Create a Post
Showing results for 
Search instead for 
Did you mean: 

NAT Timeout


Platform:   ClusterXL (Two 15600 Gateways)   Active/Passive

Version:    R80.10

In the internet traffic in which I perform translation whit one public-IP (PAT) in a NAT policy, I observe the following:

Same combination of Tranlated-Source.IP-address + Tranlated-Source-Port (different Dest.Address) is used few seconds after is used in another TCP session.

Do you know haw can I verify the NAT timeout (time after the gateway can use the same "Tranlated-Source.IP-address + Tranlated-Source-Port")?

Can I change thie timeout or change this behabiour?

In the file attached, same Tranlated-Source.IP-address and Tranlated-Source-Port are used every few seconds, at:


I need to avoid that.


Thank you very much.

0 Kudos
2 Replies
Legend Legend

What value is being displayed by this command:

fw ctl get int fwx_nat_dynamic_port_allocation_entry_timeout

It should display 120 seconds, which is how long the firewall is supposed to wait before reusing a Hide NAT source IP/source port combo, see sk103656: Dynamic NAT port allocation feature

Gateway Performance Optimization R81.20 Course
now available at
0 Kudos


Thank you very much Timothy for reply.

The output is 120 seconds.
"fwx_nat_dynamic_port_allocation_entry_timeout = 120"

As I understand it, "Dynamic NAT port allocation" is not enabled in my gateways:

For R80.10
Note: When the Number of CoreXL FW instances is less than 6, the Dynamic NAT port allocation is disabled by default.

On versions R80.10 and above: 1 - enable dynamic NAT port allocation only when the number of CoreXL FW instances is greater than 5

Output for "fw ctl get int fwx_nat_dynamic_port_allocation" >> fwx_nat_dynamic_port_allocation = 1

And I supose the value of "fwx_nat_dynamic_port_allocation_entry_timeout" (120 secods), aply when Dynamic NAT port allocation is enabled.


On the other hand, I am not sure if the value of "fwx_nat_dynamic_port_allocation_entry_timeout" [Amount of time (in seconds) the Security Gateway will wait before reusing old/previously used ports] aply only to the connecions to the same destination IP address:

"The ranges are also keyed by the Destination IP address, so each Destination IP address gets a separate allocation."

In my case, I need to the gateway not use the same port even if it is to a different address, at least until after a few minutes if possible


Thank you, regards.

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events