Hyperscale and standard FortiOS CGNAT feature comparison
In many cases, standard FortiOS can provide many carrier grade NAT (CGNAT) features and, depending on the hardware platform, excellent CGNAT performance. Hyperscale FortiOS supports CGNAT with much higher connections-per-second performance, hardware session logging, and more CGNAT features, but does not support these features for UTM traffic. You can license a FortiGate for Hyperscale, then use hyperscale firewall VDOMs for non-UTM traffic and normal VDOMs for UTM traffic.
Hyperscale FortiOS also supports a few more CGNAT features than standard FortiOS. The following table breaks down the CGNAT features supported by hyperscale FortiOS and standard FortiOS:
CGNAT Feature | Hyperscale FortiOS | Standard FortiOS |
---|---|---|
PBA with no overloading | Yes | No. FortiOS PBA re-uses addresses. |
PBA with overloading | Yes | Yes |
PBA with NAT64 | Yes | Yes |
Single port allocation (SPA) | Yes | No |
Single port allocation (SPA) with overload | Yes | No |
PBA, fixed allocation | Yes | Yes |
Excluding multiple IPs The | Yes See the description of the | Yes |
IP pool groups | Yes | No |
Port starting number | Default 5117. Can be changed using the Start port ( | 5117 |
Bi-directional session TTL refresh timers | Yes. You can control whether idle outgoing or incoming or both outgoing and incoming sessions are terminated when the TTL is reached. See Hyperscale firewall VDOM session timeouts. | No |
Endpoint Independent Mapping (EIM) | Yes. You can enable or disable EIM in a hyperscale firewall policy CGN resource allocation hyperscale firewall policies. | Yes. EIM + overloading (Reuse) is always enabled. |
Endpoint Independent Filtering (EIF) | Yes. You can enable or disable EIF in a hyperscale firewall policy CGN resource allocation hyperscale firewall policies. | Partially |
Interim logs for PBA sessions | No | Yes, see Enhanced logging for NAT persistent sessions utilizing PBA. |