CGN resource allocation hyperscale firewall policies
The number of firewall policies that can be added to a hyperscale firewall VDOM is limited to 15,000. For more information, see About the 15,000 policy per hyperscale VDOM limit.
Use the following options to add an IPv4 CGN resource allocation hyperscale firewall policy to a hyperscale firewall VDOM:
config firewall policy
    edit <id>
        set action accept
        set dstaddr <address>
        set nat enable
        set ippool enable
        set poolname {<cgn-ippool> | <cgn-ippool-group>}...
        set cgn-session-quota <quota>
        set cgn-resource-quota <quota>
        set cgn-eif {enable | disable}
        set cgn-eim {enable | disable}
        set cgn-log-server-grp <group-name>
end
Use the following options to add a NAT64 CGN resource allocation hyperscale firewall policy to a hyperscale firewall VDOM:
config firewall policy
    edit <id>
        set action accept
        set dstaddr <address>
        set nat64 enable
        set ippool enable
        set poolname {<cgn-ippool> | <cgn-ippool-group>}...
        set cgn-session-quota <quota>
        set cgn-resource-quota <quota>
        set cgn-eif {enable | disable}
        set cgn-eim {enable | disable}
        set cgn-log-server-grp <group-name>
end
poolname
select one or more CGN resource allocation IP pools or IP pool groups to apply to the firewall policy. To be able to add IP pools, nat or nat64, and ippool must be enabled, and the addresses in the IP pools must overlap with the dstaddr address.
cgn-session-quota
limit the number of concurrent sessions available for a client IP address (effectively the number of sessions per user). The range is 0 to 16777215 (the default). The default setting effectively means there is no quota.
cgn-resource-quota
set a quota for the number of port blocks available for a client IP address (effectively the number of port blocks per client IP address). Only applies if the firewall policy includes CGN IP pools with port block sizes. The range is 1 to 16 and the default is 16. If your FortiGate has multiple NP7 processors, the resource quota should be set differently depending on the hash-config used by the internal switch fabric (ISF). See Recommended NP7 traffic distribution for optimal CGNAT performance for details.
cgn-eif
enable or disable Endpoint Independent Filtering (EIF). Disabled by default. If another server attempts to connect to a public IP and port that is used by an existing session, and EIF is enabled, the NP7 creates the session and reuses the mapping of the existing session. When EIF is not enabled, the server's attempt to connect to the public IP and port fails. This behavior is recommended in RFC 4787 for client applications that require it.
For example, Client-A has an existing session, {A.a, B.b, S.s}. When another server S1.s1 attempts to connect to public address and port B.b and EIF is enabled, the NP7 creates a new session as {A.a, B.b, S1.s1}. When EIF is disabled, such a connection is checked against the full policy and is probably dropped.
If your FortiGate has multiple NP7 processors, depending on whether or not you are enabling EIF in hyperscale firewall policies, you may want to use the nss-threads-option of the config system npu command to optimize performance. See Optimizing NP7 network session setup (NSS) engine performance.
cgn-eim
enable or disable Endpoint Independent Mapping (EIM). If a client uses an existing source port to connect to a different server, the NP7 reuses the existing mapping to create the new session. This behavior makes some applications more compatible with NAT devices, and it is also more efficient. A new resource allocation counts towards the resource quota. If EIM is triggered, the new session does not cause a new resource allocation and only counts towards the session quota.
For example, Client-A has an existing session, represented as {A.a, B.b, S.s}, where A.a is the client IP and port, B.b is the mapped IP and port, and S.s is the server IP and port. When EIM is enabled, if the client uses A.a to connect to another server S1.s1, the NP7 reuses the public IP and port B.b to create a session that can be represented as {A.a, B.b, S1.s1}.
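To make the quota accounting concrete, the following Python model (added here as an illustration; it is not FortiOS or NP7 code) tracks a client's sessions, EIM mapping reuse, EIF inbound handling and the port-block resource quota as the cgn-eif and cgn-eim descriptions above define them. The single public address B, the port numbering and the two-port block size are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class CgnPolicyModel:
    """Quota accounting of one hyperscale CGN policy; endpoints are (ip, port) tuples."""
    session_quota: int = 16777215  # cgn-session-quota default: effectively no quota
    resource_quota: int = 16       # cgn-resource-quota: port blocks per client IP
    eim: bool = False              # cgn-eim
    eif: bool = False              # cgn-eif
    public_ip: str = "B"           # constructed single-address CGN IP pool
    block_size: int = 2            # constructed: tiny blocks so the quota trips quickly
    sessions: set = field(default_factory=set)    # {(A.a, B.b, S.s)}
    mappings: dict = field(default_factory=dict)  # A.a -> B.b, reused when EIM is on
    blocks: dict = field(default_factory=dict)    # client IP -> [free ports per block]

    def _allocate_port(self, client_ip):
        # Take a free port from an existing block, else a new block if the quota allows.
        blocks = self.blocks.setdefault(client_ip, [])
        for blk in blocks:
            if blk:
                return blk.pop(0)
        if len(blocks) >= self.resource_quota:
            return None  # resource quota exhausted: no further port block for this client
        base = 1024 + sum(len(b) for b in self.blocks.values()) * self.block_size
        blocks.append(list(range(base + 1, base + self.block_size)))
        return base

    def outbound(self, client, server):
        """Client A.a opens a session to S.s; returns B.b, or the name of the quota hit."""
        if sum(s[0][0] == client[0] for s in self.sessions) >= self.session_quota:
            return "session-quota"
        mapped = self.mappings.get(client) if self.eim else None
        if mapped is None:  # new resource allocation: counts against the resource quota
            port = self._allocate_port(client[0])
            if port is None:
                return "resource-quota"
            self.mappings[client] = mapped = (self.public_ip, port)
        self.sessions.add((client, mapped, server))  # counts against the session quota
        return mapped

    def inbound(self, server, mapped):
        """Server S1.s1 connects to B.b; returns the client endpoint reached, or None."""
        hits = [s for s in self.sessions if s[1] == mapped]
        if any(s[2] == server for s in hits):
            return hits[0][0]  # matches an existing session
        if hits and self.eif:  # EIF: create {A.a, B.b, S1.s1} reusing the mapping
            self.sessions.add((hits[0][0], mapped, server))
            return hits[0][0]
        return None  # EIF off: falls to full-policy lookup, probably dropped
```

With EIM off, every new outbound session consumes a port from the client's blocks, so the resource quota is reached much sooner than with EIM on.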
cgn-log-server-grp
the name of the hardware logging server group. See Hardware logging.
From the GUI
Use the following steps to add CGNAT firewall policies to a hyperscale firewall VDOM from the GUI:
- Go to Policy & Objects and select Firewall Policy.
- Configure source and destination interfaces and addresses and other standard firewall options as required.
- If you are configuring an IPv4 or NAT64 hyperscale firewall policy, you can also configure the following CGN resource allocation options:
  - IP Pool Configuration: select one or more CGN resource allocation IP pools or CGN resource allocation IP pool groups. All of the IP pools or IP pool groups must have the same mode and their source IP addresses must not overlap.
  - CGN Session Quota: limit the concurrent sessions available for a source IP address.
  - CGN Resource Quota: limit the number of port blocks assigned to a source IP address.
  - Enable or disable Endpoint Independent Filtering.
  - Enable or disable Endpoint Independent Mapping.
Optionally enable hardware logging by selecting Log Hyperscale SPU Offload Traffic and selecting a Log Server Group.