hey,
we have one firewall where every SSH connection that goes through it has a delay of 5 seconds, and it happens only on the first connection; after the first connection the next connections are immediate for a few minutes, and after some time with no activity it happens again.
after some troubleshooting I saw this log 3 times when it happened, using fw ctl zdebug + drop:
fw_log_drop_ex: Packet proto=6 10.0.0.1:6489 -> 10.20.20.20:22 dropped by fw_first_packet_xlation Reason: NAT rulematch required HOLD - vanishing packet;
the gateway in question is R81.20 take 41
currently I am out of options as to why that happens; I would be grateful if someone could help me.
The reason for this error is that the gateway couldn't determine the correct NAT translation for the first packet; it is often due to NAT port exhaustion, misconfigured Hide NAT rules, or hidden protocol issues (like GRE/SIP).
- Check logs for "NAT port is not enough": confirms port exhaustion.
- Verify NAT rules: ensure the manual or automatic NAT rule is active, correct, and matches the packet source/destination.
- Check for Hide NAT limits: review whether many devices are sharing one IP. You may need to add more IPs to the NAT pool.
- Debug traffic: run `fw ctl zdebug + drop | grep xlate` or `fw ctl zdebug -m fw + drop xlate` to see the exact failure reason.
In the debug I see the correct NAT rule is matched, and we don't have any issues with it.
Also we don't have NAT exhaustion or anything like that.
1) Do you have domain objects used in your Access Control policy, especially non-FQDN ones? If so, and the firewall has URL filtering enabled, you really should replace them with Custom Application/Site objects if they only need to match web-based traffic.
sk184096: First packet delays for around 10 seconds due to pending WSDNSD DNS lookup over TCP
sk182103: Initial packet (SYN or 1st UDP) to a specific subnet is delayed for 6 seconds
2) Also, check your DNS settings in the gateway's Gaia OS, and ensure all configured DNS servers are correct and responding quickly with nslookup/dig. Removing any slow/nonexistent DNS servers will help a lot.
3) Less likely, but it could be Hide NAT port exhaustion. Search your logs for "NAT Hide Failure" or "exhausted". You can also view the top 2 NAT pools with the highest utilization live on the cpview screen Advanced...NAT...Pool-IPv4. You can increase the number of top NAT pools displayed from 2 to up to 200 by tweaking the fwx_alloc_top_pools_num kernel variable.
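One way to quantify the first-connection pattern from the original post, and to check the DNS/FQDN-cache explanation suggested above, is to time repeated TCP connects to port 22 in bursts separated by an idle gap and see whether only the first attempt of each burst is slow. This is an added example written for this page, not code from the thread or from Check Point; the target host, the idle gap and the 1-second "delayed" threshold are assumptions.

```python
import socket
import time
from collections import defaultdict

def measure_connect_ms(host, port, timeout=10.0):
    """Time the TCP handshake to host:port in milliseconds; None if it failed."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError:
        return None
    return (time.monotonic() - start) * 1000.0

def classify(latencies_ms, threshold_ms=1000.0):
    """Classify one burst of connect timings (None counts as delayed) as
    'ok', 'first_packet_delay', 'always_slow', 'intermittent' or 'no_data'."""
    if not latencies_ms:
        return "no_data"
    slow = [ms is None or ms >= threshold_ms for ms in latencies_ms]
    if not any(slow):
        return "ok"
    if all(slow):
        return "always_slow"
    if slow[0] and not any(slow[1:]):
        return "first_packet_delay"
    return "intermittent"

def summarize(results, threshold_ms=1000.0):
    """Group (burst, attempt, ms) tuples by burst and classify each burst."""
    by_burst = defaultdict(list)
    for burst, _attempt, ms in sorted(results, key=lambda r: (r[0], r[1])):
        by_burst[burst].append(ms)
    return {b: classify(v, threshold_ms) for b, v in by_burst.items()}

def probe_pattern(host, port=22, bursts=2, per_burst=3, idle_seconds=120):
    """Bursts of connects separated by an idle gap (assumed values): if a
    DNS/FQDN cache is expiring, only the first attempt of each burst is delayed.
    Returns a list of (burst, attempt, ms) tuples."""
    results = []
    for burst in range(bursts):
        for attempt in range(per_burst):
            results.append((burst, attempt, measure_connect_ms(host, port)))
            time.sleep(1)
        if burst + 1 < bursts:
            time.sleep(idle_seconds)
    return results
```

Run `summarize(probe_pattern("<host behind the gateway>", 22, idle_seconds=180))` from a client on the far side of the firewall; a result of `first_packet_delay` for every burst, with the gap tuned to the DNS TTL of the domain objects, points at the lookup-on-first-packet behaviour rather than at NAT.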
We don't have NAT port exhaustion.
We do have some non-FQDN domains; I will take a look at those sks you mentioned and try to clean as many non-FQDN domains from our policy as I can. It is in production, so I believe it will take me a few days.
I'll give an update after I check it.
You can validate this by placing an SSH connection rule above the existing FQDN rules.
As a best practice, when FQDN‑based rules are in use, all critical connections or high‑priority rules should always be positioned above the FQDN rules in the rule hierarchy.
I tried it, but the issue still persists.
You may wish to open a TAC case to check why this happens via a remote session.
I was just about to send you the 2nd sk Tim referenced. To me, it seems most relevant in your case.