Fortinet Document Library

Cookbook 6.2.0
Dynamic SNAT

Dynamic SNAT maps private IP addresses to the first available public address from a pool of addresses. On the FortiGate firewall, this is done with IP pools. An IP pool is a mechanism that allows sessions leaving the FortiGate firewall to use NAT: it defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session. These assigned addresses are used instead of the IP address assigned to the FortiGate's outgoing interface.

IP pool types

FortiGate uses four types of IPv4 IP pools. This recipe focuses on some of the differences between them.

Overload

This type of IP pool is similar to static SNAT. You only need to define an external IP range, which can contain one or more IP addresses. When it contains a single IP address, it behaves almost the same as static SNAT using the outgoing interface address. When it contains multiple IP addresses, it is equivalent to an extended form of static SNAT.

For instance, if we define an overload type IP pool with two external IP addresses (172.16.200.1-172.16.200.2), since there are 60,416 available port numbers per IP, this IP pool can handle 60,416*2 internal IP addresses. See the sample configuration below.

One-to-one

With this type of IP pool, the internal IP address and the external (translated) IP address match one-to-one. Port address translation (PAT) is disabled when using this type of IP pool. For example, if we define a one-to-one type IP pool with two external IP addresses (172.16.200.1-172.16.200.2), this IP pool can handle only two internal IP addresses.

Fixed port range

For the overload and one-to-one IP pool types, we do not need to define the internal IP range. For the fixed port range type of IP pool, we define both the internal IP range and the external IP range. Since the number of external IP addresses and the number of available ports per address are both fixed, once the number of internal IP addresses is also known, the port range for each address translation combination can be calculated. That is why this type is called fixed port range. This type of IP pool is a form of port address translation (PAT).

For instance, if we define one external IP address (172.16.200.1) and ten internal IP addresses (10.1.100.1-10.1.100.10), the resulting IP and port translation combinations are shown in the following table:

Port block allocation

This type of IP pool is also a form of port address translation (PAT). It gives users a more flexible way to control how external IPs and ports are allocated. Users need to define the Block Size, the Blocks Per User, and the external IP range. Block Size is the number of ports each block contains. Blocks Per User is the number of blocks each user (internal IP) can use.

Following is a simple example:

External IP Range: 172.16.200.1-172.16.200.1

Block Size: 128

Blocks Per User: 8

Result:

Total PBAs (port blocks): 472 (60416/128)

Maximum ports that can be used per user (internal IP address): 1024 (128*8)

Number of internal IPs that can be handled: 59 (60416/1024 or 472/8)
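The following Python script is an added worked example (not FortiOS code or anything from the Fortinet recipe) that reproduces the capacity arithmetic for all four pool types, including the fixed port range example with one external and ten internal addresses and the port block allocation example above. It is useful when sizing a pool so that NAT port exhaustion does not silently drop new sessions. The 60,416 ports per external IP comes from the recipe; BASE_PORT (the first usable port) and the even split of the port budget between internal addresses are assumptions of this example used only to lay out illustrative ranges, not FortiGate's actual allocation algorithm.

```python
"""Capacity arithmetic for the four FortiGate IPv4 IP pool types.

Added example: models the counts given in the recipe. PORTS_PER_IP is the
per-address port budget the recipe quotes. BASE_PORT and the even split of
ports across internal addresses are assumptions of this example.
"""
from ipaddress import IPv4Address

PORTS_PER_IP = 60416   # available ports per external IP (from the recipe)
BASE_PORT = 5120       # assumed first usable port; illustrative only


def ip_count(start: str, end: str) -> int:
    """Number of addresses in an inclusive range such as 172.16.200.1-172.16.200.2."""
    first, last = IPv4Address(start), IPv4Address(end)
    if last < first:
        raise ValueError("end address precedes start address")
    return int(last) - int(first) + 1


def overload_capacity(ext_start: str, ext_end: str) -> int:
    """Overload: every external IP contributes PORTS_PER_IP translations."""
    return PORTS_PER_IP * ip_count(ext_start, ext_end)


def one_to_one_capacity(ext_start: str, ext_end: str) -> int:
    """One-to-one: PAT is disabled, so one internal IP per external IP."""
    return ip_count(ext_start, ext_end)


def fixed_port_ranges(ext_start: str, ext_end: str,
                      int_start: str, int_end: str) -> dict:
    """Fixed port range: each internal IP gets a fixed, non-overlapping port
    range on one external IP. Returns {internal_ip: (external_ip, first, last)}.
    Assumes internal IPs are spread over external IPs in contiguous groups and
    each external IP's port budget is split evenly within its group (assumption)."""
    n_ext = ip_count(ext_start, ext_end)
    n_int = ip_count(int_start, int_end)
    per_ext = -(-n_int // n_ext)              # internal IPs per external IP (ceil)
    ports_per_int = PORTS_PER_IP // per_ext   # floor: leftover ports stay unused
    if ports_per_int == 0:
        raise ValueError("more internal addresses than available ports")
    first_int, first_ext = int(IPv4Address(int_start)), int(IPv4Address(ext_start))
    ranges = {}
    for i in range(n_int):
        ext_idx, slot = divmod(i, per_ext)
        first_port = BASE_PORT + slot * ports_per_int
        ranges[str(IPv4Address(first_int + i))] = (
            str(IPv4Address(first_ext + ext_idx)),
            first_port,
            first_port + ports_per_int - 1,
        )
    return ranges


def port_block_allocation(ext_start: str, ext_end: str,
                          block_size: int, blocks_per_user: int) -> dict:
    """PBA: ports are handed out in blocks of block_size; each user (internal IP)
    may hold blocks_per_user blocks. Blocks never straddle two external IPs."""
    if block_size <= 0 or blocks_per_user <= 0:
        raise ValueError("block size and blocks per user must be positive")
    blocks_per_ext = PORTS_PER_IP // block_size
    total_blocks = blocks_per_ext * ip_count(ext_start, ext_end)
    return {
        "total_blocks": total_blocks,                  # Total-PBAs
        "ports_per_user": block_size * blocks_per_user,
        "max_users": total_blocks // blocks_per_user,  # internal IPs that fit
    }


if __name__ == "__main__":
    print("overload  :", overload_capacity("172.16.200.1", "172.16.200.2"))
    print("one-to-one:", one_to_one_capacity("172.16.200.1", "172.16.200.2"))
    for internal, (ext, lo, hi) in fixed_port_ranges(
            "172.16.200.1", "172.16.200.1", "10.1.100.1", "10.1.100.10").items():
        print(f"fixed     : {internal} -> {ext}:{lo}-{hi}")
    print("PBA       :", port_block_allocation("172.16.200.1", "172.16.200.1", 128, 8))
```

Running the script reproduces the recipe's PBA figures (472 blocks, 1024 ports per user, 59 internal IPs) and prints one fixed port range per internal address, each disjoint from the others, which is what makes a translated source port attributable to a single internal host when reading firewall or upstream logs.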

Sample configuration

To configure an Overload IP pool using the GUI:
  1. In Policy & Objects > IP Pools, click Create New.
  2. Select IPv4 Pool and then select Overload.

To configure an Overload IP pool using the CLI:
config firewall ippool
    edit "Overload-ippool"
        set startip 172.16.200.1
        set endip 172.16.200.1
    next
end

To configure a One-to-One IP pool using the GUI:
  1. In Policy & Objects > IP Pools, click Create New.
  2. Select IPv4 Pool and then select One-to-One.

To configure a One-to-One IP pool using the CLI:
config firewall ippool
    edit "One-to-One-ippool"
        set type one-to-one
        set startip 172.16.200.1
        set endip 172.16.200.2
    next
end

To configure a Fixed Port Range IP pool using the GUI:
  1. In Policy & Objects > IP Pools, click Create New.
  2. Select IPv4 Pool and then select Fixed Port Range.

To configure a Fixed Port Range IP pool using the CLI:
config firewall ippool
    edit "FPR-ippool"
        set type fixed-port-range
        set startip 172.16.200.1
        set endip 172.16.200.1
        set source-startip 10.1.100.1
        set source-endip 10.1.100.10
    next
end

To configure a Port Block Allocation IP pool using the GUI:
  1. In Policy & Objects > IP Pools, click Create New.
  2. Select IPv4 Pool and then select Port Block Allocation.

To configure a Port Block Allocation IP pool using the CLI:
config firewall ippool
    edit "PBA-ippool"
        set type port-block-allocation
        set startip 172.16.200.1
        set endip 172.16.200.1
        set block-size 128
        set num-blocks-per-user 8
    next
end
