{{indexmenu_n>6}} ======Working with NAT Flow. How to find a subscriber after NAT====== The following components are required for this functionality to work: [[en:dpi:dpi_components:qoestor|QoE Stor Module]] и [[en:dpi:dpi_components:dpiui|SSG DPI control interface]].\\ Description for configuring NAT in QoE: [[en:dpi:dpi_components:qoestor:configuration:nat_flow]] =====Example of working with abuse letters===== This tutorial is how to find the specific subscriber who is reported abuse.\\ The abuse email usually contains a global address from a NAT pool. We need to understand which of the subscribers went to the resource where the virus activity was detected at a known time behind this NAT-pool.\\ We need to perform **two steps** — find the necessary information in the abuse email and use it to identify the subscriber in the GUI of the Stingray. ====Step 1. Research the email==== - The address from your NAT pool (source IP). - Address of the attacked resource (destination IP) - Activity time on the attacked resource //(considering the time zones!)// * **Example 1.** \\ {{dpi:opt_cgnat:cgnat_faq:email-ex-1.png?nolink&600|}} * ** Example 2.** \\ {{dpi:opt_cgnat:cgnat_faq:email-ex-2.png?nolink&600|}} More can be found useful in the email: - Reason of abuse \\ {{dpi:opt_cgnat:cgnat_faq:email-abuse-type.png?nolink&600|}} - History of abuse (if the activity was repeated) \\ {{dpi:opt_cgnat:cgnat_faq:email-abuse-logs.png?nolink&600|}} This can help you understand the scope of the problem and identify similar problems on your network. ====Step 2. Looking for subscriber activity in the GUI==== The task is to determine from the logs which subscriber behind the NAT-pool (source IP) specified in the letter was accessing the destination IP at that time. Before you start the search it is worth checking two facts: - The NAT pool in question is set to CG-NAT in Stingray. \\ {{dpi:opt_cgnat:cgnat_faq:nat_pool.png?direct&600|}} - The NAT log storage time captures the time of activity. View and configure \\ {{dpi:opt_cgnat:cgnat_faq:nat_log_lifetime.png?direct&600|}} Then in the GUI you need to open the section NAT flow, select a period, enter the source and destination IP. \\ * {{dpi:opt_cgnat:cgnat_faq:nat_flow_src_dest_1.png?direct&600|}} * {{dpi:opt_cgnat:cgnat_faq:nat_flow_src_dest_2.png?direct&600|}} Perform the necessary actions with the found subscriber to prevent further abuse.