NAT and the Correction Layer on a VSX Gateway

In a VSX Gateway, the guidelines in "NAT and the Correction Layer on a Security Gateway" apply to each Virtual System individually.

For best results, all packets of a session that a given Virtual System handles should be processed on the same Security Group Member.

When a Virtual Switch (junction) connects several Virtual Systems, the same session can be handled by one Virtual System on one Security Group Member, and by another Virtual System on a different Security Group Member.

When a packet reaches a Virtual System from a junction, the system's VSX Stateless Correction Layer checks the distribution again, according to the Distribution Mode configured on the WRP interface. It can decide to forward the packet to a different Security Group Member.

In addition, on each Virtual System, the stateful Correction Layer can forward session packets, as it does on a Security Gateway.

All forwarding operations have a performance impact. Therefore, the Distribution Mode configuration should minimize forwarding operations.

To achieve optimal distribution between Security Group Members in a Security Group in VSX mode:

NAT Rules: Not using NAT rules on any Virtual System

Guidelines:

  • Set the Distribution Mode to General.

NAT Rules: Using NAT rules on at least one Virtual System

Guidelines:

  • On the Virtual Systems that use NAT rules:

    • Set the Distribution Mode to User for the networks hidden behind NAT.

    • Set the Distribution Mode to Network for the destination networks.

  • On the remaining Virtual Systems that do not use NAT rules:

    • Set the Distribution Mode to User for the internal networks.

    • Set the Distribution Mode to Network for the external networks.
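A toy model of why the guidelines pair User with Network once NAT is in use, added here as an illustration and not taken from Check Point code or documentation. It assumes that User keys on the packet's destination address, Network on its source address and General on both, and it uses a stand-in modulo hash; the member count and all addresses are constructed.

```python
from ipaddress import ip_address

MEMBERS = 4  # constructed Security Group size

# ASSUMPTION (not stated on this page): the header fields each mode keys on.
MODE_KEYS = {
    "General": ("src", "dst"),
    "User": ("dst",),
    "Network": ("src",),
}

def member_for(packet, mode):
    """Stand-in for the real distribution hash: keyed addresses summed, modulo members."""
    return sum(int(ip_address(packet[k])) for k in MODE_KEYS[mode]) % MEMBERS

def needs_forwarding(client, server, nat_ip, hidden_mode, dest_mode):
    """True if the two directions of one session land on different members.

    Packets are modelled as they arrive at the Virtual System: the request
    before source NAT is applied, the reply before NAT is reversed.
    """
    request = {"src": client, "dst": server}   # arrives from the hidden network
    reply = {"src": server, "dst": nat_ip}     # arrives from the destination network
    return member_for(request, hidden_mode) != member_for(reply, dest_mode)

def count_forwarded(sessions, hidden_mode, dest_mode):
    """Number of sessions for which a Correction Layer would have to forward."""
    return sum(needs_forwarding(*s, hidden_mode, dest_mode) for s in sessions)

# Constructed sessions: (client, server, address the client is hidden behind).
NAT_SESSIONS = [
    ("10.1.1.5", "198.51.100.20", "203.0.113.10"),
    ("10.1.1.6", "198.51.100.21", "203.0.113.10"),
    ("10.1.2.7", "198.51.100.22", "203.0.113.10"),
]
# The same sessions with no NAT: replies are addressed to the client itself.
PLAIN_SESSIONS = [(c, s, c) for c, s, _ in NAT_SESSIONS]

if __name__ == "__main__":
    for label, sessions in (("no NAT", PLAIN_SESSIONS), ("hide NAT", NAT_SESSIONS)):
        for modes in (("General", "General"), ("User", "Network")):
            print(label, modes, "forwarded:", count_forwarded(sessions, *modes))
```

In this model the User/Network pairing never forwards because both interfaces key on the server address, the one address that NAT does not rewrite.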