Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
GregorioLujan
Explorer

NAT Timeout

Hello.

Platform:   ClusterXL (Two 15600 Gateways)   Active/Passive

Version:    R80.10

In the internet traffic in which I perform translation whit one public-IP (PAT) in a NAT policy, I observe the following:

Same combination of Tranlated-Source.IP-address + Tranlated-Source-Port (different Dest.Address) is used few seconds after is used in another TCP session.

Do you know haw can I verify the NAT timeout (time after the gateway can use the same "Tranlated-Source.IP-address + Tranlated-Source-Port")?

Can I change thie timeout or change this behabiour?


In the file attached, same Tranlated-Source.IP-address and Tranlated-Source-Port are used every few seconds, at:

12:39:13
12:39:10
12:39:05

I need to avoid that.

 

Thank you very much.

0 Kudos
2 Replies
Timothy_Hall
Champion Champion
Champion

What value is being displayed by this command:

fw ctl get int fwx_nat_dynamic_port_allocation_entry_timeout

It should display 120 seconds, which is how long the firewall is supposed to wait before reusing a Hide NAT source IP/source port combo, see sk103656: Dynamic NAT port allocation feature

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
GregorioLujan
Explorer

Hello.

Thank you very much Timothy for reply.

The output is 120 seconds.
"fwx_nat_dynamic_port_allocation_entry_timeout = 120"


As I understand it, "Dynamic NAT port allocation" is not enabled in my gateways:

For R80.10
Note: When the Number of CoreXL FW instances is less than 6, the Dynamic NAT port allocation is disabled by default.

fwx_nat_dynamic_port_allocation
On versions R80.10 and above: 1 - enable dynamic NAT port allocation only when the number of CoreXL FW instances is greater than 5

Output for "fw ctl get int fwx_nat_dynamic_port_allocation" >> fwx_nat_dynamic_port_allocation = 1


And I supose the value of "fwx_nat_dynamic_port_allocation_entry_timeout" (120 secods), aply when Dynamic NAT port allocation is enabled.

 


On the other hand, I am not sure if the value of "fwx_nat_dynamic_port_allocation_entry_timeout" [Amount of time (in seconds) the Security Gateway will wait before reusing old/previously used ports] aply only to the connecions to the same destination IP address:

"The ranges are also keyed by the Destination IP address, so each Destination IP address gets a separate allocation."


In my case, I need to the gateway not use the same port even if it is to a different address, at least until after a few minutes if possible

 

Thank you, regards.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events