NAT and the Correction Layer in the VSNext / Traditional VSX Mode

In the VSNext / Traditional VSX Mode, the guidelines in NAT and the Correction Layer on a Security Gateway apply to each Virtual Gateway / Virtual System individually.

For best results, have an entire session handled by a given Virtual Gateway / Virtual System on the same Security Group Member.

When a Virtual Switch (junction) connects several Virtual Gateways / Virtual Systems, the same session can be handled by one Virtual Gateway / Virtual System on one Security Group Member, and by another Virtual Gateway / Virtual System on a different Security Group Member.

When a packet reaches a Virtual Gateway / Virtual System from a junction, the Stateless Correction Layer checks the distribution again according to the Distribution Mode configured on the WRP interface. It can decide to forward the packet to a different Security Group Member.

In addition, on each Virtual Gateway / Virtual System, the stateful Correction Layer can forward session packets, in the same way as on a Security Gateway.

All forwarding operations have a performance impact. Therefore, configure the Distribution Mode so that forwarding operations are minimized.
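The following is an added example, not part of the Check Point documentation, that models the distribution re-check described above in order to count forwarding operations. The hashing model is an assumption: a member is chosen by hashing the packet fields that the interface's Distribution Mode selects (General = source and destination, User = source only, Network = destination only). The real Orchestrator hash, the member count and the sample packets are all constructed for illustration.

```python
"""Simplified model (assumption, not Check Point's algorithm) of how the
Distribution Mode on an ingress interface and on a WRP interface behind a
Virtual Switch junction decide which Security Group Member handles a packet,
and how often the Stateless Correction Layer must forward to another member."""
import hashlib
from dataclasses import dataclass

MEMBERS = 4  # number of Security Group Members in the Security Group (constructed)


def member_for(mode: str, src: str, dst: str, members: int = MEMBERS) -> int:
    """Return the member index selected for a packet under the given mode.
    General is treated as direction-independent (sorted address pair) so that
    both directions of a non-NAT flow select the same member."""
    if mode == "General":
        key = "|".join(sorted((src, dst)))
    elif mode == "User":
        key = src
    elif mode == "Network":
        key = dst
    else:
        raise ValueError(f"unknown Distribution Mode: {mode}")
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % members


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def count_forwardings(packets, ingress_mode: str, wrp_mode: str) -> int:
    """Each packet enters Virtual System A through a physical interface with
    ingress_mode, crosses the Virtual Switch, and reaches Virtual System B,
    whose WRP interface re-checks distribution with wrp_mode. Count the packets
    for which the second decision differs from the first, i.e. the packets the
    Stateless Correction Layer has to forward to a different member."""
    forwarded = 0
    for p in packets:
        first = member_for(ingress_mode, p.src, p.dst)
        second = member_for(wrp_mode, p.src, p.dst)
        if first != second:
            forwarded += 1
    return forwarded


def both_directions_same_member(p: Packet, internal_mode: str, external_mode: str) -> bool:
    """True if the client-to-server packet (internal interface, internal_mode)
    and the server-to-client reply (external interface, external_mode) select
    the same member, so the stateful Correction Layer need not forward."""
    outbound = member_for(internal_mode, p.src, p.dst)
    inbound = member_for(external_mode, p.dst, p.src)  # reply has the addresses swapped
    return outbound == inbound


# Constructed sample: 256 flows from 16 internal /28 hosts to 50 external servers.
SAMPLE_PACKETS = [
    Packet(f"10.1.{i // 16}.{i % 16 + 1}", f"192.0.2.{(i * 7) % 50 + 1}")
    for i in range(256)
]

if __name__ == "__main__":
    for ingress, wrp in (("User", "User"), ("Network", "Network"), ("User", "Network")):
        print(f"ingress={ingress:8} wrp={wrp:8} forwarded="
              f"{count_forwardings(SAMPLE_PACKETS, ingress, wrp)}/{len(SAMPLE_PACKETS)}")
    flow = Packet("10.1.0.5", "192.0.2.9")
    print("User/Network keeps both directions on one member:",
          both_directions_same_member(flow, "User", "Network"))
```

Running it shows zero forwardings when the WRP interface repeats the ingress interface's choice of hashed fields, and a large share of forwarded packets when the two modes hash different fields; it also shows why User on the internal side paired with Network on the external side keeps both directions of a flow on one member (both hash the client address).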

To achieve optimal distribution between Security Group Members in a Security Group in the VSNext / Traditional VSX Mode:

NAT Rules: Not using NAT rules on any Virtual Gateway / Virtual System
Guidelines: Set the Distribution Mode to General.

NAT Rules: Using NAT rules on at least one Virtual Gateway / Virtual System
Guidelines:

  • On the Virtual Gateways / Virtual Systems that use NAT rules:

    • Set the Distribution Mode to User for the networks hidden behind NAT.

    • Set the Distribution Mode to Network for the destination networks.

  • On the remaining Virtual Gateways / Virtual Systems that do not use NAT rules:

    • Set the Distribution Mode to User for the internal networks.

    • Set the Distribution Mode to Network for the external networks.

For information about the Distribution Mode, see Working with the Distribution Mode.