Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hyperscale Firewall Guide

    Home FortiGate / FortiOS 7.0.10 Hyperscale Firewall Guide
    7.0.10
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.6
    6.2.9
    6.2.7
    6.2.6

    Fixed allocation CGN IP pool

    Fixed allocation CGN IP pool

    On the GUI go to Policy & Objects > IP Pools > Create New > IP Pool. Set IP Pool Type to IPv4 IP Pool, set Type to CGN Resource Allocation, and set Mode to Fixed-allocation. You can enable NAT64 to make this a NAT64 IP pool.

    On the CLI:

    config firewall ippool

    edit <name>

    set type cgn-resource-allocation

    set startip <ip>

    set endip <ip>

    set arp-reply {disable | enable}

    set arp-intf <interface-name>

    set cgn-spa disable

    set cgn-fixedalloc enable

    set cgn-block-size <number-of-ports>

    set cgn-client-startip <ip>

    set cgn-client-endip <ip>

    set cgn-port-start <port>

    set cgn-port-end <port>

    set utilization-alarm-raise <usage-threshold>

    set utilization-alarm-clear <usage-threshold>

    set nat64 {disable | enable}

    end

    Also called deterministic NAT, a fixed allocation CGN resource allocation IP pool causes FortiOS to find the maximum possible block size, given the configured NAT resources and gives one block to each client.

    The number of clients that can use a fixed allocation CGN resource allocation IP pool is limited by the number of IP addresses in the pool. Since this is not an overload IP pool, ports are not re-used.

    You can define a fixed allocation IP pool by configuring the following:

    • External IP address range (start-ip and end-ip). Specifies the set of translation IP addresses available in the pool as a collection of IP prefixes with their prefix lengths. These are typically public-side addresses.
    • Internal or client IP address range (cgn-client-startip and cgn-client-endip). The range of internal addresses. This range must match or be a subset of the available source IP addresses.
    • Start port (cgn-port-start). The lowest port number in the port range. The default value is 5117.
    • End port (cgn-port-end). The highest possible port number in the port range. The default value is 65530
    • Port block size (cgn-block-size). When cgn-fixedallc is enabled, the cgn-block-size configuration is ignored because FortiOS calculates a block-size to find the maximum possible block size and gives one block to each client.
    • Enable or disable ARP reply (arp-reply) to reply to ARP requests for addresses in the external address range.
    • Optionally specify the interface (arp-intf) that replies to ARP requests.
    • Generate an SNMP trap when the usage of the resources defined by an IP pool exceeds a threshold (utilization-alarm-raise). The range is 50 to 100 per cent.
    • Generate an SNMP trap when the usage of the resources defined by an IP pool falls below this threshold (utilization-alarm-clear). The range is 40 to 100 per cent.
    • You can enable nat64 to make this a NAT64 IP pool.
    Previous
    Next

    Fixed allocation CGN IP pool

    Fixed allocation CGN IP pool

    On the GUI go to Policy & Objects > IP Pools > Create New > IP Pool. Set IP Pool Type to IPv4 IP Pool, set Type to CGN Resource Allocation, and set Mode to Fixed-allocation. You can enable NAT64 to make this a NAT64 IP pool.

    On the CLI:

    config firewall ippool

    edit <name>

    set type cgn-resource-allocation

    set startip <ip>

    set endip <ip>

    set arp-reply {disable | enable}

    set arp-intf <interface-name>

    set cgn-spa disable

    set cgn-fixedalloc enable

    set cgn-block-size <number-of-ports>

    set cgn-client-startip <ip>

    set cgn-client-endip <ip>

    set cgn-port-start <port>

    set cgn-port-end <port>

    set utilization-alarm-raise <usage-threshold>

    set utilization-alarm-clear <usage-threshold>

    set nat64 {disable | enable}

    end

    Also called deterministic NAT, a fixed allocation CGN resource allocation IP pool causes FortiOS to find the maximum possible block size, given the configured NAT resources and gives one block to each client.

    The number of clients that can use a fixed allocation CGN resource allocation IP pool is limited by the number of IP addresses in the pool. Since this is not an overload IP pool, ports are not re-used.

    You can define a fixed allocation IP pool by configuring the following:

    • External IP address range (start-ip and end-ip). Specifies the set of translation IP addresses available in the pool as a collection of IP prefixes with their prefix lengths. These are typically public-side addresses.
    • Internal or client IP address range (cgn-client-startip and cgn-client-endip). The range of internal addresses. This range must match or be a subset of the available source IP addresses.
    • Start port (cgn-port-start). The lowest port number in the port range. The default value is 5117.
    • End port (cgn-port-end). The highest possible port number in the port range. The default value is 65530
    • Port block size (cgn-block-size). When cgn-fixedallc is enabled, the cgn-block-size configuration is ignored because FortiOS calculates a block-size to find the maximum possible block size and gives one block to each client.
    • Enable or disable ARP reply (arp-reply) to reply to ARP requests for addresses in the external address range.
    • Optionally specify the interface (arp-intf) that replies to ARP requests.
    • Generate an SNMP trap when the usage of the resources defined by an IP pool exceeds a threshold (utilization-alarm-raise). The range is 50 to 100 per cent.
    • Generate an SNMP trap when the usage of the resources defined by an IP pool falls below this threshold (utilization-alarm-clear). The range is 40 to 100 per cent.
    • You can enable nat64 to make this a NAT64 IP pool.
    Previous
    Next