Rick_Modisette
Participant

Netskope Failure with Hide NAT

Hi All,

R80.40 mgmt R80.10 gateways

Trying to implement Netskope web content filtering. They are using 'conditional routing' on ports 80 and 443 to a load balancer. A static NAT works perfectly. A hide NAT is either painfully slow or we get a message back from the active gateway that it can't connect to the remote site.


Any ideas on where to start? 


Thank you

6 Replies
PhoneBoy
Admin

What kind of troubleshooting have you done here with tcpdump, fw ctl zdebug, or similar?
In any case, it's highly recommended you upgrade those R80.10 gateways to a newer release.

Also, in R81, you can actually build the GRE tunnel on the gateways themselves.

Rick_Modisette
Participant

Thank you PhoneBoy.

In some initial testing, we shut down all the tunnels on the load balancer except one and captured some traffic there. Here's part of the convo so far:

Engineer:

The "Our department" segments its internal networks from the rest of the City behind a Check Point firewall. Several "Department's" internal networks overlap City nets, so they NAT their outbound traffic. During testing we found that a 1-to-1 static NAT is successful with no performance issues. If "Department" hides the same system IP behind the external firewall interface, they experience severe performance issues. If "Department" configures the same system using a many-to-one (PAT), they experience severe performance issues.
We captured traffic and a reset is returned. I am unsure if the reset is from netskope or the target website.


Netskope response:

With PAT implementation, traffic from multiple users will get mapped to a single inner IP and hence all traffic will land on a single worker thread. That will have a performance impact. Hence, with the current GRE implementation, it is not recommended to NAT the end user traffic before going through the GRE tunnel.


LoL. This is why we are using a load balancer. I do like the idea of initiating the GRE tunnel from our gateway for our department. We will see how that goes over.

Sounds like the best plan for me is to upgrade my gateways first. I will get that done and report back...

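The Netskope response above says that with PAT every user is mapped to one inner IP, so all of their flows land on a single worker thread. The following added example (not code from the thread, from Netskope or from Check Point) simulates that effect: it applies a constructed 1:1 static NAT and a constructed hide NAT to the same set of client addresses and counts how the resulting flows would spread over workers. The worker-selection rule (a stable hash of the inner source IP modulo the worker count), the worker count of 8, the client addresses and the NAT pools are all assumptions made for illustration.

```python
"""Added example: how hide NAT collapses flow distribution onto one worker.

Assumptions (not from the thread): the upstream service picks a worker by
hashing the inner (pre-GRE) source IP modulo the number of workers, and there
are 8 workers. Client addresses and NAT pools below are constructed.
"""
from collections import Counter
import hashlib
import ipaddress

WORKERS = 8  # assumed worker count


def worker_for(inner_src_ip: str, workers: int = WORKERS) -> int:
    """Assumed selection rule: stable SHA-256 hash of the source IP mod workers."""
    packed = ipaddress.ip_address(inner_src_ip).packed
    digest = hashlib.sha256(packed).digest()
    return int.from_bytes(digest[:4], "big") % workers


def static_nat(client_ip: str) -> str:
    """1:1 static NAT: 10.1.0.N -> 198.51.100.N (constructed pool)."""
    host = int(client_ip.split(".")[-1])
    return f"198.51.100.{host}"


def hide_nat(client_ip: str) -> str:
    """Hide NAT (many-to-one PAT): every client becomes the external interface IP."""
    return "198.51.100.1"


def worker_load(clients, translate) -> dict:
    """Count how many clients' flows end up on each worker after translation."""
    load = Counter(worker_for(translate(c)) for c in clients)
    return dict(sorted(load.items()))


def busiest_share(load: dict) -> float:
    """Fraction of all flows carried by the single busiest worker (1.0 = everything)."""
    total = sum(load.values())
    return max(load.values()) / total


# Constructed: 200 internal clients on an overlapping RFC 1918 range.
CLIENTS = [f"10.1.0.{n}" for n in range(2, 202)]

if __name__ == "__main__":
    for name, fn in (("static 1:1 NAT", static_nat), ("hide NAT / PAT", hide_nat)):
        load = worker_load(CLIENTS, fn)
        print(f"{name:16s} workers used={len(load):2d} "
              f"busiest worker share={busiest_share(load):.0%}")
```

Running it shows the static NAT case spreading the 200 clients across all 8 workers, while the hide NAT case puts 100% of the flows on one worker, which is the serialization the Netskope response warns about and why a 1:1 NAT or moving the GRE tunnel onto the gateway avoids it.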
PhoneBoy
Admin

That suggests the issue is not with the Check Point appliance, but with Netskope.
In which case, doing a 1-1 NAT is definitely the recommended approach.

the_rock
Authority

Hide NAT is slow... hm, that's a tricky problem. So if I get this right, are you saying Hide NAT does actually work, but with a delay? As PhoneBoy mentioned, I think doing those captures and debug might help. I know this might be a long shot, but maybe do the fwaccel off command, just to rule out SecureXL causing the problem.

Rick_Modisette
Participant

Thank you Rock. It does work once in a while. Most of the time, the browser times out. I will try your suggestion next time we get together for a test...

the_rock
Authority

I know TAC would ask you to do that 99% of the time anyway, so you might as well do it beforehand yourself : )
