Support Center > Search Results > SecureKnowledge Details
Connections with Hide NAT are dropped during policy installation due to NAT port allocation failure when CoreXL is enabled Technical Level
Symptoms
  • On Check Point appliances with over 12 CoreXL FW instances, connections from the Security Gateway with Hide NAT are dropped with no logging information.

  • Kernel debug ('fw ctl zdebug -m fw + drop xlate') shows:
    fw_first_packet_xlation: NAT rulematch failed (INBOUND) (ret=-1)
    fw_log_drop: Packet ... dropped by fw_first_packet_xlation Reason: NAT rulematch failed
Cause

During policy installation, NAT port allocation fails due to the lack of available global ports for all CoreXL FW instances.

By default, the amount of global ports is 5 000 (range is between 60 000 and 65 000), and these ports are shared between all CoreXL FW instances.


Solution
Note: To view this solution you need to Sign In .