After configuring persistent NAT on an SRX, certain syslog messages are generated that start with RT_PST_NAT_BINDING. This article explains the conditions under which RT_PST_NAT_BINDING logs are generated and what each of them means.
After configuring Persistent NAT, the SRX may generate the following syslog messages based on the syslog configuration:
RT_PST_NAT_BINDING_CREATE
RT_PST_NAT_BINDING_DELETE
RT_PST_NAT_BINDING_UPDATE
RT_PST_NAT_BINDING_MATCH
Message explanations:
RT_PST_NAT_BINDING_CREATE
Once a host generates traffic through the SRX that matches the source NAT rule with persistent-nat, the SRX creates a binding and adds an entry to its persistent NAT table. This entry can be seen using the command:
show security nat source persistent-nat-table all
The RT_PST_NAT_BINDING_CREATE message signifies this event.
RT_PST_NAT_BINDING_DELETE
This message is seen when the SRX deletes the persistent NAT entry from the table.
RT_PST_NAT_BINDING_UPDATE
This message is seen only on SRX high-end devices. On SRX high-end devices with a distributed hardware architecture, there is a Central Point SPU (SPU-CP) that is responsible for load-balancing sessions among multiple Flow SPUs. The SPU-CP is also responsible for allocating source NAT resources to sessions that require them, as and when requested by the Flow SPUs. When the Flow SPU creates the session, it generates an RT_PST_NAT_BINDING_UPDATE message that shows the binding status as Pending. Once confirmation is received from the CP to use that port, the Flow SPU generates another RT_PST_NAT_BINDING_UPDATE message that shows the confirmed binding.
RT_PST_NAT_BINDING_MATCH
Once a persistent NAT entry is created, the SRX allows bi-directional communication through that binding for a short period of time. Server-to-client communication on that IP/port is permitted for that time interval.
When a new session matches the existing persistent NAT entry, the SRX will permit the traffic, create a new session and generate the RT_PST_NAT_BINDING_MATCH log.
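The lifecycle described above (CREATE, UPDATE with Pending then confirmed status on high-end devices, MATCH for each reusing session, DELETE) can be replayed from syslog to spot gaps or unexpected ordering. The following is an added example written for this article, not Juniper code: the line format, the key=value fields, the "Active" status string and the sample lines are all constructed assumptions, since the real message body is not reproduced here.

```python
import re

# Assumed line shape (constructed for this example, not the real Junos format):
#   <ts> <host> RT_PST_NAT_BINDING_<EVENT>: src=<ip:port> xlate=<ip:port> [status=<Pending|Active>]
LINE_RE = re.compile(
    r"RT_PST_NAT_BINDING_(?P<event>CREATE|DELETE|UPDATE|MATCH): "
    r"src=(?P<src>\S+) xlate=(?P<xlate>\S+)(?: status=(?P<status>\S+))?"
)

def track_bindings(lines):
    """Replay binding events; return (per-binding state, anomalies).

    State per binding keyed by the internal src host:port:
      state   : 'created' | 'pending' | 'confirmed' | 'deleted'
      xlate   : translated address:port recorded at CREATE
      matches : number of MATCH events (new sessions reusing the binding)
    Anomalies are orderings the documented lifecycle does not explain.
    """
    bindings, anomalies = {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ev, src, xlate, status = m.group("event", "src", "xlate", "status")
        b = bindings.get(src)
        if ev == "CREATE":
            if b and b["state"] != "deleted":
                anomalies.append(f"CREATE for live binding {src}")
            bindings[src] = {"state": "created", "xlate": xlate, "matches": 0}
        elif b is None or b["state"] == "deleted":
            # UPDATE/MATCH/DELETE with no live binding: lost log lines or unexpected order
            anomalies.append(f"{ev} without CREATE for {src}")
        elif ev == "UPDATE":
            # High-end SRX only: Flow SPU reports Pending until the CP confirms the port
            b["state"] = "pending" if status == "Pending" else "confirmed"
        elif ev == "MATCH":
            b["matches"] += 1
            if b["xlate"] != xlate:
                anomalies.append(f"MATCH on {src} with different xlate {xlate}")
        elif ev == "DELETE":
            b["state"] = "deleted"
    return bindings, anomalies

# Constructed sample lines (not captured from a device); second MATCH has no CREATE
SAMPLE = [
    "Jan 1 10:00:00 srx RT_PST_NAT_BINDING_CREATE: src=10.1.1.5:40000 xlate=203.0.113.9:5123",
    "Jan 1 10:00:00 srx RT_PST_NAT_BINDING_UPDATE: src=10.1.1.5:40000 xlate=203.0.113.9:5123 status=Pending",
    "Jan 1 10:00:01 srx RT_PST_NAT_BINDING_UPDATE: src=10.1.1.5:40000 xlate=203.0.113.9:5123 status=Active",
    "Jan 1 10:00:05 srx RT_PST_NAT_BINDING_MATCH: src=10.1.1.5:40000 xlate=203.0.113.9:5123",
    "Jan 1 10:00:07 srx RT_PST_NAT_BINDING_MATCH: src=10.1.1.7:40001 xlate=203.0.113.9:5124",
    "Jan 1 10:05:00 srx RT_PST_NAT_BINDING_DELETE: src=10.1.1.5:40000 xlate=203.0.113.9:5123",
]
```

Running track_bindings(SAMPLE) reports the first binding as deleted with one match, and flags the MATCH for 10.1.1.7:40001 because no CREATE preceded it.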