Fortinet black logo

Hyperscale Firewall Guide

Single port allocation CGN IP pool

Copy Link
Copy Doc ID d2d152b3-5935-11ed-96f0-fa163e15d75b:333835
Download PDF

Single port allocation CGN IP pool

On the GUI go to Policy & Objects > IP Pools > Create New > IP Pool. Set Type to CGN Resource Allocation and set Mode to Single Port Allocation.

On the CLI:

config firewall ippool

edit <name>

set type cgn-resource-allocation

set startip <ip>

set endip <ip>

set arp-reply {disable | enable}

set arp-intf <interface-name>

set cgn-spa enable

set cgn-overload disable

set cgn-port-start <port>

set cgn-port-end <port>

set utilization-alarm-raise <usage-threshold>

set utilization-alarm-clear <usage-threshold>

end

A single port allocation CGN resource allocation IP pool assigns single ports instead of ranges of ports. This type of CGN IP pool conserves ports by effectively reducing the port block size to 1. Since blocks of ports are not assigned to each client, this CGN IP Pool type works better for networks with large numbers of clients that start fewer individual sessions.

Since this is not an overload IP pool, ports are not re-used. Each client session gets a new port from the range of ports added to the IP pool that are available.

You can define a single port allocation IP pool by configuring the following:

  • External IP address range (start-ip and end-ip). Specifies the set of translation IP addresses available in the pool as a collection of IP prefixes with their prefix lengths. These are typically public-side addresses.
  • Start port (cgn-port-start). The lowest port number in the port range. The default value is 5117.
  • End port (cgn-port-end). The highest possible port number in the port range. The default value is 65530.
  • Enable or disable ARP reply (arp-reply) to reply to ARP requests for addresses in the external address range.
  • Optionally specify the interface (arp-intf) that replies to ARP requests.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool exceeds a threshold (utilization-alarm-raise). The range is 50 to 100 per cent.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool falls below a threshold (utilization-alarm-clear). The range is 40 to 100 per cent.

Single port allocation CGN IP pool

On the GUI go to Policy & Objects > IP Pools > Create New > IP Pool. Set Type to CGN Resource Allocation and set Mode to Single Port Allocation.

On the CLI:

config firewall ippool

edit <name>

set type cgn-resource-allocation

set startip <ip>

set endip <ip>

set arp-reply {disable | enable}

set arp-intf <interface-name>

set cgn-spa enable

set cgn-overload disable

set cgn-port-start <port>

set cgn-port-end <port>

set utilization-alarm-raise <usage-threshold>

set utilization-alarm-clear <usage-threshold>

end

A single port allocation CGN resource allocation IP pool assigns single ports instead of ranges of ports. This type of CGN IP pool conserves ports by effectively reducing the port block size to 1. Since blocks of ports are not assigned to each client, this CGN IP Pool type works better for networks with large numbers of clients that start fewer individual sessions.

Since this is not an overload IP pool, ports are not re-used. Each client session gets a new port from the range of ports added to the IP pool that are available.

You can define a single port allocation IP pool by configuring the following:

  • External IP address range (start-ip and end-ip). Specifies the set of translation IP addresses available in the pool as a collection of IP prefixes with their prefix lengths. These are typically public-side addresses.
  • Start port (cgn-port-start). The lowest port number in the port range. The default value is 5117.
  • End port (cgn-port-end). The highest possible port number in the port range. The default value is 65530.
  • Enable or disable ARP reply (arp-reply) to reply to ARP requests for addresses in the external address range.
  • Optionally specify the interface (arp-intf) that replies to ARP requests.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool exceeds a threshold (utilization-alarm-raise). The range is 50 to 100 per cent.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool falls below a threshold (utilization-alarm-clear). The range is 40 to 100 per cent.