Hyperscale Firewall Guide

Port block allocation CGN IP pool

This is the default CGNAT IP pool configuration.

On the GUI go to Policy & Objects > IP Pools > Create New > IP Pool. Set Type to CGN Resource Allocation and set Mode to Port Block Allocation.

On the CLI:

config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set startip <ip>
        set endip <ip>
        set arp-reply {disable | enable}
        set arp-intf <interface-name>
        set cgn-spa disable
        set cgn-overload disable
        set cgn-fixedalloc disable
        set cgn-block-size <number-of-ports>
        set cgn-port-start <port>
        set cgn-port-end <port>
        set utilization-alarm-raise <usage-threshold>
        set utilization-alarm-clear <usage-threshold>
    next
end

Port block allocation (PBA) reduces CGNAT logging overhead by creating a log entry only when a client first establishes a network connection and is assigned a port block. The number of log entries is reduced because a log entry is created when the port block is assigned, not for each client connection.

When all of the client sessions have ended, FortiOS releases the port block and writes another log message. You can also configure logging to only write a log message when the port block is released. See Configuring hardware logging.

In general, because each customer environment is different, different configurations may be required to achieve optimal performance.

PBA allocates a contiguous set of source translation endpoints called port blocks. Each port block is associated with a client by one IP address and a block of ports. Port blocks are allocated on demand and have a fixed size.

Choose these settings carefully to adequately and efficiently service clients that may require different numbers of simultaneous connections. Careful analysis and testing are required to find optimal values for the traffic conditions on your network.

You can define a port-block allocation IP pool by configuring the following:

  • External IP address range (startip and endip). Specifies the set of translation IP addresses available in the pool. These are typically public-side addresses.
  • Start port (cgn-port-start). The lowest port number in the port range. The default value is 5117.
  • End port (cgn-port-end). The highest possible port number in the port range. The default value is 65530.
  • Port block size (cgn-block-size). The number of ports allocated in a block. The default value is 128. Use a smaller port block size to conserve available ports; a client that needs more simultaneous connections than one block holds is then allocated additional blocks, each of which is logged.
  • Enable or disable ARP reply (arp-reply) to reply to ARP requests for addresses in the external address range.
  • Optionally specify the interface (arp-intf) that replies to ARP requests.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool exceeds a threshold (utilization-alarm-raise). The range is 50 to 100 per cent.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool falls below a threshold (utilization-alarm-clear). The range is 40 to 100 per cent. Set the clear threshold below the raise threshold so that usage hovering around a single value does not cause the trap to flap.
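The sizing analysis the settings above call for can be done before touching the firewall. The following is an added example, not Fortinet code: it models a PBA pool from the parameters described on this page (startip/endip, cgn-port-start/cgn-port-end, cgn-block-size and the two alarm thresholds), derives how many port blocks and subscribers the pool can serve, estimates the CGNAT log volume against per-session logging, and renders the matching config firewall ippool stanza. The pool name, the 203.0.113.0/24 documentation addresses, the subscriber and session counts, and the rule that the clear threshold must sit below the raise threshold are constructed assumptions for the example.

```python
"""Capacity planner for a FortiOS port-block-allocation (PBA) CGN IP pool.

Added example, not Fortinet code. Addresses, pool name and traffic figures
are constructed; the defaults mirror the ones given on this page.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class PbaPool:
    name: str
    startip: str
    endip: str
    block_size: int = 128     # cgn-block-size (page default)
    port_start: int = 5117    # cgn-port-start (page default)
    port_end: int = 65530     # cgn-port-end (page default)
    alarm_raise: int = 80     # utilization-alarm-raise, 50..100 per cent
    alarm_clear: int = 60     # utilization-alarm-clear, 40..100 per cent
    arp_reply: bool = True    # arp-reply; assumed enabled for public-side addresses

    def __post_init__(self):
        if ipaddress.IPv4Address(self.endip) < ipaddress.IPv4Address(self.startip):
            raise ValueError("endip must not precede startip")
        if not 1 <= self.port_start <= self.port_end <= 65535:
            raise ValueError("port range must satisfy 1 <= start <= end <= 65535")
        if not 1 <= self.block_size <= self.ports_per_ip:
            raise ValueError("block size must fit inside the port range")
        if not 50 <= self.alarm_raise <= 100 or not 40 <= self.alarm_clear <= 100:
            raise ValueError("alarm thresholds outside the ranges given on the page")
        # Planner rule (an assumption, not a FortiOS constraint): clear below
        # raise gives hysteresis so the SNMP trap does not flap.
        if self.alarm_clear >= self.alarm_raise:
            raise ValueError("utilization-alarm-clear must be below utilization-alarm-raise")

    @property
    def num_ips(self) -> int:
        return int(ipaddress.IPv4Address(self.endip)) - int(ipaddress.IPv4Address(self.startip)) + 1

    @property
    def ports_per_ip(self) -> int:
        return self.port_end - self.port_start + 1

    @property
    def blocks_per_ip(self) -> int:
        # Blocks have a fixed size; a partial trailing block cannot be allocated.
        return self.ports_per_ip // self.block_size

    @property
    def total_blocks(self) -> int:
        return self.num_ips * self.blocks_per_ip

    def max_subscribers(self, blocks_per_subscriber: int = 1) -> int:
        """Subscribers served if each holds this many blocks at once."""
        return self.total_blocks // blocks_per_subscriber

    def blocks_at_threshold(self, percent: int) -> int:
        """Allocated-block count at which a utilization percentage is reached."""
        return self.total_blocks * percent // 100

    def to_cli(self) -> str:
        """Render the stanza shown on this page with the planned values filled in."""
        arp = "enable" if self.arp_reply else "disable"
        return "\n".join([
            "config firewall ippool",
            f"    edit {self.name}",
            "        set type cgn-resource-allocation",
            f"        set startip {self.startip}",
            f"        set endip {self.endip}",
            f"        set arp-reply {arp}",
            "        set cgn-spa disable",
            "        set cgn-overload disable",
            "        set cgn-fixedalloc disable",
            f"        set cgn-block-size {self.block_size}",
            f"        set cgn-port-start {self.port_start}",
            f"        set cgn-port-end {self.port_end}",
            f"        set utilization-alarm-raise {self.alarm_raise}",
            f"        set utilization-alarm-clear {self.alarm_clear}",
            "    next",
            "end",
        ])


def per_session_log_entries(subscribers: int, sessions_per_subscriber: int) -> int:
    """Log volume if every CGNAT session were logged individually."""
    return subscribers * sessions_per_subscriber


def pba_log_entries(subscribers: int, blocks_per_subscriber: int, release_only: bool = False) -> int:
    """Log volume under PBA: one entry when a block is assigned and one when it is
    released, or only the release entry when logging is configured that way."""
    return subscribers * blocks_per_subscriber * (1 if release_only else 2)


if __name__ == "__main__":
    pool = PbaPool("cgn-pba-pool", "203.0.113.1", "203.0.113.254")  # constructed values
    print(f"{pool.num_ips} IPs x {pool.blocks_per_ip} blocks = {pool.total_blocks} blocks")
    print(f"subscribers at 2 blocks each: {pool.max_subscribers(2)}")
    print(f"raise trap after {pool.blocks_at_threshold(pool.alarm_raise)} allocated blocks")
    print(f"per-session logging, 1000 x 200 sessions: {per_session_log_entries(1000, 200)}")
    print(f"PBA logging, 1000 x 2 blocks: {pba_log_entries(1000, 2)}")
    print(pool.to_cli())
```

With the page defaults, each translation address yields 60414 usable ports, which is 471 blocks of 128; the trailing 94 ports are never allocated, so a block size that divides the port range evenly wastes nothing. Halving the block size doubles the number of subscribers a pool can hold, but a subscriber who opens more sessions than a block provides consumes a second block and a second pair of log entries, which is the trade-off the bullets above describe.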

You can also configure PBA with overload. Overload causes FortiOS to re-use ports within a block, allowing for more possible connections before running out of ports. To configure PBA with overload, see Overload with port-block-allocation CGN IP pool.