NAT and the Correction Layer on a Security Gateway
For optimal system performance, one Security Group Member handles all traffic for a session.

Security Group: A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.

With NAT, packets sent from the client to the server can be distributed to a different Security Group Member than packets from the same session sent from the server to the client.
The system Correction Layer must then forward the packet to the correct Security Group Member.
Configuring the Distribution Mode correctly keeps correction situations to a minimum and optimizes system performance.
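
The effect described above can be reproduced with a toy model. This is an added example, not Check Point code: the direction-independent address hash, the member count, the IP addresses and all function names are assumptions chosen for illustration and do not represent the product's distribution algorithm.

```python
import hashlib
import ipaddress
from typing import Optional

MEMBERS = 4  # assumed number of Security Group Members


def member_for(src: str, dst: str, members: int = MEMBERS) -> int:
    """Toy distribution: hash the two addresses in sorted order, so both
    directions of an untranslated session map to the same member."""
    lo, hi = sorted((ipaddress.ip_address(src), ipaddress.ip_address(dst)))
    digest = hashlib.sha256(lo.packed + hi.packed).digest()
    return int.from_bytes(digest[:4], "big") % members


def needs_correction(client: str, server: str, nat_ip: Optional[str] = None) -> bool:
    """True when the server-to-client packet is distributed to a different
    member than the client-to-server packet of the same session."""
    request_member = member_for(client, server)
    # The server answers the address it saw: the NAT address when the
    # client's source address was translated, otherwise the client itself.
    reply_dst = nat_ip if nat_ip else client
    reply_member = member_for(server, reply_dst)
    return request_member != reply_member


def count_corrections(sessions, nat_ip: Optional[str] = None) -> int:
    """Number of sessions whose reply would have to be forwarded."""
    return sum(needs_correction(c, s, nat_ip) for c, s in sessions)


# Constructed sample data: 200 clients talking to one server.
SESSIONS = [(f"10.1.0.{i}", "203.0.113.10") for i in range(1, 201)]
NAT_IP = "198.51.100.1"  # constructed translated source address

if __name__ == "__main__":
    total = len(SESSIONS)
    print("without NAT:", count_corrections(SESSIONS), "of", total, "corrected")
    print("with NAT:   ", count_corrections(SESSIONS, NAT_IP), "of", total, "corrected")
```

In this model every untranslated session stays on one member, while translated sessions need forwarding whenever the member chosen for the client-side addresses differs from the one chosen for the translated address.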
To achieve optimal distribution between Security Group Members in a Security Group in Gateway mode:

| NAT Rules | Guidelines |
|---|---|
| Not using NAT rules | Set the Distribution Mode to General. |