Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hyperscale Firewall Guide

    Home FortiGate / FortiOS 6.4.13 Hyperscale Firewall Guide
    6.4.13
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.6
    6.2.9
    6.2.7
    6.2.6

    How the NP7 hash-config affects CGNAT

    How the NP7 hash-config affects CGNAT

    In most cases Setting hash-config to 5-tuple distribution provides the best performance. However, CGNAT resource quotas are distributed differently depending on the hash-config.

    For example, you could use the following command to configure an IPv4 CGN resource allocation hyperscale firewall policy:

    config firewall policy

    edit <id>

    set action accept

    set dstaddr <address>

    set nat enable

    set ippool enable

    set poolname {<cgn-ippool> | <cgn-ippool-group>}...

    set cgn-session-quota <quota>

    set cgn-resource-quota <quota>

    set cgn-eif {enable| disable}

    set cgn-eim {enable| disable}

    set cgn-log-server-grp <group-name>

    end

    The cgn-resource-quota option sets a quota for the number port blocks available for a client IP address (effectively the number of port blocks per client IP address). When hash-config is set to src-ip, each NP7 processor has the same cgn-resource-quota and the quota is applied to all traffic from a given source address.

    When hash-config is set to 5-tuple, the number of blocks in the resource quota are divided evenly among each NP7 processor and only a portion of the resource quota is available on each NP7 processor. So to make sure each NP7 has access to the intended number of port blocks, you should adjust the cgn-session-quota to limit the number of sessions available for each client IP address. The intended resource quota should be multiplied by the number of NP7 processors that the FortiGate has to find the value to set as the session quota.

    For example, the FortiGate-4200F has four NP7 processors. If you want each client IP address to have a resource quota of 2 port blocks, you should set cgn-session-quota using the following calculation:

    <number of NP7 processors> x <intended cgn-resource-quota> = <cgn-session-quota>

    For the FortiGate-4200F the calculation would be:

    4 x 2 = 8

    For a FortiGate-4200F to impose a resource quota of 2 port blocks, set cgn-session-quota to 8.

    The FortiGate-4400F has six NP7 processors. If you want each client IP address to have a resource quota of 3 port blocks, you should set cgn-session-quota using the following calculation:

    6 x 3 = 18

    For a FortiGate-4200F to impose a resource quota of 3 port blocks, set cgn-session-quota to 18.

    On FortiGates with an odd number of NP7 processors, for example the FortiGate-3500F and 3501F, when hash-config is set to src-dst-ip, the number of blocks in the resource quota are divided evenly among each NP7 processor and only a portion of the resource quota is available on each NP7 processor. So to make sure each NP7 has access to the intended number of port blocks, you should adjust the cgn-session-quota to limit the number of sessions available for each client IP address. The intended resource quota should be multiplied by the number of NP7 processors that the FortiGate has to find the value to set as the session quota.

    For example, the FortiGate-3500F has three NP7 processors. If you want each client IP address to have a resource quota of 2 port blocks, you should set cgn-session-quota using the following calculation:

    <number of NP7 processors> x <intended cgn-resource-quota> = <cgn-session-quota>

    For the FortiGate-3500F the calculation would be:

    3 x 2 = 6

    Previous
    Next

    How the NP7 hash-config affects CGNAT

    How the NP7 hash-config affects CGNAT

    In most cases Setting hash-config to 5-tuple distribution provides the best performance. However, CGNAT resource quotas are distributed differently depending on the hash-config.

    For example, you could use the following command to configure an IPv4 CGN resource allocation hyperscale firewall policy:

    config firewall policy

    edit <id>

    set action accept

    set dstaddr <address>

    set nat enable

    set ippool enable

    set poolname {<cgn-ippool> | <cgn-ippool-group>}...

    set cgn-session-quota <quota>

    set cgn-resource-quota <quota>

    set cgn-eif {enable| disable}

    set cgn-eim {enable| disable}

    set cgn-log-server-grp <group-name>

    end

    The cgn-resource-quota option sets a quota for the number port blocks available for a client IP address (effectively the number of port blocks per client IP address). When hash-config is set to src-ip, each NP7 processor has the same cgn-resource-quota and the quota is applied to all traffic from a given source address.

    When hash-config is set to 5-tuple, the number of blocks in the resource quota are divided evenly among each NP7 processor and only a portion of the resource quota is available on each NP7 processor. So to make sure each NP7 has access to the intended number of port blocks, you should adjust the cgn-session-quota to limit the number of sessions available for each client IP address. The intended resource quota should be multiplied by the number of NP7 processors that the FortiGate has to find the value to set as the session quota.

    For example, the FortiGate-4200F has four NP7 processors. If you want each client IP address to have a resource quota of 2 port blocks, you should set cgn-session-quota using the following calculation:

    <number of NP7 processors> x <intended cgn-resource-quota> = <cgn-session-quota>

    For the FortiGate-4200F the calculation would be:

    4 x 2 = 8

    For a FortiGate-4200F to impose a resource quota of 2 port blocks, set cgn-session-quota to 8.

    The FortiGate-4400F has six NP7 processors. If you want each client IP address to have a resource quota of 3 port blocks, you should set cgn-session-quota using the following calculation:

    6 x 3 = 18

    For a FortiGate-4200F to impose a resource quota of 3 port blocks, set cgn-session-quota to 18.

    On FortiGates with an odd number of NP7 processors, for example the FortiGate-3500F and 3501F, when hash-config is set to src-dst-ip, the number of blocks in the resource quota are divided evenly among each NP7 processor and only a portion of the resource quota is available on each NP7 processor. So to make sure each NP7 has access to the intended number of port blocks, you should adjust the cgn-session-quota to limit the number of sessions available for each client IP address. The intended resource quota should be multiplied by the number of NP7 processors that the FortiGate has to find the value to set as the session quota.

    For example, the FortiGate-3500F has three NP7 processors. If you want each client IP address to have a resource quota of 2 port blocks, you should set cgn-session-quota using the following calculation:

    <number of NP7 processors> x <intended cgn-resource-quota> = <cgn-session-quota>

    For the FortiGate-3500F the calculation would be:

    3 x 2 = 6

    Previous
    Next