This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rick_Modisette
Participant
‎2021-08-23 03:21 PM

Netscope Failure with Hide NAT

Annotation 2021-08-23 151108.jpgHi All,

R80.40 mgmt R80.10 gateways

Trying to implement Netscope web content filtering. They are using 'conditional routing' on ports 80 and 443 to a load balancer. A static NAT works perfectly. A hide NAT is either painfully slow or get a message back from the active gateway that it can't connect to the remote site.

 

Any ideas on where to start? 

 

Thank you

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2021-08-23 05:41 PM

What kind of troubleshooting have you done here with tcpdump, fw ctl zdebug, or similar?
In any case, it's highly recommended you upgrade those R80.10 gateways to a newer release.

Also, in R81, you can actually build the GRE tunnel on the gateways themselves.

0 Kudos
Rick_Modisette
Participant
‎2021-08-24 08:56 AM
In response to PhoneBoy

Thank you PhoneBoy.

In some initial testing, we shut down all the tunnels on the load balancer except one and captured some traffic there. Here's part of the convo so far:

Engineer:

The "Our department" segments its internal networks from the rest of the City behind a Checkpoint firewall. Several "Department's" internal networks overlap City nets so they NAT their outbound traffic. During testing we found that a 1 to 1 static NAT is successful with no performance issues. If "Department" hides the same system IP behind the external firewall interface they experience severe performance issues. If "Department" configures the same system using a many to one (PAT) they experience severe performance issues.
We captured traffic and a reset is returned. I am unsure if the reset is from netskope or the target website.

 

Netscope response:

With PAT implementation, traffic from multiple users will get mapped to a single inner IP and hence all traffic will land on a single worker thread. That will have a performance impact. Hence, with the current GRE implementation, it is not recommended to NAT the end user traffic before going through the GRE tunnel.

 

LoL This is why we are using a load balancer. I do like the idea of initiating the gre tunnel from our gateway for our department. We will see how that goes over.

Sounds like the best plan for me is to upgrade my gateways first. I will get that done and report back.....

0 Kudos
PhoneBoy
Admin
Admin
‎2021-08-24 09:12 AM
In response to Rick_Modisette

That suggests the issue is not with the Check Point appliance, but with Netskope.
In which case, doing a 1-1 NAT is definitely the recommended approach.

0 Kudos
the_rock
Legend
Legend
‎2021-08-23 06:34 PM

Hide NAT is slow...hm, thats tricky problem. So if I get this right, are you saying hide nat does actually work, but with a delay? As phoneboy mentioned, I think doing those captures and debug might help. I know this might be long shot, but maybe do fwaccel off command, just to rule out securexl causing the problem.

0 Kudos
Rick_Modisette
Participant
‎2021-08-24 09:02 AM
In response to the_rock

Thank you Rock. It does work once in a while. Most of the time, the browser times out. I will try your suggestion next time we get together for a test....

the_rock
Legend
Legend
‎2021-08-24 10:10 AM
In response to Rick_Modisette

I know TAC would ask you to do that 99% of the time anyway, so you might as well do it beforehand yourself : )

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events