
Hide NAT Behind Range – Sticky per SGM (asg_hide_behind_range)

This feature uses the capability of hide NAT behind range to increase the number of hide NAT ports available per SGM.

When defining NAT rules with a range of translated sources, each SGM can receive a separate hide NAT address, and therefore can use a full range of hide NAT ports (instead of the range being divided between the SGMs).

Note: To safely use this feature, the security policy must be configured such that every NAT rule uses a range object (of at least 24 addresses) as its translated source (see the Notes below).

Syntax

asg_hide_behind_range [-v|-s|on|off]

Parameter   Description
-v          Verify that the current policy does not contain hide NAT rules with a translated source smaller than 24 addresses.
-s          Show the current status
on          Enable the feature
off         Disable the feature

Example

> asg_hide_behind_range on
Configuration succeeded.
Note: In order to apply the changes all SGMs must be rebooted.
Important:
This feature will only affect NAT rules which have a range of at least 24 addresses defined as the translated source.
Note: Manual NAT rules require local.arp configuration.

Notes

  • Changes are applied after a reboot.
  • Hide NAT behind range rules are manual NAT rules (see Proxy ARP for Manual NAT).
  • It is not guaranteed that a given source address will always be translated to the same NAT address. This is only a certainty if all connections from the source address are handled by the same SGM.
  • Hide NAT rules with a translated source that is either a range smaller than 24 addresses, or a single hide address, are not compatible with this feature. The above applies to implied rules as well.
  • If the security policy contains such rules, it is not guaranteed that each SGM will hide traffic that matches them behind an address different than all other SGMs. This may result in port conflicts; e.g. different connections might appear as one and the same after NAT, both in terms of IP address and source port.
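The following is an added example, not Check Point's own code, showing the kind of pre-flight check the -v parameter and the notes above describe: it scans a set of hide NAT rules and reports every rule whose translated source is a single hide address or a range smaller than 24 addresses, i.e. rules that are not compatible with the feature. It assumes the NAT rules have been exported to a simple list of (rule name, translated source) pairs, where the translated source is written as a single address, a "first-last" range, or a CIDR block; the rule names and addresses below are constructed sample data, not a real policy.

```python
"""Pre-flight check mirroring the intent of `asg_hide_behind_range -v`.

Added example, not Check Point's code. It assumes NAT rules have been
exported to a list of (rule_name, translated_source) pairs, where
translated_source is a single address, a "first-last" range, or a CIDR
block. The 24-address minimum is the requirement stated in the documentation.
"""
import ipaddress

MIN_RANGE_SIZE = 24  # smallest translated-source range the feature supports


def translated_source_size(spec: str) -> int:
    """Return the number of addresses covered by a translated-source spec."""
    spec = spec.strip()
    if "-" in spec:
        # "first-last" range object, inclusive on both ends
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if int(last) < int(first):
            raise ValueError(f"range end precedes start: {spec}")
        return int(last) - int(first) + 1
    if "/" in spec:
        # CIDR block; strict=False tolerates host bits set in the spec
        return ipaddress.ip_network(spec, strict=False).num_addresses
    ipaddress.ip_address(spec)  # validates a single hide address
    return 1


def find_incompatible_rules(rules):
    """Return (rule_name, spec, size) for every hide NAT rule whose translated
    source is smaller than MIN_RANGE_SIZE. Such rules cannot be hidden behind a
    separate address per SGM and may lead to the port conflicts described in
    the notes."""
    problems = []
    for name, spec in rules:
        size = translated_source_size(spec)
        if size < MIN_RANGE_SIZE:
            problems.append((name, spec, size))
    return problems


# Constructed sample rules (hypothetical names, documentation-range addresses).
SAMPLE_RULES = [
    ("hide_lan_ok", "198.51.100.0-198.51.100.31"),   # 32 addresses: compatible
    ("hide_dmz_cidr", "203.0.113.0/27"),              # 32 addresses: compatible
    ("hide_single", "192.0.2.1"),                     # single hide address: incompatible
    ("hide_small_range", "192.0.2.10-192.0.2.20"),    # 11 addresses: incompatible
]

if __name__ == "__main__":
    for name, spec, size in find_incompatible_rules(SAMPLE_RULES):
        print(f"{name}: translated source {spec} covers {size} address(es), "
              f"fewer than {MIN_RANGE_SIZE}; not compatible with asg_hide_behind_range")
```

Run the script against an export of the policy's NAT rules before enabling the feature; any rule it reports should be changed to use a range object of at least 24 addresses, or the feature should be left disabled, since the command itself only checks the policy and does not rewrite it.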
 
©2014 Check Point Software Technologies Ltd. All rights reserved.