Try out the new
CheckMates Labs!
Check Point Acquires Avanan
Learn Why Avanan and Check Point are Better Together
CheckMates Go:
The Things They're Missing
Try Check Point products
with one of our experts!
Pro Support – The Next Level Of Monitoring
Premier Event for Securing Users & Access
12th October
Hello,
We are observing the following log in /var/log/ increasing as increased traffic passes through the firewall.
[fw4_2];fw_xlate_new_conn_from_template: invalid ifn. in_ifn = 15, out_ifn = -1
[fw4_1];fw_xlate_new_conn_from_template: invalid ifn. in_ifn = 15, out_ifn = -1
[fw4_3];fw_xlate_new_conn_from_template: invalid ifn. in_ifn = 15, out_ifn = -1
"-1" as a negative value indicates an invalid exit path interface and the traffic is being black-holed as a result.
Am I right in thinking this is likely a SXL NAT Template issue? Cant find anything in the SKs regarding this specific error.
It's an r80.10 HA deployment well behind in its patching.
Anyone seen this before?
Timothy_Hall
What does output of fwaccel stat show, are NAT Templates enabled? They were not enabled by default in your release and I wouldn't recommend enabling on R80.10 especially without the latest Jumbo HFA, as there were numerous issues with NAT Templates (a sampling of the issues is below). That error looks like it is being reported by a firewall worker though and all NAT Templating operations were handled by sim/SecureXL in that version, so I'm not sure.
Hi Tim,
I should have put this in the OP but yes someone has enabled NAT templates at some point.
I also found it odd why the fw workers are complaining here.
This'll likely need to go to TAC but the response is going to be "Patch" which I've already said is required.
I've just never seen that log entry before and it seems awfully strange.
Also disabling NAT templates might be an issue as this appliance is generating hundreds of CUL messages a day and memory is threatening to creep into SWAP.
There is also table limits inherited from previous version upgrade which may be playing a part. All good fun.
Timothy_Hall
NAT Templates were not enabled by default until R80.20 when SecureXL got a serious overhaul. I'd be leery of leaving NAT Templates enabled on versions R80.10 and earlier (even if patched) due to the very rough start that feature got. NAT Templates do save CPU overhead on the Firewall Workers, so if you are getting CUL alerts it sounds like your firewall is pretty busy.
Might be worth posting the "Super Seven" outputs from your active cluster member to see if some tuning would be helpful: S7PAC - Super Seven Performance Assessment Commands
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY