Fortinet white logo
Fortinet white logo

Hyperscale Firewall Guide

CGN resource allocation IP pools

CGN resource allocation IP pools

CGN resource allocation IP pools are variations on overload IP pools that take advantage of NP7 hardware acceleration to apply Carrier Grade NAT (CGN) features to IPv4 or NAT64 hyperscale firewall policies. CGN resource allocation IP pools manage the allocation of IPv4 source ports, addresses, and system resources used for logging.

You create CGN resource allocation IP pools from the GUI by going to Policy & Objects > IP Pools > Create New > IP Pool. Set Type to CGN Resource Allocation, select a Mode (or type), and edit settings for the selected mode.

From the CLI, you create CGN resource allocation IP pools by creating an IP pool and setting the type to cgn-resource-allocation. You can then enable or disable cgn-spa, cgn-overload, and cgn-fixedalloc to select a CGN IP pool type and then edit settings for the selected type.

config firewall ippool

edit <name>

set type cgn-resource-allocation

set startip <ip>

set endip <ip>

set arp-reply {disable | enable}

set arp-intf <interface-name>

set cgn-spa {disable | enable}

set cgn-overload {disable | enable}

set cgn-fixedalloc {disable | enable}

set cgn-block-size <number-of-ports>

set cgn-client-startip <ip>

set cgn-client-endip <ip>

set cgn-port-start <port>

set cgn-port-end <port>

set utilization-alarm-raise <usage-threshold>

set utilization-alarm-clear <usage-threshold>

end

Five different types or modes of CGN resource allocation IP pool modes are available. The following table summarizes each type and the following sections describe the GUI and CLI configuration for each type.

IP pool type (mode)

GUI option

CLI options

Supported CGNAT Features

Port Block Allocation (PBA)

Port Block Allocation

set cgn-spa disable

set cgn-overload disable

set cgn-fixedalloc disable

  • Dynamic IP consistency
  • Port block allocation
  • No port reuse
  • Deterministic NAT

Overload with port block allocation (PBA, overload)

Overload (Port Block Allocation)

set cgn-spa disable

set cgn-overload enable

  • Dynamic IP consistency
  • Port block allocation
  • Port reuse within block
  • Deterministic NAT

Single port allocation (SPA)

Single Port Allocation

set cgn-spa enable

set cgn-overload disable

  • Dynamic IP consistency
  • No port reuse
  • Deterministic NAT

Overload with single port allocation (SPA, overload)

Overload (Single Port Allocation)

set cgn-spa enable

set cgn-overload enable

  • Dynamic IP consistency
  • Port reuse within the entire port range
  • Deterministic NAT

Fixed allocation, (also called Port block allocation with fixed NAT or Deterministic NAT) (PBA, fixed NAT)

Fixed-allocation

set cgn-spa disable

set cgn-fixedalloc enable

  • Static IP consistency
  • Static port block allocation
  • No port reuse
  • Deterministic NAT

CGN resource allocation IP pools

CGN resource allocation IP pools

CGN resource allocation IP pools are variations on overload IP pools that take advantage of NP7 hardware acceleration to apply Carrier Grade NAT (CGN) features to IPv4 or NAT64 hyperscale firewall policies. CGN resource allocation IP pools manage the allocation of IPv4 source ports, addresses, and system resources used for logging.

You create CGN resource allocation IP pools from the GUI by going to Policy & Objects > IP Pools > Create New > IP Pool. Set Type to CGN Resource Allocation, select a Mode (or type), and edit settings for the selected mode.

From the CLI, you create CGN resource allocation IP pools by creating an IP pool and setting the type to cgn-resource-allocation. You can then enable or disable cgn-spa, cgn-overload, and cgn-fixedalloc to select a CGN IP pool type and then edit settings for the selected type.

config firewall ippool

edit <name>

set type cgn-resource-allocation

set startip <ip>

set endip <ip>

set arp-reply {disable | enable}

set arp-intf <interface-name>

set cgn-spa {disable | enable}

set cgn-overload {disable | enable}

set cgn-fixedalloc {disable | enable}

set cgn-block-size <number-of-ports>

set cgn-client-startip <ip>

set cgn-client-endip <ip>

set cgn-port-start <port>

set cgn-port-end <port>

set utilization-alarm-raise <usage-threshold>

set utilization-alarm-clear <usage-threshold>

end

Five different types or modes of CGN resource allocation IP pool modes are available. The following table summarizes each type and the following sections describe the GUI and CLI configuration for each type.

IP pool type (mode)

GUI option

CLI options

Supported CGNAT Features

Port Block Allocation (PBA)

Port Block Allocation

set cgn-spa disable

set cgn-overload disable

set cgn-fixedalloc disable

  • Dynamic IP consistency
  • Port block allocation
  • No port reuse
  • Deterministic NAT

Overload with port block allocation (PBA, overload)

Overload (Port Block Allocation)

set cgn-spa disable

set cgn-overload enable

  • Dynamic IP consistency
  • Port block allocation
  • Port reuse within block
  • Deterministic NAT

Single port allocation (SPA)

Single Port Allocation

set cgn-spa enable

set cgn-overload disable

  • Dynamic IP consistency
  • No port reuse
  • Deterministic NAT

Overload with single port allocation (SPA, overload)

Overload (Single Port Allocation)

set cgn-spa enable

set cgn-overload enable

  • Dynamic IP consistency
  • Port reuse within the entire port range
  • Deterministic NAT

Fixed allocation, (also called Port block allocation with fixed NAT or Deterministic NAT) (PBA, fixed NAT)

Fixed-allocation

set cgn-spa disable

set cgn-fixedalloc enable

  • Static IP consistency
  • Static port block allocation
  • No port reuse
  • Deterministic NAT