Extending the traditional Hide NAT solution, Carrier Grade NAT (CGNAT) uses improved port allocation techniques and a more efficient method for logging.
A CGNAT rule defines a range of original source IP addresses and a range of translated IP addresses. Each IP address in the original range is automatically allocated a range of translated source ports, based on the number of original IP addresses and the size of the translated range.
CGNAT port allocation is stateless and is performed during policy installation. This eliminates the need for per-connection calculation, and there is no need to synchronize this data between cluster members.
The number of ports allocated per IP address depends strongly on the number of available external IP addresses. To make better use of every port, CGNAT can identify connections that go to different destinations and reuse the same port for multiple outgoing connections.
When configuring a CGNAT rule, the number of anticipated connections must be taken into account. However, the real needs of a certain IP address sometimes exceed the allotted port range. To overcome this, Stateful Port Allocation is performed using the global Reserved Port Pool.
This global Reserved Port Pool is mainly used for DNS requests, which require source port randomization as a measure against DNS poisoning. However, additional services may also be configured to use this pool.
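As an added illustration of the stateless allocation described above (this is example code, not Check Point's implementation; the even-split block arithmetic, the sample address ranges and the sizing check are assumptions), the following Python model derives each subscriber's public IP and port block purely from the rule parameters, so every cluster member can compute it independently at policy installation:

```python
import ipaddress
from math import ceil

# Constructed sample rule using documentation address ranges:
# 256 subscriber addresses are hidden behind 2 public addresses.
ORIGINAL_RANGE = ("10.0.0.0", "10.0.0.255")
TRANSLATED_RANGE = ("203.0.113.1", "203.0.113.2")
PORT_LO, PORT_HI = 1024, 65535


def _span(first, last):
    """Return (integer base address, number of addresses) for an inclusive range."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if b < a:
        raise ValueError("range end precedes range start")
    return a, b - a + 1


def plan_rule(original, translated, port_lo=PORT_LO, port_hi=PORT_HI):
    """Compute the rule's allocation parameters once, at policy-installation time.

    Hypothetical model: subscribers are spread evenly over the public addresses
    and each gets an equal, contiguous port block. Because the result depends
    only on the rule, every cluster member derives the same plan.
    """
    orig_base, n_orig = _span(*original)
    pub_base, n_pub = _span(*translated)
    ports_per_pub = port_hi - port_lo + 1
    subs_per_pub = ceil(n_orig / n_pub)          # subscribers sharing one public IP
    block_size = ports_per_pub // subs_per_pub   # contiguous hide ports per subscriber
    if block_size == 0:
        raise ValueError("more subscribers than ports: enlarge the translated range")
    return {"orig_base": orig_base, "n_orig": n_orig, "pub_base": pub_base,
            "port_lo": port_lo, "subs_per_pub": subs_per_pub, "block_size": block_size}


def lookup(rule, src_ip):
    """Stateless mapping: subscriber address -> (public IP, first port, last port).

    Pure arithmetic on the plan; nothing per connection is stored or synchronized.
    """
    i = int(ipaddress.ip_address(src_ip)) - rule["orig_base"]
    if not 0 <= i < rule["n_orig"]:
        raise ValueError(f"{src_ip} is not covered by this CGNAT rule")
    pub = ipaddress.ip_address(rule["pub_base"] + i // rule["subs_per_pub"])
    first = rule["port_lo"] + (i % rule["subs_per_pub"]) * rule["block_size"]
    return str(pub), first, first + rule["block_size"] - 1


def blocks_are_disjoint(rule):
    """Check that no (public IP, port) pair is handed to two subscribers."""
    seen = set()
    for i in range(rule["n_orig"]):
        pub, first, last = lookup(rule, str(ipaddress.ip_address(rule["orig_base"] + i)))
        for port in range(first, last + 1):
            if (pub, port) in seen:
                return False
            seen.add((pub, port))
    return True


def fits_anticipated_load(rule, connections_per_subscriber):
    """Sizing check: does each block cover the anticipated connection count?

    Ports can be reused for different destinations and the Reserved Port Pool
    absorbs overflow, so this is a conservative planning figure, not a hard limit.
    """
    return rule["block_size"] >= connections_per_subscriber


if __name__ == "__main__":
    rule = plan_rule(ORIGINAL_RANGE, TRANSLATED_RANGE)
    print(f"{rule['block_size']} ports per subscriber, disjoint={blocks_are_disjoint(rule)}")
    for ip in ("10.0.0.0", "10.0.0.5", "10.0.0.128", "10.0.0.255"):
        print(ip, "->", lookup(rule, ip))
```

With the constructed rule, 128 subscribers share each public address and every subscriber receives 504 ports; `lookup` answers from arithmetic alone, which is what makes the allocation stateless and cluster-synchronization free, and `fits_anticipated_load` is the planning step the text asks for before the Reserved Port Pool has to step in.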
Where such large numbers of connections exist, logging every connection both loads the system and produces too much data for the administrator to analyze efficiently.
CGNAT logs are produced only when a user connects for the first time, describing their allocated IP address and port range. Additional logs are produced either when a change is made to this allocation, or when the global reserved port pool is used for a dynamic port allocation.
Note: CGNAT does not disable connection logs; this remains the administrator's choice. If the administrator does not disable connection logs, both CGNAT logs and regular connection logs are shown.
RFC 4787 compliance
RFC 4787 defines requirements for NAT implementations that allow better handling of application protocols over UDP, such as gaming, VoIP, and others.
To support these requirements, the following global attributes are available:
- UDP port stickiness - When enabled (this is the default), connections from the same subscriber to different destinations will be allocated the same combination of public IP address and port.
- UDP port parity - When enabled (this is the default), the port parity of the allocated port will match the parity of the original source port.
- UDP low range - When enabled (by default, it is disabled), a source port below 1023 is allocated a hide port, which is also below 1023.
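The following Python model is an added example of how one subscriber's hide-port block behaves under these three attributes, together with the reuse of a port across different destinations described earlier. It is not Check Point's implementation: the block contents, the best-effort fallback when no same-parity port is free, the handling of high source ports when the low range is enabled, and the escalation to the Reserved Port Pool (returned here as `None`) are assumptions.

```python
class SubscriberHidePorts:
    """One subscriber's share of a CGNAT rule: a public IP plus the hide ports it owns.

    Illustrative model of the RFC 4787 attributes, not Check Point's implementation.
    """

    def __init__(self, public_ip, ports, *, stickiness=True, parity=True, low_range=False):
        self.public_ip = public_ip
        self.ports = sorted(ports)   # constructed block; a real block comes from the rule
        self.stickiness = stickiness
        self.parity = parity
        self.low_range = low_range
        self.sticky = {}             # src_port -> hide port (endpoint-independent mapping)
        self.active = {}             # (hide_port, dst) -> src_port; the 5-tuple stays unique

    def _pool(self, src_port):
        # UDP low range: a source port below 1024 gets a hide port below 1024.
        # Assumption: with the attribute on, high source ports stay in the high range.
        if self.low_range:
            return [p for p in self.ports if (p < 1024) == (src_port < 1024)]
        return self.ports

    def _pick(self, pool, dst):
        """Prefer a port no connection uses; otherwise reuse one whose destinations differ."""
        in_use = {p for p, _ in self.active}
        for p in pool:
            if p not in in_use:
                return p
        for p in pool:
            if (p, dst) not in self.active:
                return p
        return None

    def _commit(self, src_port, dst, hide_port):
        self.active[(hide_port, dst)] = src_port
        self.sticky.setdefault(src_port, hide_port)
        return self.public_ip, hide_port

    def translate(self, src_port, dst):
        """Return (public IP, hide port) for a new connection, or None when the block
        is exhausted and the global Reserved Port Pool has to take over."""
        # UDP port stickiness: the same subscriber port keeps its public mapping
        # regardless of destination, as long as the 5-tuple stays unique.
        if self.stickiness and src_port in self.sticky:
            hide_port = self.sticky[src_port]
            if (hide_port, dst) not in self.active:
                return self._commit(src_port, dst, hide_port)
        pool = self._pool(src_port)
        choice = None
        # UDP port parity: try ports of the same parity first; fall back to any
        # parity if none is free (assumption: parity is best effort).
        if self.parity:
            choice = self._pick([p for p in pool if p % 2 == src_port % 2], dst)
        if choice is None:
            choice = self._pick(pool, dst)
        if choice is None:
            return None
        return self._commit(src_port, dst, choice)


DST_A = ("198.51.100.10", 443)   # constructed destinations
DST_B = ("198.51.100.11", 443)

if __name__ == "__main__":
    sub = SubscriberHidePorts("203.0.113.1", range(1024, 1032))
    print(sub.translate(40000, DST_A))  # ('203.0.113.1', 1024)
    print(sub.translate(40000, DST_B))  # ('203.0.113.1', 1024): stickiness
    print(sub.translate(40001, DST_A))  # ('203.0.113.1', 1025): parity preserved
```

Running the same sequence with `stickiness=False` gives the second connection a different hide port, since the allocator then prefers an unused port over the one already mapped for another destination; with a nearly full block, `_pick` falls back to reusing a port for a new destination, and only when every port is busy for that destination does `translate` return `None`, the point at which the Reserved Port Pool is used.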
These attributes can be configured in SmartDashboard: "Policy" menu - "Global Properties..." - "NAT - Network Address Translation" pane (after any change, the Network Security policy must be installed).
Note: These attributes are configured using a customized SmartDashboard. Contact Check Point Support to obtain the customized SmartDashboard.
What is the required Check Point License for CGNAT feature?
License SKU: CPSG-CARR
The "Carrier" license should be installed on R77.30 Security Gateways with FireWall-1 GX enabled.
Note: The "Carrier" license is installed in addition to the regular Security Gateway license.
The R77.30 Management Server does not require special licenses.
What is the required Check Point Security Gateway and Management Server for CGNAT feature?
Support for Carrier solutions (LTE suite: NAT64, GTP, SCTP, CGNAT, etc.) requires the R77.30 Add-on to be installed and enabled on the R77.30 Management Server.
For CGNAT configuration, refer to the R77 Versions Firewall Administration Guide - chapter "LTE" - section "Configuring CGNAT".