Support Center > Search Results > SecureKnowledge Details
NAT Table fwx_alloc Technical Level
Solution

Starting in R80.40 Security Gateway / Cluster members can allocate NAT ports using one global allocation table. The name of this method is GNAT. In versions R80.40 and higher, GNAT replaced dynamic port allocation and is on by default for systems with 6 or more firewall instances. For more information, see sk165153 and sk172933.

fwx_alloc is a table that maps real source ports with a Security Gateway's allocated source ports that are used for NAT. The fwx_alloc table appears in these configurations:

  • Versions lower than R80.40 - all NAT configurations (dynamic port allocation or static port allocation)
  • Versions R80.40 and higher - NAT configurations with static port allocation
Note: In GNAT configurations in versions R80.40 and higher, the fwx_alloc_global table replaced the fwx_alloc table.

In an example deployment with the fwx_alloc table, clients "A" and "B" are behind a Security Gateway with "NAT Hide" activated. 

It is possible for both "A" and "B" to use the same source port "X" and connect to the same server.  Client "A" with source port "X" behind a Security Gateway connects to server "S". Client "B", also with source port "X" behind the same Security Gateway, also connects to server "S". Server "S" sees both connections as the same, since both connections have the source IP address of the Security Gateway and the same source port "X". This situation is problematic.

To manage the source port of "NAT Hidden" connections, edit the fwx_alloc table. Change the size of this table in the properties of the Security Gateway object:

Select General -> Capacity Optimization and modify the value of Maximum concurrent connections. This modifies the size limit of the Connections table and the NAT fwx_alloc table. If this procedure does not work, follow the alternative procedure below.

Warning: Check Point does not recommend that you modify the size of fwx_alloc table manually. If you decide to do so, ask Check Point Support  how to proceed.

In earlier versions, and after an upgrade from an earlier version, by default, the size of the fwx_alloc table is 25000.  To increase the table size manually, change the nat_limit attribute of the Security Gateway's object in the $FWDIR/conf/objects_5_0.C file on the Security Management Server.

In fresh installations of later versions the size of the fwx_alloc table is unlimited.

Note: The attribute is part of the Global Properties object (firewall_properties in the properties table). You can modify the Global Properties in GuiDbEdit. 

Note: When you change the value of nat_limit in $FWDIR/conf/objects_5_0.C on the Management Server, these tables/properties are also modified:

  • fwx_alloc table
  • fwx_auth table
  • fwx_max_conns kernel parameter


You can enter these commands to manually verify changes in these tables and these properties:

  • [Expert@HostName]# fw tab -t fwx_alloc | grep limit
  • [Expert@HostName]# fw tab -t fwx_auth | grep limit
  • [Expert@HostName]# fw ctl get int fwx_max_conns

The maximum theoretical possible number of concurrent hidden connections per destination is 65536 (assuming the same Destination Port), because there are only 16 bits for the Source Port in TCP/UDP protocols. 

In certain situations, you can increase the maximum number of connections. In these cases, the same ports can be re-used, to improve scalability:

  • Using different IP addresses in Hide NAT settings
  • Connections using different IP protocols - TCP/UDP
  • Connections to different servers

 

To delete all connections from the NAT cache and NAT allocation tables, run:

  • [Expert@HostName]# fw tab -t fwx_alloc -x
  • [Expert@HostName]# fw tab -t fwx_cache -x -y

Press y to confirm the deletion.

Note: NAT tables are not cleared during Security Policy installation. 

     

    Use of the hide_alloc_attempts parameter in port checks of the fwx_alloc table

    When a new port allocation request is received, the system looks at the last allocated port, and then checks if the next port is already allocated. If the next port is not already allocated, the request can be granted.

    If the next port is already allocated, the system continues to check if each successive port is already allocated. The system checks ports for the number of times defined in hide_alloc_attempts. If no free port is found, the port allocation request is denied.

    For example, assume hide_alloc_attempts=30, and the last allocated port was 25555. The system starts checking with port 25556, and continues sequentially until port 25586. If no available port is found, the system returns an error.

    Note: This port range is cyclic. This means that once the maximal port number is checked, the system continues checking from port 10000 (the first port in the table).

    Note: Change the hide_alloc_attempts parameter in GuiDBedit.

     

    Related Solutions :

    Applies To:
    • This sk is merged with sk32202

    Give us Feedback
    Please rate this document
    [1=Worst,5=Best]
    Comment