This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GregorioLujan
Explorer
‎2021-08-27 03:23 AM

NAT Timeout

Hello.

Platform:   ClusterXL (Two 15600 Gateways)   Active/Passive

Version:    R80.10

In the internet traffic in which I perform translation whit one public-IP (PAT) in a NAT policy, I observe the following:

Same combination of Tranlated-Source.IP-address + Tranlated-Source-Port (different Dest.Address) is used few seconds after is used in another TCP session.

Do you know haw can I verify the NAT timeout (time after the gateway can use the same "Tranlated-Source.IP-address + Tranlated-Source-Port")?

Can I change thie timeout or change this behabiour?


In the file attached, same Tranlated-Source.IP-address and Tranlated-Source-Port are used every few seconds, at:

12:39:13
12:39:10
12:39:05

I need to avoid that.

 

Thank you very much.

Preview file
35 KB
0 Kudos
2 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-08-27 04:54 AM

What value is being displayed by this command:

fw ctl get int fwx_nat_dynamic_port_allocation_entry_timeout

It should display 120 seconds, which is how long the firewall is supposed to wait before reusing a Hide NAT source IP/source port combo, see sk103656: Dynamic NAT port allocation feature

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
GregorioLujan
Explorer
‎2021-08-30 12:17 AM
In response to Timothy_Hall

Hello.

Thank you very much Timothy for reply.

The output is 120 seconds.
"fwx_nat_dynamic_port_allocation_entry_timeout = 120"


As I understand it, "Dynamic NAT port allocation" is not enabled in my gateways:

For R80.10
Note: When the Number of CoreXL FW instances is less than 6, the Dynamic NAT port allocation is disabled by default.

fwx_nat_dynamic_port_allocation
On versions R80.10 and above: 1 - enable dynamic NAT port allocation only when the number of CoreXL FW instances is greater than 5

Output for "fw ctl get int fwx_nat_dynamic_port_allocation" >> fwx_nat_dynamic_port_allocation = 1


And I supose the value of "fwx_nat_dynamic_port_allocation_entry_timeout" (120 secods), aply when Dynamic NAT port allocation is enabled.

 


On the other hand, I am not sure if the value of "fwx_nat_dynamic_port_allocation_entry_timeout" [Amount of time (in seconds) the Security Gateway will wait before reusing old/previously used ports] aply only to the connecions to the same destination IP address:

"The ranges are also keyed by the Destination IP address, so each Destination IP address gets a separate allocation."


In my case, I need to the gateway not use the same port even if it is to a different address, at least until after a few minutes if possible

 

Thank you, regards.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events