Hyperscale Firewall Guide

How the NP7 hash-config affects CGNAT

In most cases, setting hash-config to 5-tuple distribution provides the best performance. However, CGNAT resource quotas are distributed differently depending on the hash-config.

For example, you could use the following command to configure an IPv4 CGN resource allocation hyperscale firewall policy:

config firewall policy
    edit <id>
        set action accept
        set dstaddr <address>
        set nat enable
        set ippool enable
        set poolname {<cgn-ippool> | <cgn-ippool-group>}...
        set cgn-session-quota <quota>
        set cgn-resource-quota <quota>
        set cgn-eif {enable | disable}
        set cgn-eim {enable | disable}
        set cgn-log-server-grp <group-name>
end

The cgn-resource-quota option sets a quota for the number of port blocks available for a client IP address (effectively the number of port blocks per client IP address). When hash-config is set to src-ip, each NP7 processor has the same cgn-resource-quota and the quota is applied to all traffic from a given source address.

When hash-config is set to 5-tuple, the number of port blocks in the resource quota is divided evenly among the NP7 processors, so only a portion of the resource quota is available on each NP7 processor. To make sure each NP7 has access to the intended number of port blocks, adjust cgn-session-quota to limit the number of sessions available for each client IP address. Multiply the intended resource quota by the number of NP7 processors in the FortiGate to find the value to set as the session quota.

For example, the FortiGate-4200F has four NP7 processors. If you want each client IP address to have a resource quota of 2 port blocks, you should set cgn-session-quota using the following calculation:

<number of NP7 processors> x <intended cgn-resource-quota> = <cgn-session-quota>

For the FortiGate-4200F the calculation would be:

4 x 2 = 8

For a FortiGate-4200F to impose a resource quota of 2 port blocks, set cgn-session-quota to 8.

The FortiGate-4400F has six NP7 processors. If you want each client IP address to have a resource quota of 3 port blocks, you should set cgn-session-quota using the following calculation:

6 x 3 = 18

For a FortiGate-4400F to impose a resource quota of 3 port blocks, set cgn-session-quota to 18.

On FortiGates with an odd number of NP7 processors, for example the FortiGate-3500F and 3501F, when hash-config is set to src-dst-ip, the number of port blocks in the resource quota is divided evenly among the NP7 processors, so only a portion of the resource quota is available on each NP7 processor. To make sure each NP7 has access to the intended number of port blocks, adjust cgn-session-quota to limit the number of sessions available for each client IP address. Multiply the intended resource quota by the number of NP7 processors in the FortiGate to find the value to set as the session quota.

For example, the FortiGate-3500F has three NP7 processors. If you want each client IP address to have a resource quota of 2 port blocks, you should set cgn-session-quota using the following calculation:

<number of NP7 processors> x <intended cgn-resource-quota> = <cgn-session-quota>

For the FortiGate-3500F the calculation would be:

3 x 2 = 6
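The following is an added example, not part of the Fortinet guide: it encodes the rule above (resource quota split across NP7s under 5-tuple, and under src-dst-ip on odd NP7 counts, but not under src-ip) and audits a policy's cgn-session-quota against the result. The NP7_COUNT table, the assumption that cgn-resource-quota holds the intended per-client value, and the sample policy text are all constructed here; the guide gives no session-quota figure for src-ip, so that case returns None.

```python
import re

# Constructed lookup of NP7 counts named in the guide text (assumption: used only here).
NP7_COUNT = {"FortiGate-4200F": 4, "FortiGate-4400F": 6,
             "FortiGate-3500F": 3, "FortiGate-3501F": 3}


def quota_is_split(hash_config, np7_count):
    """True when the guide says the resource quota is divided among the NP7s."""
    if hash_config == "5-tuple":
        return True                      # always divided evenly across NP7s
    if hash_config == "src-ip":
        return False                     # every NP7 applies the full quota
    if hash_config == "src-dst-ip":
        if np7_count % 2 == 1:
            return True                  # odd NP7 count: divided, per the guide
        raise ValueError("guide does not cover src-dst-ip with an even NP7 count")
    raise ValueError(f"unknown hash-config {hash_config!r}")


def required_session_quota(intended_resource_quota, hash_config, np7_count):
    """cgn-session-quota that keeps <intended_resource_quota> blocks per NP7, or None."""
    if quota_is_split(hash_config, np7_count):
        return np7_count * intended_resource_quota   # <NP7 count> x <intended quota>
    return None                                      # no adjustment derived by the guide


_QUOTA_RE = re.compile(r"^\s*set\s+(cgn-session-quota|cgn-resource-quota)\s+(\d+)\s*$", re.M)


def audit_policy(policy_cli, model, hash_config):
    """Compare a policy's cgn-session-quota with the value the guide's rule requires."""
    found = {key: int(val) for key, val in _QUOTA_RE.findall(policy_cli)}
    resource, session = found.get("cgn-resource-quota"), found.get("cgn-session-quota")
    if resource is None or session is None:
        return {"ok": False, "reason": "policy lacks cgn-resource-quota or cgn-session-quota"}
    expected = required_session_quota(resource, hash_config, NP7_COUNT[model])
    if expected is None:
        return {"ok": True, "expected": None, "configured": session}
    return {"ok": session == expected, "expected": expected, "configured": session}


# Constructed policy fragment mirroring the guide's template (values chosen for a 4200F).
SAMPLE_POLICY = """config firewall policy
    edit 1
        set action accept
        set nat enable
        set ippool enable
        set cgn-resource-quota 2
        set cgn-session-quota 8
end
"""
```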
