Fortinet Document Library

Version:

Version:

Version:


Table of Contents

Hyperscale Firewall Guide

Download PDF
Copy Link

CGN resource allocation hyperscale firewall policies

Use the following options to configure an IPv4 or NAT64 CGN resource allocation hyperscale firewall policy:

config firewall {hyperscale-policy | hyperscale-policy64}

edit <id>

set action accept

set nat enable

set ippool enable

set poolname {<cgn-ippool> | <cgn-ippool-group>}...

set cgn-session-quota <quota>

set cgn-resource-quota <quota>

set cgn-eif {enable| disable}

set cgn-eim {enable| disable}

set cgn-log-server-grp <group-name>

end

poolname select one or more CGN IP pools or IP pool groups to apply CGN resource allocation IP pools to the firewall policy. To be able to add IP pools, nat and ippool must be enabled.

cgn-session-quota limit the number of concurrent sessions available for a client IP address (effectively the number of sessions per user). The range is 0 to 16777215 (the default). The default setting effectively means there is no quota.

cgn-resource-quota set a quota for the number port blocks available for a client IP address (effectively the number of port blocks per client IP address). Only applies if the firewall policy includes CGN IP pools with port block sizes. The range is 1 to 16 and the default is 16.

Note

If the config system npu hash-config option is set to src-dst-ip, you need to perform the following calculation to effectively set the cgn-session-quota and cgn-resource-quota. If the config system npu hash-config option is set to src-ip the following calculation does not apply.

If the config system npu hash-config option is set to src-dst-ip, when you set the resource quota, the number of port blocks available is divided evenly between each NP7 processor. If the FortiGate has multiple NP7 processors, only a portion of the resource quota is available to each NP7 and traffic from a given client IP address would all be processed by the same NP7. So to make sure each NP7 has access to the intended number of port blocks, you should adjust the cgn-session-quota to limit the number of sessions available for each client IP address. The intended resource quota should be multiplied by the number of NP7 processors that the FortiGate has to find the value to set as the session quota.

For example, the FortiGate-4200F has four NP7 processors. If you want each client IP address to have a resource quota of 2 port blocks, you should set cgn-session-quota using the following calculation:

<number of NP7 processors> x <intended cgn-resource-quota> = <cgn-session-quota>

For the FortiGate-4200F the calculation would be:

4 x 2 = 8

For a FortiGate-4200F to impose a resource quota of 2 port blocks, set cgn-session-quota to 8.

The FortiGate-4400F has six NP7 processors. If you want each client IP address to have a resource quota of 3 port blocks, you should set cgn-session-quota using the following calculation:

6 x 3 = 18

For a FortiGate-4200F to impose a resource quota of 3 port blocks, set cgn-session-quota to 18.

cgn-eif enable or disable Endpoint Independent Filtering (EIF). Disabled by default. if another server attempts to connect to a public IP and port which is used by an existing session, when EIF is enabled, the NP7 will create the session and reuse the mapping for the existing session. When EIF is not enabled, the server attempts to connect to the public IP and port will fail. This practice is recommended in RFC 4787 for client applications that require this behavior.

For example, Client-A has an existing session, {A.a, B.b, S.s}. When another server S1.s1 attempts to connect to public address and port B.b, when EIF is enabled, the NP7 creates a new session as {A.a, B.b, S1.s1}. When EIF is disabled, such connection will be checked in full-policy and probably dropped.

cgn-eim enable or disable Endpoint Independent Mapping (EIM). If a client uses an existing source port to connect to a different server, the NP7 reuses the existing mapping to create new sessions. This practice is more compatible for some applications to work with NAT devices, also it is more efficient. A new resource allocation counts towards the resource quota. If EIM is triggered, the new session does not cause new resource allocation and the new session only counts towards the session quota.

For example, Client-A has an existing session, represented as {A.a, B.b, S.s}, where A.a is the client IP and port, B.b is the mapped IP and port, and S.s is the server IP and port. When EIM is enabled, if the client uses A.a to connect to another server S1.s1, the NP7 reuses the public IP and port at B.b to create session that can be represented as {A.a, B.b, S1.s1}.

Note
About hairpinning

You can use EIF to support hairpinning. A hairpinning configuration allows a client to communicate with a server that is on the same network as the client, but the communication takes place through the FortiGate because the client only knows the external address of the server.

To set up a hyperscale firewall hairpinning configuration, you need to enable EIF in the firewall policy. As well, the IP pool added to the policy should include addresses that overlap with the firewall policy destination address. In many cases you can do this by setting the firewall policy destination address to all.

If the policy uses a specific address or address range for the destination address, then this destination address and the IP pool address range should have some overlap.

cgn-log-server-grp the name of the hardware logging server group. See Hardware logging.

From the GUI

Use the following steps to configure CGNAT firewall policies from the GUI:

  1. Go to Policy & Objects and select IPv4 Hyperscale Policy or NAT46 Hyperscale Policy.
  2. Configure source and destination interfaces and addresses and other standard firewall options as required.
  3. If you are configuring an IPv4 or NAT64 hyperscale firewall policy you can also configure the following CGN resource allocation options:
  • IP Pool Configuration select one or more CGN resource allocation IP pools or CGN resource allocation IP pool groups. All of the IP pools or IP pool groups must have the same mode and their source IP addresses must not overlap.
  • CGN Session Quota to limit the concurrent sessions available for a source IP address.
  • CGN Resource Quota to limit the number of port blocks assigned to a source IP address.
  • Enable or disable Endpoint Independent Filtering.
  • Enable or disable Endpoint Independent Mapping.

  • Optionally enable hardware logging by selecting Log Hyperscale SPU Offload Traffic and selecting a Log Server Group.

