Network Address Translation (NAT)
-
Monitor subscriber port utilization (cSRX, MX240, MX480, MX960, SRX1500, SRX1600, SRX2300, SRX4200, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX3.0)―Use Carrier Grade Network Address Translation (CGNAT) to monitor and manage port utilization. Configure threshold limits to receive notifications when port or port block usage exceeds these thresholds.
If a pool is configured as Port Block Allocation (PBA) and a subscriber uses more port blocks than the threshold, a notification is generated.
For Deterministic NAT (DETNAT) pools, if a subscriber uses more ports than the threshold in the allocated block, a notification is generated.
[See pool-utilization-alarm (Security Source NAT Pool) and pool (Security Source NAT).]
-
PMI support for DS-Lite tunnel (cSRX, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX3.0)―Enhance DS-Lite tunnel performance by reducing instruction cache misses and optimizing the packet processing path. Use Packet Management Interface (PMI) for DS-Lite tunnel processing, which includes: encapsulating IPv4 packets within an IPv6 header using Vector Packet Processing (VPP), decapsulating by stripping the IPv6 header to process the inner IPv4 packet, and handling post-fragmentation of DS-Lite encapsulated traffic if it exceeds the tunnel's Maximum Transmission Unit (MTU).
[See IPv6 Dual-Stack Lite]
-
Support for DS-Lite fragmentation (SRX Series Firewall)―Configure the pre-fragmentation and post-fragmentation MTU options on Dual-Stack Lite (DS-Lite) tunnels.
-
Pre-fragmentation–Enable or disable pre-fragmentation or clear the don't-fragment (DF) bit in the IP packet.
-
Post-fragmentation–Enable or disable post-fragmentation to fragment the IPv6 packet. By default, post-fragmentation is off. When it is enabled, the IPv6 packet is fragmented; otherwise, if the packet exceeds the MTU, an ICMP error message is sent to the originator.
[See softwire-name.]
-
NAT IPv6 with DS-Lite in SOF (SRX4600, SRX5400, SRX5600, and SRX5800 firewalls with IOC3 card)―Use NAT IPv6 with Dual-Stack Lite (DS-Lite) service offload to encapsulate IPv4 packets with IPv6 headers to enable traversal through IPv6 networks. This feature offloads DS-Lite packet processing to the Network Processing Unit (NPU), optimizing performance and reducing CPU load on the Services Processing Unit (SPU). Enable service offload for a DS-Lite softwire concentrator (SC) using the
set security softwires softwire-name service-offload
command. Disable it with the
set security softwires softwire-name service-offload off
command. Once service offload is disabled, new sessions are not offloaded, but existing sessions remain unchanged.
[See IPv6 Dual-Stack Lite]
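
Added example (not Juniper code and not part of the original release notes): a byte-level Python illustration of the DS-Lite steps described in the PMI and fragmentation items above, namely IPv4-in-IPv6 encapsulation, decapsulation, and the post-fragmentation decision when the encapsulated packet exceeds the tunnel MTU. The addresses, the 1500-byte tunnel MTU and all function names are assumptions; the header layouts follow the IPv6 specification, and a None return stands in for the ICMP error case.

```python
import ipaddress
import struct

IPV6_HDR_LEN, FRAG_HDR_LEN = 40, 8   # fixed IPv6 header, Fragment extension header
NH_IPV4, NH_FRAGMENT = 4, 44         # IPv6 Next Header values: IPv4-in-IPv6, Fragment

def encapsulate(ipv4_packet, src6, dst6, hop_limit=64):
    """Prepend an IPv6 header (no traffic class or flow label) to an IPv4 packet."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(ipv4_packet), NH_IPV4,
                       hop_limit, src6, dst6) + ipv4_packet

def decapsulate(ipv6_packet):
    """Strip the IPv6 header and return the inner IPv4 packet."""
    payload_len, next_header = struct.unpack("!HB", ipv6_packet[4:7])
    inner = ipv6_packet[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]
    if ipv6_packet[0] >> 4 != 6 or next_header != NH_IPV4 or len(inner) != payload_len:
        raise ValueError("not a complete IPv4-in-IPv6 packet")
    return inner

def post_fragment(ipv6_packet, mtu, enabled, ident=1):
    """Return the packets to send on the tunnel, or None when the packet is too
    big and post-fragmentation is off (the ICMP-error case in the text)."""
    if len(ipv6_packet) <= mtu:
        return [ipv6_packet]
    if not enabled:
        return None
    head, data = ipv6_packet[:IPV6_HDR_LEN], ipv6_packet[IPV6_HDR_LEN:]
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8  # offsets count 8-byte units
    frags = []
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        more = int(off + chunk < len(data))
        # Fragment header: next header, reserved, offset (top 13 bits) | M flag, id
        frag_hdr = struct.pack("!BBHI", NH_IPV4, 0, off | more, ident)
        new_head = head[:4] + struct.pack("!HB", FRAG_HDR_LEN + len(part), NH_FRAGMENT) + head[7:]
        frags.append(new_head + frag_hdr + part)
    return frags

# Constructed sample: 1480-byte IPv4/UDP packet (DF set, checksum left at 0)
# between documentation addresses; softwire endpoints are assumed values.
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1480, 0, 0x4000, 64, 17, 0,
                    ipaddress.ip_address("192.0.2.1").packed,
                    ipaddress.ip_address("198.51.100.1").packed) + bytes(1460)
INITIATOR = ipaddress.ip_address("2001:db8::1").packed     # softwire initiator
CONCENTRATOR = ipaddress.ip_address("2001:db8::2").packed  # softwire concentrator (SC)
OUTER = encapsulate(INNER, INITIATOR, CONCENTRATOR)        # 1520 bytes, over a 1500 MTU
```

With post-fragmentation enabled and a 1500-byte MTU, post_fragment(OUTER, 1500, True) yields two IPv6 fragments of 1496 and 80 bytes; the 40-byte encapsulation overhead is what pushes a 1480-byte inner packet over the limit.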