Working with NAT Flow. How to find a subscriber after NAT [Документация VAS Experts]

Working with NAT Flow. How to find a subscriber after NAT

The following components are required for this functionality to work: QoE Stor Module и SSG DPI control interface.
Description for configuring NAT in QoE: NAT Flow Configuration

Example of working with abuse letters

This tutorial is how to find the specific subscriber who is reported abuse.
The abuse email usually contains a global address from a NAT pool. We need to understand which of the subscribers went to the resource where the virus activity was detected at a known time behind this NAT-pool.
We need to perform two steps — find the necessary information in the abuse email and use it to identify the subscriber in the GUI of the Stingray.

Step 1. Research the email

  1. The address from your NAT pool (source IP).
  2. Address of the attacked resource (destination IP)
  3. Activity time on the attacked resource (considering the time zones!)
  • Example 1.
  • Example 2.

More can be found useful in the email:

  1. Reason of abuse
  2. History of abuse (if the activity was repeated)

This can help you understand the scope of the problem and identify similar problems on your network.

Step 2. Looking for subscriber activity in the GUI

The task is to determine from the logs which subscriber behind the NAT-pool (source IP) specified in the letter was accessing the destination IP at that time.

Before you start the search it is worth checking two facts:

  1. The NAT pool in question is set to CG-NAT in Stingray.
  2. The NAT log storage time captures the time of activity. View and configure

Then in the GUI you need to open the section NAT flow, select a period, enter the source and destination IP.

Perform the necessary actions with the found subscriber to prevent further abuse.