Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Anthony_Joubai1
Contributor

NAT Optimization

Hello,

I search everywhere PS and SE don't have this answer on R77.30

How can we optimize/clear a bit a NAT rule base, without hits count.

                                         Without SmartEvent/SmartReporter report.

An idea would be really appreciated.

R80.10 does included these features?

regards,

Anthony

9 Replies
PhoneBoy
Admin
Admin

R80.10 doesn't have a hit counter for NAT rules, either.

I don't believe there is a clean way currently short of logging everything and doing a manual evaluation.

0 Kudos
Timothy_Hall
Champion
Champion

I did cover this in my book albeit briefly (p. 245), to summarize:

The first packet of a new accepted connection that involves NAT will always make a trip to the Firewall Path (F2F) by default.  Even if you have a very large NAT rulebase, most of the time the firewall doesn't even have to look at it due to the NAT cache table which is enabled by default, and is discussed in sk21834.  Essentially the most common NAT rulebase hits are cached in a special state table that can determine the required NAT rules quite efficiently during future NAT lookups.  Once the proper NAT has been determined for that first packet in F2F, all subsequent packets of that connection are potentially eligible to be accelerated via SXL or PXL if some other blade isn't calling for deeper inspection of that connection.   This NAT caching mechanism is probably why hit counts are not available for NAT rules.

Once that first packet has been NATted and passed, the NAT rulebase and cache table is never consulted again for that connection, and as such the NAT applied to a connection's packets cannot ever change after that first packet. 

However in R75.40 a new SecureXL feature called NAT Templates was introduced which is disabled by default.  I am not a fan of this feature, mainly because it requires a firewall reboot to enable and disable.  If NAT Templates are enabled, SecureXL performs its own templating (or caching) of prior NAT lookups and the first packet's trip to F2F can be avoided if there is both an Accept Template and a NAT Template present in SecureXL for the new connection.  However in modern firewalls the vast majority of traffic is handled in PXL anyway and cannot be fully accelerated in the SXL path, so unless "fwaccel stats -s" is showing at least 50% of traffic being processed in the SXL path (not common) there is little to gain from enabling NAT Templates and potentially a lot to lose if it causes problems.  The fact that NAT Templates are still disabled by default in R80.10 gateway would seem to confirm my hesitancy to enable them.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Anthony_Joubai1
Contributor

Thanks for you answers,

To be more clear, the customer have 836FW/846NAT Rules; Admin has retired. and new admin has been hire.

They call us for optimize the rule base.

- Hits helps for rulebase.

- Reporter helps for optimize rule order.

- Unused object helps object;

No indicator helps about NAT Matches.

On SvTracker, we can get the NAT Rule Number column(hide per default). it's missing a consolidation ^^ (reporter can works about this field. Maybe a custom report, I'll work on it)

This option is missing on SmartLog.

I'm looking for UNUSED Nat rule over 860 rules. (17 years of CheckPoint history).

regards,

Anthony

0 Kudos
Anthony_Joubai1
Contributor

SmartReporter/SmartEvent are based on logs.

If a FW matches without log and go a NAT rule I'm *******.

Basicaly, I did not manage to add "nat_rulenum" or/and "nat_addtnl_rulenum" on SmartEvent.

I'm still looking for a way to determine unused nat rule on a large base; SmartOptimize doesn't cover this point. (If I good remember)

regards,

Anthony

0 Kudos
Ofir_Shikolski
Employee
Employee

you can export all logs ,with excel create a pivot table.

this will provide you all NAT rules in-use .

in case there is no hit, you can consider that NAT rule not in-use.

the next step will be to disable the NAT rule for a few days in order to verify that we did not break the connectivity .

0 Kudos
Timothy_Hall
Champion
Champion

Right, looks like the only way to determine unused NAT rules is purely through log analysis whether that involves using third party log analysis tools or SmartEvent.

However you can poke around directly in the fwx_cache table on the live gateway to see which NAT rules are being used the most.  The fwx_cache table does track the NAT rule number of cached entries, so this command I just whipped up will show the top 20 most commonly cached/hit NAT rules:

 fw tab -u -t fwx_cache  | awk '{ print $3 }' | cut -c5-8 | sort -n | uniq -c | sort -nr | head -20

Keep in mind that the rule numbers displayed here are in hexadecimal.  Using -f with this fw tab command still displays everything in hex so it doesn't help.  If one of the most commonly NAT hit rules is a manual NAT rule, moving it up in the NAT rulebase will help non-cached NAT lookup performance for that rule, but watch out for overlaps or conflicts with subsequent manual NAT rules.  Automatic NAT rules can't be moved around which is probably why the caching mechanism exists.

There are 10,000 NAT cache entries available by default in this table, to see how many are in use run this:

fw tab -t fwx_cache -s

If the current amount allocated and/or peak amounts are exactly 10,000 do not panic.  As mentioned in my book the 10,000 entries are utilized to track the most common NAT rulebase matches, and "running out" here just means there will be more actual lookups against the NAT rulebase than there otherwise would be.  The size of fwx_cache can potentially be increased as described here to improve NAT performance:

sk21834: How to modify values of properties related to NAT cache table "fwx_do_nat_cache"

However be warned that the NAT code has been around for a very very long time and hasn't really changed that much over the years, so tampering with this value on today's code versions may have unintended effects.  The NAT rulebase doesn't look like a "real" policy layer in R80+ from what I can tell since it is basically still joined at the hip with the Network Access Layer.  The inability to use Security Zones with NAT policies is another indication that the NAT rulebase is not a "real" R80+ policy layer in my opinion.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Luis_Miguel_Mig
Advisor

I have consistently more than 10000 entries in the fwx_cache and I was wondering if it is worth to increase the fwx_cache limit or enable SecureXL NAT templates. Both changes look  very unfriendly, I have read this thread and also the book "Max Power: Check Point Firewall Performance Optimization". In the book, Tim seems to be more inclined to increase the NAT cache limit, but in this post seems not be to convinced to go for neither of them. So the conclusion is that it is probably not worth it, right?

I have written a script to format the first 3 columns of fwx_cache so I can understand what it is in my fwx_cache.

I would say that the 3rd column is the destination port and the 4th column is the protocol.

One of the things that has called my attention is the amount of entries for icmp traffic. It seems that every icmp request generates an entry in the fwx_cache even if the ip is not in the NAT policy and it is not expected to be NAT'ed. How is this possible?

fw tab -t connections -f -u

16:23:03        10.10.1.2 >    : -----------------------------------(+); Direction: 1; Source: 192.168.1.25; SPort: 1; Dest: 192.168.10.100; DPort: 8134; Protocol: icmp;

fw tab -t fwx_cache -u

192.168.1.25 192.168.10.100 8134

So an obvious thing to optimize performance would be  removing icmp from the fwx_cache and leave it only for tcp/udp traffic. Is it possible?

0 Kudos
Luis_Miguel_Mig
Advisor

Just one thing that I have just discovered: for a long while I was wondering how #VALS could be higher than fwx_cache limit, but I think that I found the answer. The fwx_cache limit is set per core.

 fw tab -t fwx_cache | grep limit
dynamic, id 8116, attributes: expires 1800, refresh, , hashsize 8192, limit 10000

]# fw  tab -t fwx_cache -s
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             fwx_cache                        8116 30000 30000       0
# fw -i 0 tab -t fwx_cache -u | wc -l
10004
# fw -i 1 tab -t fwx_cache -u | wc -l
10004
# fw -i 2 tab -t fwx_cache -u | wc -l
10002

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events