CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Benefits of enabling acceleration NAT templates

  1. #1

    sk71200 states that "Using SecureXL Templates for NAT traffic is critical to achieve high session rate for NAT". In contrast, SecureXL templates for NAT are disabled by default.

    What benefits or gotchas do we get by enabling them, given the fact that we do massive NAT?

  2. #2

    Originally posted by slowfood27:
    sk71200 states that "Using SecureXL Templates for NAT traffic is critical to achieve high session rate for NAT". In contrast, SecureXL templates for NAT are disabled by default.

    What benefits or gotchas do we get by enabling them, given the fact that we do massive NAT?

    This is covered in my book. Unless fwaccel stats -s shows that both Accelerated Conns AND Accelerated Packets are at least 50% (rare in most situations) there is little to be gained by enabling NAT Templates and a lot of potential risk, since the only way to turn off NAT Templates if there is a problem is to reboot. Basically if an Accept template exists for a connection, and if NAT templates are also enabled, and a NAT template exists for the connection too, SecureXL can determine the needed NAT all by itself and it will save a trip to F2F to perform a NAT rulebase lookup for the connection startup.

    However there is already a NAT cache mechanism in F2F to prevent expensive NAT policy lookups. Using NAT Templates and/or Drop Templates (Optimized drops) also seems to increase the chances of problems with SecureXL, which can include SecureXL suddenly switching itself off. NAT Templates are still off by default in R80.10 gateway. Not a fan of NAT Templates.
    Last edited by ShadowPeak.com; 2017-10-19 at 10:44.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
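
Added example, not part of the original posts: a small shell check that applies the reply's 50% rule of thumb to `fwaccel stats -s` output, requiring both ratios to pass. The sample output and its line layout are constructed and assumed, and the function names are hypothetical.

```shell
#!/bin/sh
# Assumed line layout (constructed): "Accelerated conns/Total conns : 120/1000 (12%)"
# On a gateway the intended use is: fwaccel stats -s | nat_template_verdict

# accel_pct LABEL: read stats on stdin, print the integer percentage for LABEL.
# Recomputes from the raw counters; exits 2 when the line is missing.
accel_pct() {
    awk -v label="$1" -F: '
        index($1, label) == 1 {
            sub(/^[ \t]+/, "", $2)            # "120/1000 (12%)"
            split($2, f, "[ /]+")             # f[1]=accelerated, f[2]=total
            pct = (f[2] + 0 > 0) ? int(f[1] * 100 / f[2]) : 0
            print pct
            found = 1
            exit
        }
        END { exit(found ? 0 : 2) }'
}

# nat_template_verdict: prints "consider" only when BOTH ratios are >= 50,
# "little-gain" otherwise, and "unknown" when the output cannot be parsed.
nat_template_verdict() {
    stats=$(cat)
    conns=$(printf '%s\n' "$stats" | accel_pct "Accelerated conns") \
        || { echo "unknown"; return 2; }
    pkts=$(printf '%s\n' "$stats" | accel_pct "Accelerated pkts") \
        || { echo "unknown"; return 2; }
    if [ "$conns" -ge 50 ] && [ "$pkts" -ge 50 ]; then
        echo "consider"
    else
        echo "little-gain"
    fi
}

# Constructed samples: high packet acceleration alone does not meet the rule.
SAMPLE_LOW='Accelerated conns/Total conns : 120/1000 (12%)
Accelerated pkts/Total pkts   : 90000/100000 (90%)'
SAMPLE_HIGH='Accelerated conns/Total conns : 700/1000 (70%)
Accelerated pkts/Total pkts   : 80000/100000 (80%)'

printf '%s\n' "$SAMPLE_LOW"  | nat_template_verdict
printf '%s\n' "$SAMPLE_HIGH" | nat_template_verdict
```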
