This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
Advisor
yesterday

(nat disallows)

Hi

Why would NAT disallow SecureXL templating?

Running this debug: 

fwaccel dbg -m tmpl + tmpl

 

Shows messages like this one:

cphwd_create_template: Trying to create template for conn: <dir 1, 10.10.51.96:51137 -> 8.8.8.8:53 IPP 17>
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];cphwd_get_sdwan_templates_info: sdwan not active. tmpl allowed
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];get_connkey_template: Conn <dir 1, 10.10.51.96:51137 -> 8.8.8.8:53 IPP 17> cannot be offloaded as template (nat disallows)
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];get_connkey_template: template is not possible. flags=0x40000048, unsupported_flags=0x40000048 reason: NAT Disallowed Conn
 fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                      |
+---------------------------------------------------------------------------------+
|0 |KPPAK    |enabled    |Sync,Mgmt,eth1-01,       |Acceleration,Cryptography     |
|  |         |           |eth1-03,eth1-04          |                              |
|  |         |           |                         |Crypto: Tunnel,UDPEncap,MD5,  |
|  |         |           |                         |SHA1,3DES,DES,AES-128,AES-256,|
|  |         |           |                         |ESP,LinkSelection,DynamicVPN, |
|  |         |           |                         |NatTraversal,AES-XCBC,SHA256, |
|  |         |           |                         |SHA384,SHA512                 |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates   : enabled
NAT Templates    : enabled
LightSpeed Accel : disabled

 

Running this command:

fwaccel templates -R

Shows that Prevented By Policy Rules |272089470 |60.340 % decreasing and  NAT Disallowed Conn |55142899 |12.229 % increasing!

 fwaccel templates -R

Matched connections not allowed to use templates:
% Prevention : 1.278%

Reason                                  Count      Reason Prevented From Matched %

Non-Syn/Empty First Packet              |311689    |0.827     %
Src/dst IP Blacklisted                  |170192    |0.452     %
Dynamic VPN Connection                  |2         |0.000     %
--------------------

Connections failed to create templates:
% Fail to Create : 76.029%

Reason                                  Count      Reason Fail To Create %

NON TCP/UDP PROTO                       |4814005   |1.068     %
Conn Not Accelerated                    |9462382   |2.098     %
NAT Disallowed Conn                     |55142899  |12.229    %
DHCP Check Feature Isn't Supported Or Disabled|15        |0.000     %
General Error                           |1037801   |0.230     %
Malicious Destination IP Detected       |285648    |0.063     %
Prevented By Policy Rules               |272089470 |60.340    %

What could be wrong in the NAT rules that prevents templating?

I haven't found any information about this in the admin guides.

 

0 Kudos
3 Replies
the_rock
Legend
Legend
yesterday

https://support.checkpoint.com/results/sk/sk153832

I know below sk shows R80.20 and lower, but I see same values in R81.20

Andy

https://support.checkpoint.com/results/sk/sk71200

0 Kudos
the_rock
Legend
Legend
yesterday
In response to the_rock

@Moudar 

My lab.

Andy

************************

 

[Expert@CP-GW:0]# fw ctl get int cphwd_nat_templates_support
cphwd_nat_templates_support = 1
[Expert@CP-GW:0]# fw ctl get int cphwd_nat_templates_enabled
cphwd_nat_templates_enabled = 1
[Expert@CP-GW:0]# cpinfo -y fw1

This is Check Point CPinfo Build 914000248 for GAIA
[FW1]
HOTFIX_TEX_ENGINE_R8120_AUTOUPDATE
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 84
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R81.20 - Build 037
kernel: R81.20 - Build 045

[Expert@CP-GW:0]#

0 Kudos
PhoneBoy
Admin
Admin
yesterday

From sk32578, Accelerated NAT is not supported if:

  • NAT64 / NAT46 when it is not a TCP / UDP protocol.
  • Early NAT (VoIP).
  • The protocol is not TCP / UDP / SCTP.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events