Fortinet white logo
Fortinet white logo

Hyperscale Firewall Guide

Fixed allocation CGN IP pool

Fixed allocation CGN IP pool

On the GUI go to Policy & Objects > IP Pools > Create New > IP Pool. Set IP Pool Type to IPv4 IP Pool, set Type to CGN Resource Allocation, and set Mode to Fixed-allocation. You can enable NAT64 to make this a NAT64 IP pool.

On the CLI:

config firewall ippool

edit <name>

set type cgn-resource-allocation

set startip <ip>

set endip <ip>

set arp-reply {disable | enable}

set arp-intf <interface-name>

set cgn-spa disable

set cgn-fixedalloc enable

set cgn-block-size <number-of-ports>

set cgn-client-startip <ip>

set cgn-client-endip <ip>

set cgn-port-start <port>

set cgn-port-end <port>

set utilization-alarm-raise <usage-threshold>

set utilization-alarm-clear <usage-threshold>

set nat64 {disable | enable}

end

Also called deterministic NAT, a fixed allocation CGN resource allocation IP pool causes FortiOS to find the maximum possible block size, given the configured NAT resources and gives one block to each client.

The number of clients that can use a fixed allocation CGN resource allocation IP pool is limited by the number of IP addresses in the pool. Since this is not an overload IP pool, ports are not re-used.

You can define a fixed allocation IP pool by configuring the following:

  • External IP address range (start-ip and end-ip). Specifies the set of translation IP addresses available in the pool as a collection of IP prefixes with their prefix lengths. These are typically public-side addresses.
  • Internal or client IP address range (cgn-client-startip and cgn-client-endip). The range of internal addresses. This range must match or be a subset of the available source IP addresses.
  • Start port (cgn-port-start). The lowest port number in the port range. The default value is 5117.
  • End port (cgn-port-end). The highest possible port number in the port range. The default value is 65530
  • Port block size (cgn-block-size). When cgn-fixedallc is enabled, the cgn-block-size configuration is ignored because FortiOS calculates a block-size to find the maximum possible block size and gives one block to each client.
  • Enable or disable ARP reply (arp-reply) to reply to ARP requests for addresses in the external address range.
  • Optionally specify the interface (arp-intf) that replies to ARP requests.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool exceeds a threshold (utilization-alarm-raise). The range is 50 to 100 per cent.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool falls below this threshold (utilization-alarm-clear). The range is 40 to 100 per cent.
  • You can enable nat64 to make this a NAT64 IP pool.

Fixed allocation CGN IP pool

Fixed allocation CGN IP pool

On the GUI go to Policy & Objects > IP Pools > Create New > IP Pool. Set IP Pool Type to IPv4 IP Pool, set Type to CGN Resource Allocation, and set Mode to Fixed-allocation. You can enable NAT64 to make this a NAT64 IP pool.

On the CLI:

config firewall ippool

edit <name>

set type cgn-resource-allocation

set startip <ip>

set endip <ip>

set arp-reply {disable | enable}

set arp-intf <interface-name>

set cgn-spa disable

set cgn-fixedalloc enable

set cgn-block-size <number-of-ports>

set cgn-client-startip <ip>

set cgn-client-endip <ip>

set cgn-port-start <port>

set cgn-port-end <port>

set utilization-alarm-raise <usage-threshold>

set utilization-alarm-clear <usage-threshold>

set nat64 {disable | enable}

end

Also called deterministic NAT, a fixed allocation CGN resource allocation IP pool causes FortiOS to find the maximum possible block size, given the configured NAT resources and gives one block to each client.

The number of clients that can use a fixed allocation CGN resource allocation IP pool is limited by the number of IP addresses in the pool. Since this is not an overload IP pool, ports are not re-used.

You can define a fixed allocation IP pool by configuring the following:

  • External IP address range (start-ip and end-ip). Specifies the set of translation IP addresses available in the pool as a collection of IP prefixes with their prefix lengths. These are typically public-side addresses.
  • Internal or client IP address range (cgn-client-startip and cgn-client-endip). The range of internal addresses. This range must match or be a subset of the available source IP addresses.
  • Start port (cgn-port-start). The lowest port number in the port range. The default value is 5117.
  • End port (cgn-port-end). The highest possible port number in the port range. The default value is 65530
  • Port block size (cgn-block-size). When cgn-fixedallc is enabled, the cgn-block-size configuration is ignored because FortiOS calculates a block-size to find the maximum possible block size and gives one block to each client.
  • Enable or disable ARP reply (arp-reply) to reply to ARP requests for addresses in the external address range.
  • Optionally specify the interface (arp-intf) that replies to ARP requests.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool exceeds a threshold (utilization-alarm-raise). The range is 50 to 100 per cent.
  • Generate an SNMP trap when the usage of the resources defined by an IP pool falls below this threshold (utilization-alarm-clear). The range is 40 to 100 per cent.
  • You can enable nat64 to make this a NAT64 IP pool.