  • CGN resource allocation hyperscale firewall policies

    Use the following options to configure an IPv4 or NAT64 CGN resource allocation hyperscale firewall policy:

    config firewall {hyperscale-policy | hyperscale-policy64}

    edit <id>

    set action accept

    set nat enable

    set ippool enable

    set poolname {<cgn-ippool> | <cgn-ippool-group>}...

    set cgn-session-quota <quota>

    set cgn-resource-quota <quota>

    set cgn-eif {enable| disable}

    set cgn-eim {enable| disable}

    set cgn-log-server-grp <group-name>

    end

    poolname select one or more CGN IP pools or IP pool groups to apply CGN resource allocation IP pools to the firewall policy. To be able to add IP pools, nat and ippool must be enabled.

    cgn-session-quota limit the number of concurrent sessions available for a client IP address (effectively the number of sessions per user). The range is 0 to 16777215 (the default). The default setting effectively means there is no quota.

    cgn-resource-quota set a quota for the number port blocks available for a client IP address (effectively the number of port blocks per client IP address). Only applies if the firewall policy includes CGN IP pools with port block sizes. The range is 1 to 16 and the default is 16.

    Note

    If the config system npu hash-config option is set to src-dst-ip, you need to perform the following calculation to effectively set the cgn-session-quota and cgn-resource-quota. If the config system npu hash-config option is set to src-ip the following calculation does not apply.

    If the config system npu hash-config option is set to src-dst-ip, when you set the resource quota, the number of port blocks available is divided evenly between each NP7 processor. If the FortiGate has multiple NP7 processors, only a portion of the resource quota is available to each NP7 and traffic from a given client IP address would all be processed by the same NP7. So to make sure each NP7 has access to the intended number of port blocks, you should adjust the cgn-session-quota to limit the number of sessions available for each client IP address. The intended resource quota should be multiplied by the number of NP7 processors that the FortiGate has to find the value to set as the session quota.

    For example, the FortiGate-4200F has four NP7 processors. If you want each client IP address to have a resource quota of 2 port blocks, you should set cgn-session-quota using the following calculation:

    <number of NP7 processors> x <intended cgn-resource-quota> = <cgn-session-quota>

    For the FortiGate-4200F the calculation would be:

    4 x 2 = 8

    For a FortiGate-4200F to impose a resource quota of 2 port blocks, set cgn-session-quota to 8.

    The FortiGate-4400F has six NP7 processors. If you want each client IP address to have a resource quota of 3 port blocks, you should set cgn-session-quota using the following calculation:

    6 x 3 = 18

    For a FortiGate-4200F to impose a resource quota of 3 port blocks, set cgn-session-quota to 18.

    cgn-eif enable or disable Endpoint Independent Filtering (EIF). Disabled by default. if another server attempts to connect to a public IP and port which is used by an existing session, when EIF is enabled, the NP7 will create the session and reuse the mapping for the existing session. When EIF is not enabled, the server attempts to connect to the public IP and port will fail. This practice is recommended in RFC 4787 for client applications that require this behavior.

    For example, Client-A has an existing session, {A.a, B.b, S.s}. When another server S1.s1 attempts to connect to public address and port B.b, when EIF is enabled, the NP7 creates a new session as {A.a, B.b, S1.s1}. When EIF is disabled, such connection will be checked in full-policy and probably dropped.

    cgn-eim enable or disable Endpoint Independent Mapping (EIM). If a client uses an existing source port to connect to a different server, the NP7 reuses the existing mapping to create new sessions. This practice is more compatible for some applications to work with NAT devices, also it is more efficient. A new resource allocation counts towards the resource quota. If EIM is triggered, the new session does not cause new resource allocation and the new session only counts towards the session quota.

    For example, Client-A has an existing session, represented as {A.a, B.b, S.s}, where A.a is the client IP and port, B.b is the mapped IP and port, and S.s is the server IP and port. When EIM is enabled, if the client uses A.a to connect to another server S1.s1, the NP7 reuses the public IP and port at B.b to create session that can be represented as {A.a, B.b, S1.s1}.

    Note
    About hairpinning

    You can use EIF to support hairpinning. A hairpinning configuration allows a client to communicate with a server that is on the same network as the client, but the communication takes place through the FortiGate because the client only knows the external address of the server.

    To set up a hyperscale firewall hairpinning configuration, you need to enable EIF in the firewall policy. As well, the IP pool added to the policy should include addresses that overlap with the firewall policy destination address. In many cases you can do this by setting the firewall policy destination address to all.

    If the policy uses a specific address or address range for the destination address, then this destination address and the IP pool address range should have some overlap.

    cgn-log-server-grp the name of the hardware logging server group. See Hardware logging.

    From the GUI

    Use the following steps to configure CGNAT firewall policies from the GUI:

    1. Go to Policy & Objects and select IPv4 Hyperscale Policy or NAT46 Hyperscale Policy.
    2. Configure source and destination interfaces and addresses and other standard firewall options as required.
    3. If you are configuring an IPv4 or NAT64 hyperscale firewall policy you can also configure the following CGN resource allocation options:
    • IP Pool Configuration select one or more CGN resource allocation IP pools or CGN resource allocation IP pool groups. All of the IP pools or IP pool groups must have the same mode and their source IP addresses must not overlap.
    • CGN Session Quota to limit the concurrent sessions available for a source IP address.
    • CGN Resource Quota to limit the number of port blocks assigned to a source IP address.
    • Enable or disable Endpoint Independent Filtering.
    • Enable or disable Endpoint Independent Mapping.

  • Optionally enable hardware logging by selecting Log Hyperscale SPU Offload Traffic and selecting a Log Server Group.