Timothy_Hall
Legend

OK glad to see dynamic allocation is enabled.

I assume that your hide failures are not involving ports 60,001 through 65,536, these are "Extra/Global" NAT operations that are not supported across multiple CoreXL instances and have much smaller NAT port ranges for various operations.  You can read about Extra/Global NATs here: sk69480: 'NAT Hide failure - there are currently no available ports for hide operation' log appears ...

I assume you are aware of how to set up "Many to Fewer" Hide NATs as described below, which is a bit more convenient than defining multiple "Many to One" Hide NATs:

https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3828?search-...

sk142833: How to create manual NAT rules in Many-To-Few mode

Beyond that you'll have to look into the uniqueness of destination IPs that your users are hitting, you do seem to have ~820,000 connections being handled by your firewall so I guess it's possible that there could be 50k concurrent connections from your user population all trying to hit the same destination IP via the same Hide NAT, in which case the only solution is doing more "Many to One" Hide NATs or implementing "Many to Fewer" Hide NATs as described above.

Edit: You can investigate the top 10 destination IP addresses per Hide NAT address (bbxxxx0a in this example) by doing something like this:

fw tab -u -t connections | grep -i bbxxxx0a | awk '{ print $4 }' | sort -n | uniq -c | sort -nr | head -10


Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
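As an added example (not part of the post above, and not Check Point's own tooling), the following Python script does offline what the grep/awk/sort/uniq pipeline does on the gateway, and additionally decodes the hex fields and flags destinations whose concurrent connection count reaches a caller-supplied per-destination port budget. It ASSUMES that each `fw tab -u -t connections` entry starts with six comma-separated 32-bit hex fields in the order direction, source IP, source port, destination IP, destination port, protocol; the sample output, the hide address 203.0.113.1 and the `port_budget` value are constructed for the demonstration.

```python
import re
import sys
from collections import Counter

# Layout ASSUMED here for one entry of "fw tab -u -t connections" output:
# six comma-separated 32-bit hex fields inside <...>, in the order
# direction, source IP, source port, destination IP, destination port,
# protocol, followed by further fields this script ignores. The fourth
# field is what awk '{ print $4 }' extracts in the pipeline above.
ENTRY_RE = re.compile(
    r"<\s*([0-9a-f]{8}),\s*([0-9a-f]{8}),\s*([0-9a-f]{8}),"
    r"\s*([0-9a-f]{8}),\s*([0-9a-f]{8}),\s*([0-9a-f]{8})",
    re.IGNORECASE,
)

# Constructed sample output (not captured from a real gateway). The hide
# NAT address is 203.0.113.1 = cb007101; destinations are in 198.51.100.0/24.
SAMPLE_OUTPUT = """\
<00000000, cb007101, 0000c001, c6336401, 000001bb, 00000006; 00010001, ...>
<00000000, cb007101, 0000c002, c6336401, 000001bb, 00000006; 00010001, ...>
<00000000, cb007101, 0000c003, c6336401, 000001bb, 00000006; 00010001, ...>
<00000000, cb007101, 0000c004, c6336402, 00000050, 00000006; 00010001, ...>
<00000000, CB007101, 0000c005, c6336402, 000001bb, 00000006; 00010001, ...>
<00000000, cb007102, 0000c006, c6336401, 000001bb, 00000006; 00010001, ...>
<00000000, 0a000005, 0000d001, c6336401, 000001bb, 00000006; 00010001, ...>
"""


def hex_to_ip(h):
    """Turn an 8-digit hex field such as 'c6336401' into '198.51.100.1'."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))


def parse_entries(output):
    """Yield (src_ip, dst_ip, dst_port, proto) for every entry that matches
    the assumed layout; lines that do not match are skipped."""
    for line in output.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        _direction, src, _sport, dst, dport, proto = m.groups()
        yield hex_to_ip(src), hex_to_ip(dst), int(dport, 16), int(proto, 16)


def top_destinations(output, hide_ip, n=10):
    """Count connections per destination IP whose source is the hide NAT
    address, most-used first (the same thing the grep/awk/sort/uniq pipeline
    reports). Matching is on the decoded source field, so hex case does not
    matter and the hide address appearing in another field does not count."""
    counts = Counter(
        dst for src, dst, _dport, _proto in parse_entries(output) if src == hide_ip
    )
    return counts.most_common(n)


def exhaustion_risk(output, hide_ip, port_budget):
    """Return destination IPs whose concurrent connection count from one hide
    address has reached port_budget. The budget is an assumption supplied by
    the caller; the post gives no fixed number, only that tens of thousands of
    concurrent connections to one destination can exhaust a single hide IP."""
    return [
        dst for dst, cnt in top_destinations(output, hide_ip, n=None)
        if cnt >= port_budget
    ]


if __name__ == "__main__":
    # Usage: fw tab -u -t connections | python3 hide_nat_top.py 203.0.113.1
    # With no piped input the constructed sample is analysed instead.
    hide = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for dst, cnt in top_destinations(data, hide):
        print(f"{cnt:8d}  {dst}")
```

The field-level match is deliberately stricter than `grep`: a bare `grep` for the hide address also matches entries where that address is the destination (inbound traffic), which would inflate the counts you are trying to interpret.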
