Supported Platforms
- J, LN, SRX Series
Related Documentation
- traceoptions (Security NAT)
- traceoptions (Security Flow)
- Static NAT Configuration Overview
- Destination NAT Configuration Overview
- Source NAT Configuration Overview
- Additional Information
- Network Address Translation Feature Guide for Security Devices
Verifying NAT Configuration
Purpose
The security nat traceoptions hierarchy configures the trace file and the trace flags used to verify NAT behavior on the device.
J Series and SRX Series devices have two main components: the Routing Engine (RE) and the Packet Forwarding Engine (PFE). The PFE is divided into the ukernel portion and the real-time portion.
When a NAT configuration is committed, the configuration is first checked and validated on the RE. After validation, the configuration is pushed to the PFE. The configuration is installed on the ukernel PFE, then action is taken on each packet that matches NAT rules on the real-time PFE.
For verification, you can turn on flags individually to debug NAT functionality on the RE, ukernel PFE, or real-time PFE:
- The nat-re flag records the trace of the NAT configuration validation on the RE and the configuration push to the PFE.
- The nat-pfe flag records the trace of the NAT configuration installation on the ukernel PFE.
- The nat-rt flag records the trace of the NAT rule match, and subsequent action on the real-time PFE.
The trace data is written to /var/log/security-trace by default, and can be viewed using the command show log security-trace.
Note: If session logging has been enabled in the policy configuration on the device, the session logs include specific NAT details for each session. See Monitoring Policy Statistics for information on how to enable session logging and Information Provided in Session Log Entries for SRX Series Services Gateways for a description of the information provided in session logs.
Action
To verify that NAT configurations are correctly updated on the device upon commit, and that the NAT rule match and subsequent actions are correct, use the security nat traceoptions statement.
To verify that NAT translations are being applied to traffic, and to view the processing of individual flows with their NAT translations, configure both the security nat traceoptions statement and the security flow traceoptions statement. The two are used together because the NAT trace, configured under security nat traceoptions, is not recorded unless security flow traceoptions is also configured.
To restrict the trace to a specific flow, define a packet filter under security flow traceoptions (matching on source and destination prefixes, protocol, or ports) and reference it from the flow trace; without a filter the data-plane trace records every packet the device forwards.
To verify NAT traffic and enable tracing of all traffic in the data plane, use the set security flow traceoptions flag basic-datapath command, combined with a simple packet filter as described above.
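The following is an added example that is not part of the original page: a complete Junos configuration that enables the three NAT trace flags described above together with the flow trace and a packet filter limiting the data-plane trace to a single flow. The addresses, ports, and the filter name pf-nat-test are placeholders chosen for illustration; the default trace file name is left unchanged so that the output is read with show log security-trace as the page describes.

```junos
# Added example, not from the original page. Addresses, port, and the
# filter name are illustrative placeholders.

# NAT trace: RE validation and push (nat-re), ukernel PFE install (nat-pfe),
# real-time PFE rule match and action (nat-rt). Cap the default trace file
# (/var/log/security-trace) at 5 MB with 3 rotated copies.
set security nat traceoptions file size 5m
set security nat traceoptions file files 3
set security nat traceoptions flag nat-re
set security nat traceoptions flag nat-pfe
set security nat traceoptions flag nat-rt

# Flow trace: required, or the NAT trace above is not recorded.
# basic-datapath logs every packet the device forwards unless filtered.
set security flow traceoptions file size 5m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath

# Packet filter: trace only one HTTPS flow from an inside host to an
# outside server (both addresses are placeholders).
set security flow traceoptions packet-filter pf-nat-test source-prefix 192.168.10.25/32
set security flow traceoptions packet-filter pf-nat-test destination-prefix 203.0.113.80/32
set security flow traceoptions packet-filter pf-nat-test protocol tcp
set security flow traceoptions packet-filter pf-nat-test destination-port 443
commit

# From operational mode, start from an empty trace, generate the test
# traffic, then read the result.
run clear log security-trace
run show log security-trace
```

After the verification is complete, remove both traceoptions hierarchies (delete security nat traceoptions, delete security flow traceoptions, then commit): tracing costs CPU on the PFE and fills /var/log, and a trace left enabled in production records addresses and ports of live sessions that the device would not otherwise log.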
Modified: 2016-06-30