SecureXL NAT Templates
Solution

 

Background:

  • Using SecureXL Templates for NAT traffic is critical to achieving a high session rate for NAT.

  • SecureXL Templates are supported for Static NAT and Hide NAT using the existing SecureXL Templates mechanism.

  • SecureXL NAT Templates are supported in cluster in High Availability / VRRP, and Load Sharing modes.

  • SecureXL Templates are supported by VSX Virtual Systems.

  • The SecureXL NAT Templates feature is disabled by default on Check Point Security Gateway:
    [Expert@FW]# fwaccel stat
    Accelerator Status : on
    Accept Templates   : enabled
    Drop Templates     : disabled
    NAT Templates      : disabled by user
    
  • SecureXL implements NAT Templates only once these templates are offloaded by the FireWall kernel.

 

Procedure:

The SecureXL NAT Templates feature is controlled via the following global kernel parameters:

Kernel Parameter: cphwd_nat_templates_support
Accepted values: 0, 1
Description: Indicates whether the SecureXL device should support NAT templates:

  • 0 = SecureXL device should not support NAT templates (default)
  • 1 = SecureXL device should support NAT templates

Kernel Parameter: cphwd_nat_templates_enabled
Accepted values: 0, 1
Description: Enables / disables the NAT templates feature:

  • 0 = Disables the NAT templates feature (default)
  • 1 = Enables the NAT templates feature

Relevant in R76SP.x versions:

Kernel Parameter: cphwd_nat_templates_user_force
Accepted values: 0, 1
Description: Indicates whether the SecureXL device will enforce NAT templates:

  • 0 = NAT templates will be enabled automatically (distribution dependent)
  • 1 = Force SecureXL NAT templates enablement
  • 2 = Force SecureXL NAT templates disablement

Important Note: The only officially supported way to enable / disable the SecureXL NAT templates is by setting the relevant kernel parameters in the $FWDIR/boot/modules/fwkern.conf file. Enabling / disabling the SecureXL NAT templates on-the-fly with the 'fw ctl set int' command is NOT supported.

 

Configuration steps:

Note: In cluster environment, this procedure must be performed on all members of the cluster.

  • To enable SecureXL NAT templates on Check Point Security Gateway:

    1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exist):

      [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf
    2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:

      [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf
    3. Add the following lines (spaces and comments are not allowed):

      cphwd_nat_templates_support=1
      cphwd_nat_templates_enabled=1
    4. Save the changes and exit from Vi editor.

    5. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:

      [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf
    6. Reboot the Security Gateway.

    7. Check the status of SecureXL NAT templates:

      [Expert@FW]# fwaccel stat
      
      Accelerator Status : on
      Accept Templates   : enabled
      Drop Templates     : disabled
      NAT Templates      : enabled
      
  • To disable SecureXL NAT templates on Check Point Security Gateway:

    1. Unset the kernel parameters:

      • Either delete the relevant lines from the $FWDIR/boot/modules/fwkern.conf file

      • Or set the values of kernel parameters to 0 (zero) in the $FWDIR/boot/modules/fwkern.conf file

    2. Reboot the Security Gateway.

    3. Check the status of SecureXL NAT templates:

      [Expert@FW]# fwaccel stat
      
      Accelerator Status : on
      Accept Templates   : enabled
      Drop Templates     : disabled
      NAT Templates      : disabled
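
A pre-reboot check for the enable and disable procedures above, as an added example that is not part of the original article or of Check Point's tooling: it lints a fwkern.conf for the "spaces and comments are not allowed" rule and reports whether the two NAT template parameters are both set, both unset, or mismatched. The function name, the state labels, and the treatment of blank lines and of a mismatch are assumptions of this example.

```shell
#!/bin/bash
# Added example (hypothetical helper, not a Check Point command).
# Prints one state on stdout: enabled | disabled | mismatch | invalid
# Format violations are reported on stderr.
check_nat_templates_conf() {
    conf="$1"
    support=0; enabled=0; bad=0
    # No file means the parameters are unset, i.e. the documented default.
    [ -f "$conf" ] || { echo "disabled"; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue      # assumption: blank lines are skipped
        case "$line" in
            *[[:space:]]*|*'#'*)
                # The article: spaces and comments are not allowed.
                # A trailing CR from a Windows editor is caught here too.
                echo "format violation: '$line'" >&2
                bad=1
                continue ;;
        esac
        case "$line" in
            cphwd_nat_templates_support=*) support="${line#*=}" ;;
            cphwd_nat_templates_enabled=*) enabled="${line#*=}" ;;
        esac
    done < "$conf"
    [ "$bad" -eq 1 ] && { echo "invalid"; return 1; }
    case "$support$enabled" in
        11) echo "enabled" ;;           # both lines from step 3 present
        00) echo "disabled" ;;          # both removed or set to 0
        10|01)
            # Assumption: the article documents only both-set and both-unset,
            # so one parameter without the other is flagged for review.
            echo "mismatch"; return 1 ;;
        *)  echo "invalid"; return 1 ;; # value other than 0 or 1
    esac
}

# Constructed sample (not from a real gateway): the two lines from step 3.
demo=$(mktemp)
printf 'cphwd_nat_templates_support=1\ncphwd_nat_templates_enabled=1\n' > "$demo"
echo "sample fwkern.conf -> $(check_nat_templates_conf "$demo")"
rm -f "$demo"
```

On a gateway, call it as check_nat_templates_conf "$FWDIR/boot/modules/fwkern.conf" on every cluster member before rebooting.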
      

 

Limitations:

  • There are factors that disable SecureXL Templates.
    Refer to sk32578 - SecureXL Mechanism - section "Connection establishment acceleration ("templates" mechanism)".

 

Related documentation:

  • Performance Pack Administration Guide (R75.40, R75.40VS).
  • Performance Tuning Administration Guide (R76, R77).

 

Related solutions:

Applies To:
  • 00893482 , 00261928
