This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Muazzam
Contributor
Contributor
‎2022-09-14 01:14 PM

GNAT - Global NAT

Question: I need to find out if the GNAT (Global NAT) table includes the source ports from connections with static NAT?

We have rules with both static NAT and hide NAT for same destination. We believe that there is a possible conflict, a rare thing but happens once in a while.

So if the GNAT includes the source ports (same after static NAT) then it should not the conflict, otherwise yes.

 

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2022-09-16 02:22 PM

My understanding is that the GNAT process will see if the port is "free" before it uses it.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
Whether it takes into account static and hide NAT to the same destination or not is a separate question.
What precise behavior are you seeing?

0 Kudos
Muazzam
Contributor
Contributor
‎2022-09-19 08:53 AM
In response to PhoneBoy

Thank you for your reply.

 

As I mentioned above - We have a mix of static NAT and hide NAT rules related to an outside vendor. The connections are sometimes open for hours or may be days.

 

We have rare cases where 2 different source IP addresses, going to same destination IP, using same service (tcp port), getting translated to same source NAT IP. First connection, due to its source matches the static NAT rule, the second connection matches the hide NAT rule. The static NAT rule results in NO source port translation, the hide NAT rule translates the source port.
One in 1000 (my guess) connections, the source port of first connection with static NAT matches the hide NAT source port of the second connection. Although the source IP is different but after translation 5-Tuple is same for both connections so the second connection could kill the first connection. We found couple of evidences that this is the case because our business reported a drop at the same time when the port conflict occurs.

So the question arises, if the NAT port table (fwx_alloc_global) also includes the static ports? This question has been sent to dev (via our DMD) but I am wondering if someone has experienced this already?

Note: We are on R80.20 but using the GNAT feature form R80.40+.

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-09-19 04:09 PM
In response to Muazzam

On the face of it, this sounds like a bug, or at least this is a condition that was not considered when this feature was implemented.
Of course that's just my opinion and someone from R&D would have to confirm.
That being said, with R80.20 being End of Support at the end of this month, I wouldn't bet on receiving a fix for this issue that doesn't involve upgrading to R80.40+.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events