Hyperscale Firewall Guide


How the NP7 hash-config affects CGNAT

On FortiGates with multiple NP7 processors, you can use the following command to configure how the internal switch fabric (ISF) distributes sessions to the NP7 processors.

config system global
config system npu
    set hash-config {5-tuple | src-ip}
end

Changing the hash-config causes the FortiGate to restart.

5-tuple (the default): to distribute sessions, a hash is created for each session based on the session's source and destination IP addresses, IP protocol, and source and destination TCP/UDP ports.

src-ip: sessions are distributed by source IP address. All sessions from a given source IP address are processed by the same NP7 processor.

In most cases 5-tuple distribution provides the best performance. However, CGNAT resource quotas are distributed differently depending on the hash-config.

For example, you could use the following command to configure an IPv4 CGN resource allocation hyperscale firewall policy:

config firewall policy
    edit <id>
        set action accept
        set dstaddr <address>
        set nat enable
        set ippool enable
        set poolname {<cgn-ippool> | <cgn-ippool-group>}...
        set cgn-session-quota <quota>
        set cgn-resource-quota <quota>
        set cgn-eif {enable | disable}
        set cgn-eim {enable | disable}
        set cgn-log-server-grp <group-name>
end

The cgn-resource-quota option sets a quota for the number of port blocks available to a client IP address (effectively the number of port blocks per client IP address). When hash-config is set to src-ip, each NP7 processor has the same cgn-resource-quota, and the quota is applied to all traffic from a given source address because that address always lands on the same NP7.

When hash-config is set to 5-tuple, the number of port blocks in the resource quota is divided evenly among the NP7 processors, so only a portion of the resource quota is available on each NP7 processor. To make sure each NP7 has access to the intended number of port blocks, adjust cgn-session-quota, which limits the number of sessions available to each client IP address. Multiply the intended resource quota by the number of NP7 processors in the FortiGate to find the value to set as the session quota.

For example, the FortiGate-4200F has four NP7 processors. If you want each client IP address to have a resource quota of 2 port blocks, you should set cgn-session-quota using the following calculation:

<number of NP7 processors> x <intended cgn-resource-quota> = <cgn-session-quota>

For the FortiGate-4200F the calculation would be:

4 x 2 = 8

For a FortiGate-4200F to impose a resource quota of 2 port blocks, set cgn-session-quota to 8.

The FortiGate-4400F has six NP7 processors. If you want each client IP address to have a resource quota of 3 port blocks, you should set cgn-session-quota using the following calculation:

6 x 3 = 18

For a FortiGate-4400F to impose a resource quota of 3 port blocks, set cgn-session-quota to 18.
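The calculation above, as an added example that is not Fortinet's code or part of this guide: a helper that derives the cgn-session-quota from the NP7 count and the intended cgn-resource-quota, plus a small check that flags a hyperscale policy whose session quota was left unadjusted under 5-tuple hashing. The NP7 counts for the 4200F and 4400F are the ones this page states; the sample policy and the key names in the regex are constructed from the CLI shown above.

```python
"""Added example, not Fortinet's code: derive the cgn-session-quota this page says to
set under 5-tuple hashing, and check a hyperscale CGN policy snippet for the mismatch."""
import re

# NP7 counts quoted on the page; any other model is an assumption you must fill in.
NP7_COUNT = {"FortiGate-4200F": 4, "FortiGate-4400F": 6}

def required_session_quota(np7_count, intended_resource_quota):
    """<number of NP7 processors> x <intended cgn-resource-quota> = <cgn-session-quota>."""
    if np7_count < 1 or intended_resource_quota < 1:
        raise ValueError("NP7 count and resource quota must be positive")
    return np7_count * intended_resource_quota

def _setting(policy_text, key):
    """Value of 'set <key> <value>' in a CLI snippet, or None if the key is absent."""
    m = re.search(rf"^\s*set {re.escape(key)} (\S+)\s*$", policy_text, re.M)
    return m.group(1) if m else None

def lint_cgn_policy(policy_text, np7_count, hash_config):
    """Findings for a CGN policy. Under src-ip the resource quota applies per source
    address as-is; under 5-tuple it is split across NP7s, so cgn-session-quota must be
    at least np7_count x cgn-resource-quota for each NP7 to see the intended blocks."""
    findings = []
    resource = _setting(policy_text, "cgn-resource-quota")
    if resource is None or hash_config == "src-ip":
        return findings  # no port-block quota to protect, or hashing does not split it
    if hash_config != "5-tuple":
        raise ValueError(f"unknown hash-config: {hash_config}")
    session = _setting(policy_text, "cgn-session-quota")
    needed = required_session_quota(np7_count, int(resource))
    if session is None or int(session) < needed:
        findings.append(
            f"cgn-session-quota is {session or 'unset'}; with {np7_count} NP7 processors "
            f"and 5-tuple hashing set it to {needed} so each NP7 sees {resource} "
            f"port block(s) per client IP address"
        )
    return findings

# Constructed sample: a 2-block quota left unadjusted on a four-NP7 FortiGate-4200F.
SAMPLE_POLICY = """config firewall policy
    edit 10
        set nat enable
        set cgn-session-quota 2
        set cgn-resource-quota 2
    next
end"""
```

Running lint_cgn_policy(SAMPLE_POLICY, NP7_COUNT["FortiGate-4200F"], "5-tuple") reports that the session quota must be raised to 8; the same policy under src-ip hashing produces no finding.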
