SecureXL NAT Templates

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk71200
Technical Level
Product	SecureXL
Version	R75.40 (EOL), R75.40VS (EOL), R75.45 (EOL), R75.46 (EOL), R75.47 (EOL), R76 (EOL), R77 (EOL), R77.10 (EOL), R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL)
OS	SecurePlatform 2.6, Gaia
Platform / Model	All
Date Created	18-Apr-2012
Last Modified	22-Apr-2020

Solution

Background:

Using SecureXL Templates for NAT traffic is critical to achieve high session rate for NAT.
SecureXL Templates are supported for Static NAT and Hide NAT using the existing SecureXL Templates mechanism.
SecureXL NAT Templates are supported in cluster in High Availability / VRRP, and Load Sharing modes.
SecureXL Templates are supported by VSX Virtual Systems.
SecureXL NAT Templates feature in SecureXL is disabled by default on Check Point Security Gateway R80.10 and below. All template handling in versions R80.20 and above has moved to the Firewall, and is not relevant to SecureXL .
SecureXL implements NAT Templates only once these templates are offloaded by FireWall kernel.

Procedure:

SecureXL NAT Templates feature is controlled via the following global kernel parameters:

Kernel Parameter	Accepted values	Description
`cphwd_nat_templates_support`	0 1	Indicates whether the SecureXL device should support NAT templates: 0 = SecureXL device should not support NAT templates (default) 1 = SecureXL device should support NAT templates
`cphwd_nat_templates_enabled`	0 1	Enables / disables the NAT templates feature 0 = Disables the NAT templates feature (default) 1 = Enables the NAT templates feature
Relevant in R76SP.x versions:
`cphwd_nat_templates_user_force`	0 1 2	Indicates whether the SecureXL device will enforce NAT templates: 0 = NAT templates will be enabled automatically (distribution dependent) 1 = Force SecureXL Nat templates enablement 2 = Force SecureXL NAT templates disablement

Important Note: The only officially supported way to enable / disable the SecureXL NAT templates is by setting the relevant kernel parameters in $FWDIR/boot/modules/fwkern.conf file. Enabling / disabling the SecureXL NAT templates on-the-fly with 'fw ctl set int' command is NOT supported.

Configuration steps:

Note: In cluster environment, this procedure must be performed on all members of the cluster.

To enable SecureXL NAT templates on Check Point Security Gateway:
1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exit):
  [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf
2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:
  [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf
3. Add the following lines (spaces and comments are not allowed):
  cphwd_nat_templates_support=1 cphwd_nat_templates_enabled=1
4. Save the changes and exit from Vi editor.
5. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:
  [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf
6. Reboot the Security Gateway.
7. Check the status of SecureXL NAT templates:
```
[Expert@FW]# fwaccel stat

Accelerator Status : on
Accept Templates   : enabled
Drop Templates     : disabled
NAT Templates      : enabled
```
To disable SecureXL NAT templates on Check Point Security Gateway:
1. Unset the kernel parameters:
  - Either delete the relevant lines from the $FWDIR/boot/modules/fwkern.conf file
  - Or set the values of kernel parameters to 0 (zero) in the $FWDIR/boot/modules/fwkern.conf file
2. Reboot the Security Gateway.
3. Check the status of SecureXL NAT templates:
```
[Expert@FW]# fwaccel stat

Accelerator Status : on
Accept Templates   : enabled
Drop Templates     : disabled
NAT Templates      : disabled
```

Limitations:

There are factors that disable SecureXL Templates.
Refer to sk32578 - SecureXL Mechanism - section "Connection establishment acceleration ("templates" mechanism)".

Background:

Procedure:

Limitations:

Related documentation:

Related solutions: