Fortinet white logo
Fortinet white logo

Hyperscale Firewall Guide

Fixed allocation CGN IP pool

Fixed allocation CGN IP pool

Also called deterministic NAT, a fixed allocation CGN resource allocation IP pool causes FortiOS to find the maximum possible block size, given the configured NAT resources and gives one block to each client.

The number of clients that can use a fixed allocation CGN resource allocation IP pool is limited by the number of IP addresses in the pool. Since this is not an overload IP pool, ports are not re-used.

On the GUI go to Policy & Objects > IP Pools > Create > IP Pool. Set IP Pool Type to IPv4 IP Pool, set Type to CGN Resource Allocation, and set Mode to Fixed-allocation. You can enable NAT64 to make this a NAT64 IP pool.

From the GUI

  1. Go to Policy & Objects > IP Pools.

  2. Select IP Pool (for IPv4 IP pools) or IPv6 IP Pool.

  3. Select Create New.

  4. Give the IP pool a Name.

  5. Set Type to CGN Resource Allocation.

  6. Set Mode to Fixed-Allocation.

  7. Configure the External IP Range to specify the set of translation IP addresses available in the pool as a collection of IP prefixes with their prefix lengths. These are typically public-side addresses.

  8. Configure the Internal IP Range to specify the range of internal or client IP addresses available in the pool. This range must match or be a subset of the available source IP addresses.

  9. Optionally Exclude IPs from the External IP Range. You can include multiple single IP addresses.

  10. Configure the Start port and End port to define the source port range for the IP pool.

  11. You can enable NAT64 to make this a NAT64 IP pool.

  12. Enable or disable ARP reply to reply to ARP requests for addresses in the external address range.

From the CLI

Use the following command to configure Fixed allocation CGN IP pools from the CLI:

config firewall ippool

edit <name>

set type cgn-resource-allocation

set startip <ip>

set endip <ip>

set arp-reply {disable | enable}

set arp-intf <interface-name>

set associated-interface <interface-name>

set cgn-spa disable

set cgn-overload disable

set cgn-fixedalloc enable

set cgn-client-ipv6shift <shift>

set cgn-client-startip <ip>

set cgn-client-endip <ip>

set cgn-port-start <port>

set cgn-port-end <port>

set utilization-alarm-raise <usage-threshold>

set utilization-alarm-clear <usage-threshold>

set nat64 {disable | enable}

set exclude-ip <ip>, <ip>, <ip> ...

end

You can define a fixed allocation IP pool by configuring the following:

  • External IP range (start-ip and end-ip). Specifies the set of translation IP addresses available in the pool as a collection of IP prefixes with their prefix lengths. These are typically public-side addresses.
  • Internal IP range (cgn-client-startip and cgn-client-endip). The range of internal or client IP addresses. This range must match or be a subset of the available source IP addresses.
  • Exclude IPs (exclude-ip). Specify external IP addresses that the CGN IP pool will not allocate. This is a security feature that allows you to exclude one or more IP addresses from being allocated if the IP pool could assign addresses that have been targeted by external attackers. You can only add single IP addresses. You cannot add IP address ranges. From the CLI you can use the ? to see how many IP addresses you can add. The limit depends on the FortiGate model.
  • Start port (cgn-port-start). The lowest port number in the port range. The default value is 5117.
  • End port (cgn-port-end). The highest possible port number in the port range. The default value is 65530
  • NAT64 (nat64). Enable to make this a NAT64 IP pool.

  • ARP reply (arp-reply). Enable to reply to ARP requests for addresses in the external address range.

CLI-only options:

  • Optionally specify the interface (arp-intf) that replies to ARP requests.
  • Optionally specify the interface associated with this IP pool (associated-interface).

  • For NAT64 IP pools, you can use the cgn-client-ipv6shift option to limit the matching of IPv6 client addresses. By default, in an IP pool, IPv6 addresses are matched based on all 128 bits of the address. You can use this option if you want client IPv6 IP addresses to be matched on fewer bits in the IP address. For example, if you want IPv6 addresses to match based on the lower 32 bits of the IPv6 address to match, you can set cgn-client-ipv6shift to 32.

  • Generate an SNMP trap when the usage of the resources defined by an IP pool exceeds a threshold (utilization-alarm-raise). The range is 50 to 100 per cent.

  • Generate an SNMP trap when the usage of the resources defined by an IP pool falls below a threshold (utilization-alarm-clear). The range is 40 to 100 per cent.

Fixed allocation CGN IP pool

Fixed allocation CGN IP pool

Also called deterministic NAT, a fixed allocation CGN resource allocation IP pool causes FortiOS to find the maximum possible block size, given the configured NAT resources and gives one block to each client.

The number of clients that can use a fixed allocation CGN resource allocation IP pool is limited by the number of IP addresses in the pool. Since this is not an overload IP pool, ports are not re-used.

On the GUI go to Policy & Objects > IP Pools > Create > IP Pool. Set IP Pool Type to IPv4 IP Pool, set Type to CGN Resource Allocation, and set Mode to Fixed-allocation. You can enable NAT64 to make this a NAT64 IP pool.

From the GUI

  1. Go to Policy & Objects > IP Pools.

  2. Select IP Pool (for IPv4 IP pools) or IPv6 IP Pool.

  3. Select Create New.

  4. Give the IP pool a Name.

  5. Set Type to CGN Resource Allocation.

  6. Set Mode to Fixed-Allocation.

  7. Configure the External IP Range to specify the set of translation IP addresses available in the pool as a collection of IP prefixes with their prefix lengths. These are typically public-side addresses.

  8. Configure the Internal IP Range to specify the range of internal or client IP addresses available in the pool. This range must match or be a subset of the available source IP addresses.

  9. Optionally Exclude IPs from the External IP Range. You can include multiple single IP addresses.

  10. Configure the Start port and End port to define the source port range for the IP pool.

  11. You can enable NAT64 to make this a NAT64 IP pool.

  12. Enable or disable ARP reply to reply to ARP requests for addresses in the external address range.

From the CLI

Use the following command to configure Fixed allocation CGN IP pools from the CLI:

config firewall ippool

edit <name>

set type cgn-resource-allocation

set startip <ip>

set endip <ip>

set arp-reply {disable | enable}

set arp-intf <interface-name>

set associated-interface <interface-name>

set cgn-spa disable

set cgn-overload disable

set cgn-fixedalloc enable

set cgn-client-ipv6shift <shift>

set cgn-client-startip <ip>

set cgn-client-endip <ip>

set cgn-port-start <port>

set cgn-port-end <port>

set utilization-alarm-raise <usage-threshold>

set utilization-alarm-clear <usage-threshold>

set nat64 {disable | enable}

set exclude-ip <ip>, <ip>, <ip> ...

end

You can define a fixed allocation IP pool by configuring the following:

  • External IP range (start-ip and end-ip). Specifies the set of translation IP addresses available in the pool as a collection of IP prefixes with their prefix lengths. These are typically public-side addresses.
  • Internal IP range (cgn-client-startip and cgn-client-endip). The range of internal or client IP addresses. This range must match or be a subset of the available source IP addresses.
  • Exclude IPs (exclude-ip). Specify external IP addresses that the CGN IP pool will not allocate. This is a security feature that allows you to exclude one or more IP addresses from being allocated if the IP pool could assign addresses that have been targeted by external attackers. You can only add single IP addresses. You cannot add IP address ranges. From the CLI you can use the ? to see how many IP addresses you can add. The limit depends on the FortiGate model.
  • Start port (cgn-port-start). The lowest port number in the port range. The default value is 5117.
  • End port (cgn-port-end). The highest possible port number in the port range. The default value is 65530
  • NAT64 (nat64). Enable to make this a NAT64 IP pool.

  • ARP reply (arp-reply). Enable to reply to ARP requests for addresses in the external address range.

CLI-only options:

  • Optionally specify the interface (arp-intf) that replies to ARP requests.
  • Optionally specify the interface associated with this IP pool (associated-interface).

  • For NAT64 IP pools, you can use the cgn-client-ipv6shift option to limit the matching of IPv6 client addresses. By default, in an IP pool, IPv6 addresses are matched based on all 128 bits of the address. You can use this option if you want client IPv6 IP addresses to be matched on fewer bits in the IP address. For example, if you want IPv6 addresses to match based on the lower 32 bits of the IPv6 address to match, you can set cgn-client-ipv6shift to 32.

  • Generate an SNMP trap when the usage of the resources defined by an IP pool exceeds a threshold (utilization-alarm-raise). The range is 50 to 100 per cent.

  • Generate an SNMP trap when the usage of the resources defined by an IP pool falls below a threshold (utilization-alarm-clear). The range is 40 to 100 per cent.