Hi
Why would NAT disallow SecureXL templating?
Running this debug:
fwaccel dbg -m tmpl + tmpl
Shows messages like this one:
cphwd_create_template: Trying to create template for conn: <dir 1, 10.10.51.96:51137 -> 8.8.8.8:53 IPP 17>
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];cphwd_get_sdwan_templates_info: sdwan not active. tmpl allowed
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];get_connkey_template: Conn <dir 1, 10.10.51.96:51137 -> 8.8.8.8:53 IPP 17> cannot be offloaded as template (nat disallows)
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];get_connkey_template: template is not possible. flags=0x40000048, unsupported_flags=0x40000048 reason: NAT Disallowed Conn
fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |Sync,Mgmt,eth1-01, |Acceleration,Cryptography |
| | | |eth1-03,eth1-04 | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
LightSpeed Accel : disabled
Running this command:
fwaccel templates -R
Shows that "Prevented By Policy Rules" (272089470, 60.340 %) is decreasing and "NAT Disallowed Conn" (55142899, 12.229 %) is increasing!
fwaccel templates -R
Matched connections not allowed to use templates:
% Prevention : 1.278%
Reason |Count |Reason Prevented From Matched %
Non-Syn/Empty First Packet |311689 |0.827 %
Src/dst IP Blacklisted |170192 |0.452 %
Dynamic VPN Connection |2 |0.000 %
--------------------
Connections failed to create templates:
% Fail to Create : 76.029%
Reason |Count |Reason Fail To Create %
NON TCP/UDP PROTO |4814005 |1.068 %
Conn Not Accelerated |9462382 |2.098 %
NAT Disallowed Conn |55142899 |12.229 %
DHCP Check Feature Isn't Supported Or Disabled|15 |0.000 %
General Error |1037801 |0.230 %
Malicious Destination IP Detected |285648 |0.063 %
Prevented By Policy Rules |272089470 |60.340 %
What could be wrong in the NAT rules that prevents templating?
I haven't found any information about this in the admin guides.
I know the sk below covers R80.20 and lower, but I see the same values in R81.20:
https://support.checkpoint.com/results/sk/sk153832
Andy
My lab.
Andy
************************
[Expert@CP-GW:0]# fw ctl get int cphwd_nat_templates_support
cphwd_nat_templates_support = 1
[Expert@CP-GW:0]# fw ctl get int cphwd_nat_templates_enabled
cphwd_nat_templates_enabled = 1
[Expert@CP-GW:0]# cpinfo -y fw1
This is Check Point CPinfo Build 914000248 for GAIA
[FW1]
HOTFIX_TEX_ENGINE_R8120_AUTOUPDATE
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 84
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
FW1 build number:
This is Check Point's software version R81.20 - Build 037
kernel: R81.20 - Build 045
[Expert@CP-GW:0]#
From sk32578, Accelerated NAT is not supported if:
Our environment is clean IPv4
No VOIP
Because 70% of all connections are not being templated, these connections (70%) cannot be anything other than TCP or UDP
95% of NAT rules have service=any
Using
fwaccel dbg -m default + nat
I could find this log:
Sep 28 19:11:00 2024 fw01 kernel:[fw4_5];cphwd_create_template: Trying to create template for conn: <dir 1, 10.8.0.12:53318 -> 199.77.120.120:53 IPP 17>
Sep 28 19:11:00 2024 fw01 kernel:[fw4_5];cphwd_get_nat_templates_info: nat template is not allowed (fwx)
What does fwx mean?
Might be worth opening TAC case to investigate this further.
fwx_cache is used to cache all NAT table policy lookups.
Andy
Are you only seeing this NAT disallow for DNS (UDP 53) traffic? Is Anti-bot enabled? It could be the new R81.20 under-the-hood DNS protections (sk178487 & sk175623) keeping the NAT template from being formed to ensure a full rulebase lookup in F2F/slowpath, and causing Deep Inspection to happen on a Firewall Worker Core to implement these features. That would be my guess.
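To answer the question above (is the NAT disallow limited to DNS / UDP 53?) from debug output rather than by eye, the following added script, which is not from the thread or from Check Point, groups the `get_connkey_template ... cannot be offloaded as template (nat disallows)` lines by protocol and destination port and tallies the `unsupported_flags` / `reason` pairs. The sample input is constructed: the first four lines are the ones quoted earlier in the thread, the last two are a hypothetical TCP/443 connection added only so that the grouping has something to contrast with.

```python
import re
from collections import Counter

# Constructed sample in the format of the fwaccel dbg output quoted in the thread.
# Lines 1-4 are the thread's own; lines 5-6 are a hypothetical TCP/443 connection
# added for contrast (203.0.113.10 is a documentation address, not a real target).
SAMPLE_DEBUG = """\
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];cphwd_create_template: Trying to create template for conn: <dir 1, 10.10.51.96:51137 -> 8.8.8.8:53 IPP 17>
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];cphwd_get_sdwan_templates_info: sdwan not active. tmpl allowed
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];get_connkey_template: Conn <dir 1, 10.10.51.96:51137 -> 8.8.8.8:53 IPP 17> cannot be offloaded as template (nat disallows)
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];get_connkey_template: template is not possible. flags=0x40000048, unsupported_flags=0x40000048 reason: NAT Disallowed Conn
Sep 27 15:37:01 2024 fw01 kernel:[fw4_3];get_connkey_template: Conn <dir 1, 10.10.51.97:44120 -> 203.0.113.10:443 IPP 6> cannot be offloaded as template (nat disallows)
Sep 27 15:37:01 2024 fw01 kernel:[fw4_3];get_connkey_template: template is not possible. flags=0x40000048, unsupported_flags=0x40000048 reason: NAT Disallowed Conn
"""

# IP protocol numbers as they appear after "IPP" in the debug lines.
IPP_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

CONN_LINE = re.compile(
    r"get_connkey_template: Conn <dir (?P<dir>\d+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) IPP (?P<ipp>\d+)> "
    r"cannot be offloaded as template \((?P<why>[^)]*)\)"
)
FLAGS_LINE = re.compile(
    r"template is not possible\. flags=(?P<flags>0x[0-9a-fA-F]+), "
    r"unsupported_flags=(?P<unsupported>0x[0-9a-fA-F]+) reason: (?P<reason>.+)$"
)


def nat_disallow_by_service(text):
    """Count 'nat disallows' template refusals per protocol/destination port."""
    counts = Counter()
    for line in text.splitlines():
        m = CONN_LINE.search(line)
        if m and m["why"] == "nat disallows":
            proto = IPP_NAMES.get(int(m["ipp"]), f"ipp{m['ipp']}")
            counts[f"{proto}/{m['dport']}"] += 1
    return counts


def dns_share(counts):
    """Fraction of the refusals whose destination port is 53 (DNS)."""
    total = sum(counts.values())
    dns = sum(n for svc, n in counts.items() if svc.endswith("/53"))
    return dns / total if total else 0.0


def flag_reasons(text):
    """Count (unsupported_flags, reason) pairs from 'template is not possible' lines."""
    counts = Counter()
    for line in text.splitlines():
        m = FLAGS_LINE.search(line)
        if m:
            counts[(m["unsupported"], m["reason"].strip())] += 1
    return counts


if __name__ == "__main__":
    by_service = nat_disallow_by_service(SAMPLE_DEBUG)
    for svc, n in by_service.most_common():
        print(f"{svc:12} {n}")
    print(f"DNS share of NAT-disallowed template attempts: {dns_share(by_service):.0%}")
    for (flags, reason), n in flag_reasons(SAMPLE_DEBUG).items():
        print(f"unsupported_flags={flags} reason={reason}: {n}")
```

Feed it the captured output of `fwaccel dbg -m tmpl + tmpl` (and remember to reset the debug afterwards); a DNS share near 100 % supports the DNS-protection explanation, anything else points at the NAT rulebase itself.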
Anti-bot is active under Autonomous Threat prevention
get_connkey_template: template is not possible. flags=0x40000028, unsupported_flags=0x40000028 reason: NAT Disallowed Conn
I could not find any other "disallow" log
So, is that a normal process to disallow NAT templating?
While I'm with @Timothy_Hall this is probably related to the DNS protections in R81.20, suggest opening a TAC case to confirm this is expected behavior.
Should we expect that the 'Prevented By Policy Rules' metric decreases while 'NAT Disallowed Conn' increases at the same rate?
By comparing the outputs of the fwaccel templates -R command above and here, is it expected that as the first value declines, the second is rising proportionally?!
fwaccel templates -R
Matched connections not allowed to use templates:
% Prevention : 1.317%
Reason |Count |Reason Prevented From Matched %
Non-Syn/Empty First Packet |380192 |0.892 %
Src/dst IP Blacklisted |181168 |0.425 %
Dynamic VPN Connection |2 |0.000 %
--------------------
Connections failed to create templates:
% Fail to Create : 74.072%
Reason |Count |Reason Fail To Create %
NON TCP/UDP PROTO |4977799 |1.037 %
Conn Not Accelerated |10075926 |2.100 %
NAT Disallowed Conn |66885040 |13.940 %
DHCP Check Feature Isn't Supported Or Disabled|22 |0.000 %
General Error |1065069 |0.222 %
Malicious Destination IP Detected |294264 |0.061 %
Prevented By Policy Rules |272106949 |56.712 %
-------------------
fw01>
Prevented by Policy Rules refers to the Access Policy, not NAT.
NAT has its own entry in fwaccel templates output.
Pretty sure these counters are since last reboot (or possibly last cpstop/cprestart).
Which is why, after you made the changes we suggested, that counter is going down.
Prevented By Policy Rules is going down that is correct, but NAT Disallowed Conn is going up at the same rate.
So, if Prevented By Policy Rules goes down by 1%, NAT Disallowed Conn goes up by 1%.
NON TCP/UDP PROTO |4986278 |1.036 %
Conn Not Accelerated |10148333 |2.109 %
NAT Disallowed Conn |67469139 |14.023 %
DHCP Check Feature Isn't Supported Or Disabled|22 |0.000 %
General Error |1065685 |0.221 %
Malicious Destination IP Detected |294399 |0.061 %
Prevented By Policy Rules |272139968 |56.564 %
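Since these counters are cumulative, the percentage column only says what share of all failed template creations since the last reset each reason accounts for, so one reason's percentage falls whenever another reason grows faster, even while its own count keeps rising. The added script below (not from the thread or from Check Point) makes that visible by parsing two `fwaccel templates -R` snapshots and computing the per-reason growth between them. The two snapshots embedded here are the ones the thread shows; the parsing and the "share of new failures" metric are the added part.

```python
import re

# The two "Connections failed to create templates" sections quoted in the thread,
# embedded as the input for this example.
SNAPSHOT_EARLIER = """\
Connections failed to create templates:
% Fail to Create : 74.072%
Reason Count Reason Fail To Create %
NON TCP/UDP PROTO |4977799 |1.037 %
Conn Not Accelerated |10075926 |2.100 %
NAT Disallowed Conn |66885040 |13.940 %
DHCP Check Feature Isn't Supported Or Disabled|22 |0.000 %
General Error |1065069 |0.222 %
Malicious Destination IP Detected |294264 |0.061 %
Prevented By Policy Rules |272106949 |56.712 %
"""

SNAPSHOT_LATER = """\
Connections failed to create templates:
NON TCP/UDP PROTO |4986278 |1.036 %
Conn Not Accelerated |10148333 |2.109 %
NAT Disallowed Conn |67469139 |14.023 %
DHCP Check Feature Isn't Supported Or Disabled|22 |0.000 %
General Error |1065685 |0.221 %
Malicious Destination IP Detected |294399 |0.061 %
Prevented By Policy Rules |272139968 |56.564 %
"""

# One counter row: "<reason> |<count> |<percent> %"
ROW = re.compile(r"^(?P<reason>.+?)\s*\|\s*(?P<count>\d+)\s*\|\s*(?P<pct>[\d.]+)\s*%")


def parse_counters(text):
    """Return {reason: (cumulative_count, percent)} for every counter row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m["reason"]] = (int(m["count"]), float(m["pct"]))
    return rows


def growth(before, after):
    """Increase in the cumulative count of each reason between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {reason: a[reason][0] - b[reason][0] for reason in a if reason in b}


def percent_change(before, after):
    """Change in the reported percentage column between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {reason: round(a[reason][1] - b[reason][1], 3) for reason in a if reason in b}


def share_of_new_failures(before, after):
    """Fraction of the failures that happened *between* the snapshots, per reason.

    This is the rate view the percentage column hides: it answers "what is
    blocking templates right now?" instead of "what blocked them since reboot?".
    """
    delta = growth(before, after)
    total = sum(delta.values())
    return {reason: (n / total if total else 0.0) for reason, n in delta.items()}


if __name__ == "__main__":
    new = growth(SNAPSHOT_EARLIER, SNAPSHOT_LATER)
    share = share_of_new_failures(SNAPSHOT_EARLIER, SNAPSHOT_LATER)
    pct = percent_change(SNAPSHOT_EARLIER, SNAPSHOT_LATER)
    for reason in sorted(new, key=new.get, reverse=True):
        print(f"{reason:48} +{new[reason]:>9}  {share[reason]:6.1%} of new  ({pct[reason]:+.3f} pts)")
```

Run against the thread's own numbers, "Prevented By Policy Rules" still grew by 33019 connections even though its percentage dropped, while "NAT Disallowed Conn" grew by 584099, roughly 84 % of everything that failed to template in the interval. The percentage shift is therefore not one counter moving into the other; it is the rate of new NAT-disallowed connections dominating the interval.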
That begs the question: what precise changes were made in your rulebase?
What did the rules look like before?
This is probably going to require TAC.
That makes total sense, agree.
First of all, I had a rule with a "logical server" (we managed to remove it) that was blocking SecureXL, then
I followed what Tim Hall said here:
https://community.checkpoint.com/t5/General-Topics/VPN-disturbances/m-p/226354#M37793
"you have a blade other than "Firewall" enabled in the top/parent layer of a unified/inline policy implementation."
In my case, it was the URL Filtering blade that was enabled on multiple inline layers within the access policy. After deactivating these, the Prevented By Policy Rules began to decrease, while NAT Disallowed Conn started to increase.
Ah, yes, I remember the conversation now.
Have you opened a TAC case on this yet?
Not yet, I am trying to understand what is happening first 😀
To come to the understanding you are seeking, specific debugs will need to be done.
I'd start with these: https://support.checkpoint.com/results/sk/sk60343
Depending on what those debugs say, TAC may need to be involved to make further progress.