to a newer release.

Also, in R81, you can actually build the GRE tunnel on the gateways themselves.

Re: Netscope Failure with Hide NAT

the_rock — Tue, 24 Aug 2021 01:34:25 GMT

Hide NAT is slow...hm, thats tricky problem. So if I get this right, are you saying hide nat does actually work, but with a delay? As phoneboy mentioned, I think doing those captures and debug might help. I know this might be long shot, but maybe do fwaccel off command, just to rule out securexl causing the problem.

Re: Netscope Failure with Hide NAT

Rick_Modisette — Tue, 24 Aug 2021 15:56:48 GMT

Thank you PhoneBoy.

In some initial testing, we shut down all the tunnels on the load balancer except one and captured some traffic there. Here's part of the convo so far:

Engineer:

The "Our department" segments its internal networks from the rest of the City behind a Checkpoint firewall. Several "Department's" internal networks overlap City nets so they NAT their outbound traffic. During testing we found that a 1 to 1 static NAT is successful with no performance issues. If "Department" hides the same system IP behind the external firewall interface they experience severe performance issues. If "Department" configures the same system using a many to one (PAT) they experience severe performance issues.
We captured traffic and a reset is returned. I am unsure if the reset is from netskope or the target website.

Netscope response:

With PAT implementation, traffic from multiple users will get mapped to a single inner IP and hence all traffic will land on a single worker thread. That will have a performance impact. Hence, with the current GRE implementation, it is not recommended to NAT the end user traffic before going through the GRE tunnel.

LoL This is why we are using a load balancer. I do like the idea of initiating the gre tunnel from our gateway for our department. We will see how that goes over.

Sounds like the best plan for me is to upgrade my gateways first. I will get that done and report back.....

Re: Netscope Failure with Hide NAT

Rick_Modisette — Tue, 24 Aug 2021 16:02:28 GMT

Thank you Rock. It does work once in a while. Most of the time, the browser times out. I will try your suggestion next time we get together for a test....

Re: Netscope Failure with Hide NAT

PhoneBoy — Tue, 24 Aug 2021 16:12:47 GMT

That suggests the issue is not with the Check Point appliance, but with Netskope.
In which case, doing a 1-1 NAT is definitely the recommended approach.

Re: Netscope Failure with Hide NAT

the_rock — Tue, 24 Aug 2021 17:10:02 GMT

I know TAC would ask you to do that 99% of the time anyway, so you might as well do it beforehand yourself : )