
Hyperscale Firewall Guide

Overload with port-block-allocation CGN IP pool


In the GUI, go to Policy & Objects > IP Pools > Create New > IP Pool. Set Type to CGN Resource Allocation and set Mode to Overload (Port Block Allocation).

On the CLI:

config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set startip <ip>
        set endip <ip>
        set arp-reply {disable | enable}
        set arp-intf <interface-name>
        set cgn-spa disable
        set cgn-overload enable
        set cgn-block-size <number-of-ports>
        set cgn-port-start <port>
        set cgn-port-end <port>
        set utilization-alarm-raise <usage-threshold>
        set utilization-alarm-clear <usage-threshold>
end

Overload with port block allocation (PBA) reduces CGNAT logging overhead. FortiOS writes a log entry when a client first establishes a connection and is assigned a port block, not for each connection the client opens, so the number of log entries drops from one per session to one per block. Overload additionally lets FortiOS reuse a port within the block for more than one connection (the connections are told apart by their destination), so a block supports more connections before it runs out of ports.

When all of the client's sessions have ended, FortiOS releases the port block and writes a second log message. You can also configure logging to write a message only when the port block is released. See Configuring hardware logging. Whichever option you choose, the block log is the record that ties a public address and port range to a client, so retain it with timestamps precise enough to answer an abuse report that cites a public address, port and time.
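To make the logging and port-reuse behaviour concrete, here is an added Python model of a PBA pool (example code written for this page, not Fortinet's implementation). It allocates fixed-size blocks on demand, writes one entry at allocation and one at release, reuses a port within a block for connections to different destinations when overload is on, and answers "who held this public address and port at time t" from the block log alone. The addresses, port range, block size, subscriber names and session trace are constructed, and the rule that a reused port is distinguished by its destination is an assumption of the model.

```python
"""Port-block allocation (PBA) with overload: log volume and attribution.
Added example, not Fortinet code. Models one log entry when a client is first
assigned a port block, one when the block is released, and port reuse inside a
block when overload is on. All addresses, ports and names are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Block:
    public_ip: str
    port_start: int
    port_end: int
    subscriber: str
    allocated_at: int
    released_at: Optional[int] = None

    def covers(self, ip: str, port: int, t: int) -> bool:
        end = self.released_at if self.released_at is not None else float("inf")
        return ip == self.public_ip and self.port_start <= port <= self.port_end and self.allocated_at <= t < end


class PBAPool:
    def __init__(self, start_ip, end_ip, port_start, port_end, block_size, overload=True):
        first, last = int(IPv4Address(start_ip)), int(IPv4Address(end_ip))
        # Fixed-size contiguous blocks carved from port_start; a tail shorter than a block is unused.
        self.free = [(str(IPv4Address(i)), p, p + block_size - 1)
                     for i in range(first, last + 1)
                     for p in range(port_start, port_end - block_size + 2, block_size)]
        self.overload = overload
        self.blocks = []         # every Block ever allocated, active or released
        self.sessions = {}       # (subscriber, sid) -> (Block, public_port, dst)
        self.log = []            # ("alloc" | "release", t, subscriber, ip, port_start, port_end)
        self.session_events = 0  # what per-session logging would have written (open + close)

    def _free_port(self, blk: Block, dst: str) -> Optional[int]:
        """Lowest usable port in blk; with overload a port is reusable unless (port, dst) is taken."""
        used = {(pp, d) if self.overload else pp for b, pp, d in self.sessions.values() if b is blk}
        for port in range(blk.port_start, blk.port_end + 1):
            if ((port, dst) if self.overload else port) not in used:
                return port
        return None

    def open_session(self, t: int, subscriber: str, sid: int, dst: str):
        self.session_events += 1
        for blk in [b for b in self.blocks if b.subscriber == subscriber and b.released_at is None]:
            port = self._free_port(blk, dst)
            if port is not None:
                break
        else:
            # First session, or every block the client holds is full: allocate on demand, log once per block.
            if not self.free:
                raise RuntimeError("pool exhausted")
            ip, ps, pe = self.free.pop(0)
            blk = Block(ip, ps, pe, subscriber, t)
            self.blocks.append(blk)
            self.log.append(("alloc", t, subscriber, ip, ps, pe))
            port = self._free_port(blk, dst)
        self.sessions[(subscriber, sid)] = (blk, port, dst)
        return blk.public_ip, port

    def close_session(self, t: int, subscriber: str, sid: int) -> None:
        self.session_events += 1
        blk, _, _ = self.sessions.pop((subscriber, sid))
        if not any(b is blk for b, _, _ in self.sessions.values()):
            blk.released_at = t  # last session on the block: release it and write the second entry
            self.free.append((blk.public_ip, blk.port_start, blk.port_end))
            self.log.append(("release", t, subscriber, blk.public_ip, blk.port_start, blk.port_end))

    def attribute(self, public_ip: str, port: int, t: int) -> Optional[str]:
        """Answer an abuse report from the block log alone: who held ip:port at time t?"""
        hits = {b.subscriber for b in self.blocks if b.covers(public_ip, port, t)}
        return hits.pop() if len(hits) == 1 else None


def run_trace() -> dict:
    """Constructed trace: one public address, 4-port blocks, three subscribers."""
    pool = PBAPool("203.0.113.10", "203.0.113.10", 5000, 5015, block_size=4)
    dsts = ["a.example", "b.example", "c.example"] * 2
    alice_ports = {pool.open_session(1 + i, "alice", i, d)[1] for i, d in enumerate(dsts)}
    pool.open_session(10, "bob", 0, "a.example")
    for i in range(6):
        pool.close_session(20 + i, "alice", i)
    pool.open_session(30, "carol", 0, "a.example")
    plain = PBAPool("203.0.113.10", "203.0.113.10", 5000, 5015, block_size=4, overload=False)
    for i, d in enumerate(dsts):  # the same six connections without overload
        plain.open_session(1 + i, "alice", i, d)
    return {
        "pool": pool,
        "alice_ports_overload": sorted(alice_ports),
        "alice_blocks_overload": sum(b.subscriber == "alice" for b in pool.blocks),
        "alice_blocks_plain": sum(b.subscriber == "alice" for b in plain.blocks),
        "pba_log_entries": len(pool.log),
        "per_session_log_entries": pool.session_events,
    }
```

Calling run_trace() shows the trade-off the text describes: six connections from one client fit in two ports of a single 4-port block with overload but need two blocks without it, and the pool writes 4 block-level entries where per-session logging would have written 14. The attribution lookup works only because both allocation and release times are kept; if you switch to release-only logging, confirm that the release record still carries the allocation time.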

In general, because each customer environment is different, different configurations may be required to achieve optimal performance.

PBA allocates a contiguous set of source translation endpoints called a port block: one external IP address plus a contiguous range of ports on that address, assigned to a single client. Port blocks have a fixed size and are allocated on demand.

Choose these settings carefully. Clients differ in how many simultaneous connections they need, and the block size and port range together determine both how many connections a client gets per block and how many clients a pool can serve at once. Analysis and testing against the traffic on your own network are required to find optimal values.

You can define an overload port-block allocation IP pool by configuring the following:

  • External IP address range (startip and endip). The range of translation IP addresses available in the pool, from the start address to the end address inclusive. These are typically public-side addresses.
  • Start port (cgn-port-start). The lowest port number in the port range. The default value is 5117.
  • End port (cgn-port-end). The highest port number in the port range. The default value is 65530.
  • Port block size (cgn-block-size). The number of ports allocated in a block. The default value is 128. A smaller block size conserves available ports and serves more clients per address, but gives each client fewer ports per block.
  • Enable or disable ARP reply (arp-reply) to answer ARP requests for addresses in the external address range.
  • Optionally specify the interface (arp-intf) that replies to those ARP requests.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool exceeds a threshold (utilization-alarm-raise). The range is 50 to 100 percent.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool falls below a threshold (utilization-alarm-clear). The range is 40 to 100 percent. Set it below utilization-alarm-raise, otherwise the trap raises and clears repeatedly around a single usage value.
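As an added example (not from this page or from Fortinet), the following Python planner applies the settings above: it derives how many blocks a pool provides from the address range, port range and block size, checks the ranges and the alarm thresholds, and renders the config firewall ippool stanza. The pool name, the 203.0.113.0/24 range, the interface port1 and the alarm values are constructed; the arithmetic assumes blocks are carved contiguously from cgn-port-start, which is this model's assumption rather than something the page states.

```python
"""PBA pool sizing check and CLI rendering.
Added example, not Fortinet code. Derives how many fixed-size blocks a pool
holds (which bounds how many clients can hold a block at once), flags values that
are out of range or waste ports, and renders the config firewall ippool stanza.
Pool name, addresses, interface and thresholds are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class PBAPoolPlan:
    name: str
    startip: str
    endip: str
    cgn_block_size: int = 128         # defaults as listed on this page
    cgn_port_start: int = 5117
    cgn_port_end: int = 65530
    arp_reply: bool = True
    arp_intf: str = ""                # optional; empty means the setting is not emitted
    utilization_alarm_raise: int = 90
    utilization_alarm_clear: int = 80

    @property
    def addresses(self) -> int:
        return int(IPv4Address(self.endip)) - int(IPv4Address(self.startip)) + 1

    @property
    def ports_per_address(self) -> int:
        return self.cgn_port_end - self.cgn_port_start + 1

    @property
    def blocks_per_address(self) -> int:
        # Model assumption: blocks are carved contiguously starting at cgn-port-start.
        return self.ports_per_address // self.cgn_block_size

    @property
    def total_blocks(self) -> int:
        return self.addresses * self.blocks_per_address

    def problems(self) -> list:
        """Checks to run before committing the pool; an empty list means the plan is sane."""
        out = []
        if self.addresses < 1:
            out.append("endip is below startip")
        if not 1 <= self.cgn_port_start <= self.cgn_port_end <= 65535:
            out.append("need 1 <= cgn-port-start <= cgn-port-end <= 65535")
        if not 1 <= self.cgn_block_size <= max(self.ports_per_address, 1):
            out.append("cgn-block-size does not fit in the port range")
        elif self.ports_per_address % self.cgn_block_size:
            out.append(f"{self.ports_per_address % self.cgn_block_size} ports per address do not fill a block")
        if not 50 <= self.utilization_alarm_raise <= 100:
            out.append("utilization-alarm-raise must be 50-100")
        if not 40 <= self.utilization_alarm_clear <= 100:
            out.append("utilization-alarm-clear must be 40-100")
        if self.utilization_alarm_clear >= self.utilization_alarm_raise:
            out.append("utilization-alarm-clear should be below utilization-alarm-raise or the trap will flap")
        return out

    def to_cli(self) -> str:
        """Render the stanza in the form shown on this page."""
        lines = ["config firewall ippool",
                 f'    edit "{self.name}"',
                 "        set type cgn-resource-allocation",
                 f"        set startip {self.startip}",
                 f"        set endip {self.endip}",
                 f"        set arp-reply {'enable' if self.arp_reply else 'disable'}"]
        if self.arp_intf:
            lines.append(f'        set arp-intf "{self.arp_intf}"')
        lines += ["        set cgn-spa disable",
                  "        set cgn-overload enable",
                  f"        set cgn-block-size {self.cgn_block_size}",
                  f"        set cgn-port-start {self.cgn_port_start}",
                  f"        set cgn-port-end {self.cgn_port_end}",
                  f"        set utilization-alarm-raise {self.utilization_alarm_raise}",
                  f"        set utilization-alarm-clear {self.utilization_alarm_clear}",
                  "    next",
                  "end"]
        return "\n".join(lines)


def example_plan() -> PBAPoolPlan:
    """A constructed /24 of public addresses with the page's default ports and block size."""
    return PBAPoolPlan("cgn-pba-pool", "203.0.113.0", "203.0.113.255", arp_intf="port1")
```

With the page's defaults, 65530 - 5117 + 1 = 60414 ports per address give 471 blocks of 128, so a /24 pool yields 120576 blocks, which is the number of client blocks it can hold concurrently. The 126 leftover ports per address are flagged because, under the model's assumption, they never fill a block; how FortiOS itself treats a partial block is not described on this page, so treat that finding as a prompt to choose a port range that is a multiple of the block size rather than as a statement about the firewall.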
