The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
Hide NAT port exhaustion on Standby cluster member in ClusterXL HA mode
R77.10 (EOL), R77.20, R77.30 (EOL)
Gaia, SecurePlatform 2.6, IPSO 6.2
Platform / Model
"NAT Hide failure - there are currently no available ports for hide operation" drop logs in SmartView Tracker for connections originated from the Standby cluster member (e.g., pings to a host).
Kernel debug ('fw ctl debug -m fw + drop') on Standby cluster member shows that some connections are dropped: ;fw_log_drop_ex: Packet proto= ... dropped by fw_first_packet_xlation Reason: NAT rulematch failed
/var/log/messages file on Standby cluster member is filled with these messages for different port numbers: ;FW-1: internal error - invalid port allocation range, low_first: ..., low_last: ..., high_first: ..., high_last: ... extra_first: ..., extra_last: ..., mem index: 0, cluster size: N ;
Invalid values are assigned to kernel parameters 'fwx_low_port_quota' and 'fwx_high_port_quota', if the configured values are too large for either kernel parameter.
As a result, Hide NAT ports are exhausted on Standby cluster member.