(nat disallows)
Hi
Why would NAT disallow SecureXL templating?
Running this debug:
fwaccel dbg -m tmpl + tmpl
Shows messages like this one:
cphwd_create_template: Trying to create template for conn: <dir 1, 10.10.51.96:51137 -> 8.8.8.8:53 IPP 17>
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];cphwd_get_sdwan_templates_info: sdwan not active. tmpl allowed
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];get_connkey_template: Conn <dir 1, 10.10.51.96:51137 -> 8.8.8.8:53 IPP 17> cannot be offloaded as template (nat disallows)
Sep 27 15:37:00 2024 fw01 kernel:[fw4_1];get_connkey_template: template is not possible. flags=0x40000048, unsupported_flags=0x40000048 reason: NAT Disallowed Conn
fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |Sync,Mgmt,eth1-01, |Acceleration,Cryptography |
| | | |eth1-03,eth1-04 | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
LightSpeed Accel : disabled
Running this command:
fwaccel templates -R
Shows that Prevented By Policy Rules |272089470 |60.340 % is decreasing and NAT Disallowed Conn |55142899 |12.229 % is increasing!
fwaccel templates -R
Matched connections not allowed to use templates:
% Prevention : 1.278%
Reason Count Reason Prevented From Matched %
Non-Syn/Empty First Packet |311689 |0.827 %
Src/dst IP Blacklisted |170192 |0.452 %
Dynamic VPN Connection |2 |0.000 %
--------------------
Connections failed to create templates:
% Fail to Create : 76.029%
Reason Count Reason Fail To Create %
NON TCP/UDP PROTO |4814005 |1.068 %
Conn Not Accelerated |9462382 |2.098 %
NAT Disallowed Conn |55142899 |12.229 %
DHCP Check Feature Isn't Supported Or Disabled|15 |0.000 %
General Error |1037801 |0.230 %
Malicious Destination IP Detected |285648 |0.063 %
Prevented By Policy Rules |272089470 |60.340 %
What could be wrong in the NAT rules that prevents templating?
I haven't found any information about this in the admin guides.
https://support.checkpoint.com/results/sk/sk153832
I know the sk below shows R80.20 and lower, but I see the same values in R81.20
Andy
My lab.
Andy
************************
[Expert@CP-GW:0]# fw ctl get int cphwd_nat_templates_support
cphwd_nat_templates_support = 1
[Expert@CP-GW:0]# fw ctl get int cphwd_nat_templates_enabled
cphwd_nat_templates_enabled = 1
[Expert@CP-GW:0]# cpinfo -y fw1
This is Check Point CPinfo Build 914000248 for GAIA
[FW1]
HOTFIX_TEX_ENGINE_R8120_AUTOUPDATE
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 84
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
FW1 build number:
This is Check Point's software version R81.20 - Build 037
kernel: R81.20 - Build 045
[Expert@CP-GW:0]#
From sk32578, Accelerated NAT is not supported if:
- NAT64 / NAT46 when it is not a TCP / UDP protocol.
- Early NAT (VoIP).
- The protocol is not TCP / UDP / SCTP.
Our environment is clean IPv4
No VOIP
Because 70% of all connections are not templating, these connections (70%) cannot be other than TCP or UDP
95% of NAT rules have service=any
using
fwaccel dbg -m default + nat
I could find this log:
Sep 28 19:11:00 2024 fw01 kernel:[fw4_5];cphwd_create_template: Trying to create template for conn: <dir 1, 10.8.0.12:53318 -> 199.77.120.120:53 IPP 17>
Sep 28 19:11:00 2024 fw01 kernel:[fw4_5];cphwd_get_nat_templates_info: nat template is not allowed (fwx)
What does fwx mean?
Might be worth opening TAC case to investigate this further.
fwx_cache is used to cache all NAT table policy lookups.
Andy
Are you only seeing this NAT disallow for DNS (UDP 53) traffic? Is Anti-bot enabled? It could be the new R81.20 under-the-hood DNS protections (sk178487 & sk175623) keeping the NAT template from being formed to ensure a full rulebase lookup in F2F/slowpath, and causing Deep Inspection to happen on a Firewall Worker Core to implement these features. That would be my guess.
now available at maxpowerfirewalls.com
Anti-bot is active under Autonomous Threat prevention
get_connkey_template: template is not possible. flags=0x40000028, unsupported_flags=0x40000028 reason: NAT Disallowed Conn
I could not find any other "disallow" log
So, is that a normal process to disallow NAT templating?
While I'm with @Timothy_Hall that this is probably related to the DNS protections in R81.20, I suggest opening a TAC case to confirm this is expected behavior.
Should we expect that the 'Prevented By Policy Rules' metric decreases while 'NAT Disallowed Conn' increases at the same rate?
By comparing the outputs of the fwaccel templates -R command above and here, is it expected that as the first value declines, the second is rising proportionally?!
fwaccel templates -R
Matched connections not allowed to use templates:
% Prevention : 1.317%
Reason Count Reason Prevented From Matched %
Non-Syn/Empty First Packet |380192 |0.892 %
Src/dst IP Blacklisted |181168 |0.425 %
Dynamic VPN Connection |2 |0.000 %
--------------------
Connections failed to create templates:
% Fail to Create : 74.072%
Reason Count Reason Fail To Create %
NON TCP/UDP PROTO |4977799 |1.037 %
Conn Not Accelerated |10075926 |2.100 %
NAT Disallowed Conn |66885040 |13.940 %
DHCP Check Feature Isn't Supported Or Disabled|22 |0.000 %
General Error |1065069 |0.222 %
Malicious Destination IP Detected |294264 |0.061 %
Prevented By Policy Rules |272106949 |56.712 %
-------------------
fw01>
Prevented by Policy Rules refers to the Access Policy, not NAT.
NAT has its own entry in fwaccel templates output.
Pretty sure these counters are since last reboot (or possibly last cpstop/cprestart).
Which is why, after you made the changes we suggested, that counter is going down.
Prevented By Policy Rules is going down that is correct, but NAT Disallowed Conn is going up at the same rate.
So, if Prevented By Policy Rules goes down by 1%, NAT Disallowed Conn goes up by 1%.
NON TCP/UDP PROTO |4986278 |1.036 %
Conn Not Accelerated |10148333 |2.109 %
NAT Disallowed Conn |67469139 |14.023 %
DHCP Check Feature Isn't Supported Or Disabled|22 |0.000 %
General Error |1065685 |0.221 %
Malicious Destination IP Detected |294399 |0.061 %
Prevented By Policy Rules |272139968 |56.564 %
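The question about the two percentages moving in lockstep, and the reply that the counters are cumulative since the last reboot, are easier to judge from deltas than from the "%" column: that column is each reason's share of all connections seen since boot, so a counter that has stopped growing shows a falling percentage by dilution alone. The following is an added example (not from the thread or from Check Point) that parses the two most recent "Connections failed to create templates" tables posted above and reports which reasons account for the connections added between them.

```python
import re

# The "Connections failed to create templates" rows from the two most recent
# snapshots in this thread (constructed input in the format fwaccel prints).
BEFORE = """\
NON TCP/UDP PROTO |4977799 |1.037 %
Conn Not Accelerated |10075926 |2.100 %
NAT Disallowed Conn |66885040 |13.940 %
DHCP Check Feature Isn't Supported Or Disabled|22 |0.000 %
General Error |1065069 |0.222 %
Malicious Destination IP Detected |294264 |0.061 %
Prevented By Policy Rules |272106949 |56.712 %
"""
AFTER = """\
NON TCP/UDP PROTO |4986278 |1.036 %
Conn Not Accelerated |10148333 |2.109 %
NAT Disallowed Conn |67469139 |14.023 %
DHCP Check Feature Isn't Supported Or Disabled|22 |0.000 %
General Error |1065685 |0.221 %
Malicious Destination IP Detected |294399 |0.061 %
Prevented By Policy Rules |272139968 |56.564 %
"""

# reason | cumulative count | percentage of all connections since boot
ROW = re.compile(r"^(?P<reason>.+?)\s*\|\s*(?P<count>\d+)\s*\|\s*(?P<pct>[\d.]+)\s*%$")

def parse_failures(text):
    # Map each fail-to-create reason to its cumulative counter; header and
    # separator lines do not match the row pattern and are skipped.
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m["reason"]] = int(m["count"])
    return rows

def deltas(before, after):
    # Connections added per reason between two snapshots of cumulative counters.
    return {r: after[r] - before.get(r, 0) for r in after}

def share_of_new(delta):
    # Fraction of the *newly* failed connections that each reason explains.
    total = sum(delta.values())
    return {r: (n / total if total else 0.0) for r, n in delta.items()}

if __name__ == "__main__":
    d = deltas(parse_failures(BEFORE), parse_failures(AFTER))
    for reason, frac in sorted(share_of_new(d).items(), key=lambda kv: kv[1], reverse=True):
        print(f"{reason:<48} +{d[reason]:>8}  {frac:6.1%} of new failures")
```

Between these two snapshots "NAT Disallowed Conn" accounts for roughly 84% of the newly failed templates while "Prevented By Policy Rules" accounts for under 5%, so the falling percentage of the latter is dilution of a counter that has nearly stopped growing, not a conversion of one reason into the other.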
That begs the question: what precise changes were made in your rulebase?
What did the rules look like before?
This is probably going to require TAC.
That makes total sense, agree.
First of all I had a rule with "logical server" (we managed to remove it) that was blocking SecureXL, then
I followed what Tim Hall said here:
https://community.checkpoint.com/t5/General-Topics/VPN-disturbances/m-p/226354#M37793
"you have a blade other than "Firewall" enabled in the top/parent layer of a unified/inline policy implementation."
In my case, it was the URL Filtering blade that was enabled on multiple inline layers within the access policy. After deactivating these, the Prevented By Policy Rules began to decrease, while NAT Disallowed Conn started to increase.
Ah, yes, I remember the conversation now.
Have you opened a TAC case on this yet?
Not yet, I am trying to understand what is happening first 😀
To come to the understanding you are seeking, specific debugs will need to be done.
I'd start with these: https://support.checkpoint.com/results/sk/sk60343
Depending on what those debugs say, TAC may need to be involved to make further progress.