fwx_alloc is the table that maps real source ports with Security Gateway's allocated source ports, used for NAT.
A possible deployment locates clients "A" and "B" behind a Security Gateway, with 'NAT Hide' activated. Both NATed clients could, accidentally, use the same source port "X" and connect to the same server.
This means that client "A" with source port "X" behind a Security Gateway connects to server "S", and client "B" also with source port "X" behind the same Security Gateway also connects to server "S". Server "S" sees both connections as being the same, since both connections have the source IP of the Security Gateway and the same source port "X". This situation is problematic.
To avoid such a scenario, the source ports of 'NAT Hidden' connections must be managed. This is done by using the fwx_alloc table. The size of this table can be adjusted in the properties of the Gateway's object: General -> Capacity Optimization -> modify the value of Maximum concurrent connections. This modifies the size limit of both the "Connections" table and the NAT "fwx_alloc" table.
If adjusting the table size that way does not work, the procedure below is suggested:
Warning: Check Point does not recommend modifying the size of fwx_alloc table manually. If you decide to do so, consult Check Point Support about how to proceed.
By default, the size of the fwx_alloc table is 25000. You can increase the table size by manually changing the nat_limit attribute of the Gateway's object in the $FWDIR/conf/objects_5_0.C file on the Security Management Server.
Note: The attribute is part of the Global Properties object (i.e. 'firewall_properties' under the 'properties' table). You can modify this global property via GuiDBedit; this still applies in R80.x.
Note: When you change the value of nat_limit in $FWDIR/conf/objects_5_0.C on the Management Server, then that also modifies the following tables/properties:
- 'fwx_alloc' table
- 'fwx_auth' table
- 'fwx_max_conns' kernel parameter
You can manually verify this by running the following commands on the Security Gateway:
- [Expert@HostName]# fw tab -t fwx_alloc | grep limit
- [Expert@HostName]# fw tab -t fwx_auth | grep limit
- [Expert@HostName]# fw ctl get int fwx_max_conns
The theoretical maximum number of concurrent hidden connections per destination is 65536 (assuming the same destination port), because the source port field in TCP/UDP is only 16 bits wide.
In certain situations, you can increase the maximum number of connections. In the following cases, the same source ports can be reused, which improves scalability:
- Using different IP addresses in Hide NAT settings.
- Connections using different IP protocols - TCP/UDP.
- Connections to different servers.
To delete all connections from the NAT cache and NAT allocation tables, run:
- [Expert@HostName]# fw tab -t fwx_alloc -x
- [Expert@HostName]# fw tab -t fwx_cache -x -y
Press 'y' to confirm the deletion.
Note: NAT tables are not cleared upon Security Policy installation.
Use of the hide_alloc_attempts parameter when checking the
When a new port allocation request is received, the system looks at the last allocated port, and then checks if the next port is already allocated. If the next port is not already allocated, the request can be granted.
If the next port is already allocated, the system continues checking each successive port. This continues for up to hide_alloc_attempts ports; if no free port is found, the port allocation request is denied.
For example, assume 'hide_alloc_attempts=30' and that the last allocated port was '25555'. The system starts checking at port '25556' and continues until port '25586'. If no available port is found, the system returns an error.
Note: This port range is cyclic. This means that once the maximal port number is checked, the system continues checking from port 10000 (the first port in the table).
Note: Change the hide_alloc_attempts parameter via GuiDBedit.
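The following simulation, added here as an illustration and not Check Point's own code, models the behaviour described on this page: the fwx_alloc-style table that gives clients "A" and "B" distinct translated ports when both use the same real source port to the same server, the reuse of the same port for a different hide IP, protocol or server, the cyclic scan of up to hide_alloc_attempts ports starting after the last allocated port and wrapping to port 10000, and the nat_limit cap on table size. The table key (hide IP, protocol, destination IP, destination port), the upper port bound of 65535, and the rule that the first request for a key starts at the first port are assumptions made for the example; the real kernel implementation may differ.

```python
from collections import defaultdict

# Constructed simulation of Hide NAT source-port allocation; not Check Point code.
# FIRST_PORT is the "first port in the table" named on the page; the upper bound
# (65535, the largest 16-bit port) and the table key are assumptions of this example.
FIRST_PORT = 10000
LAST_PORT = 65535


class HideNatAllocator:
    """Models an fwx_alloc-style table: one translated port per (hide IP, protocol,
    destination IP, destination port) key, scanned cyclically from the last
    allocated port for at most hide_alloc_attempts ports."""

    def __init__(self, hide_alloc_attempts=30, nat_limit=25000,
                 first_port=FIRST_PORT, last_port=LAST_PORT):
        self.attempts = hide_alloc_attempts
        self.nat_limit = nat_limit          # size limit of the table (page default: 25000)
        self.first_port = first_port
        self.last_port = last_port
        # key -> {translated source port: (real source IP, real source port)}
        self.table = defaultdict(dict)
        self.last_allocated = {}            # key -> last port handed out for that key
        self.entries = 0

    def _next_port(self, port):
        # The port range is cyclic: after the last port, continue from the first.
        return self.first_port if port >= self.last_port else port + 1

    def allocate(self, hide_ip, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the translated source port, or None if the request is denied."""
        if self.entries >= self.nat_limit:
            return None                     # table full: nat_limit reached
        key = (hide_ip, proto, dst_ip, dst_port)
        used = self.table[key]
        # Assumption: the first request for a key starts scanning at first_port.
        port = self.last_allocated.get(key, self.last_port)
        for _ in range(self.attempts):
            port = self._next_port(port)
            if port not in used:
                used[port] = (src_ip, src_port)
                self.last_allocated[key] = port
                self.entries += 1
                return port
        return None                         # hide_alloc_attempts exhausted

    def release(self, hide_ip, proto, dst_ip, dst_port, port):
        """Free a translated port when its connection ends."""
        if self.table[(hide_ip, proto, dst_ip, dst_port)].pop(port, None) is not None:
            self.entries -= 1

    def flush(self):
        """Counterpart of 'fw tab -t fwx_alloc -x': drop every entry."""
        self.table.clear()
        self.last_allocated.clear()
        self.entries = 0


def collision_demo():
    """Clients A and B both use real source port 40000 to the same server S: the
    table gives them distinct translated ports, so S can tell the flows apart.
    Addresses are constructed documentation-range values."""
    nat = HideNatAllocator()
    a = nat.allocate("198.51.100.1", "tcp", "10.0.0.1", 40000, "203.0.113.5", 443)
    b = nat.allocate("198.51.100.1", "tcp", "10.0.0.2", 40000, "203.0.113.5", 443)
    # The same translated port is reusable for a different protocol or a different server.
    udp = nat.allocate("198.51.100.1", "udp", "10.0.0.3", 40000, "203.0.113.5", 443)
    other = nat.allocate("198.51.100.1", "tcp", "10.0.0.3", 40000, "203.0.113.6", 443)
    return {"a": a, "b": b, "udp": udp, "other_server": other}


def exhaustion_demo():
    """Tiny cyclic range (4 ports) with hide_alloc_attempts=2 to show wrap-around,
    denial when the scan finds nothing, and recovery once a port is released."""
    nat = HideNatAllocator(hide_alloc_attempts=2, first_port=10000, last_port=10003)
    args = ("198.51.100.1", "tcp", "10.0.0.9", 5000, "203.0.113.5", 80)
    first_four = [nat.allocate(*args) for _ in range(4)]   # 10000..10003
    denied = nat.allocate(*args)          # wraps: scans 10000, 10001, both used -> None
    nat.release("198.51.100.1", "tcp", "203.0.113.5", 80, 10001)
    recovered = nat.allocate(*args)       # scans 10000 (used), then 10001 (free)
    return {"first_four": first_four, "denied": denied, "recovered": recovered}
```

The exhaustion case is the one worth watching in production: a denied allocation shows up as a dropped connection even though the table is nowhere near nat_limit, because only a window of hide_alloc_attempts ports after the last allocation is examined, not the whole range.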
Related Solutions:
- This sk is merged with sk32202