
Hyperscale Firewall Guide

Recommended NP7 traffic distribution for optimal CGNAT performance


On FortiGates with multiple NP7 processors, you can use the following command to configure how the internal switch fabric (ISF) distributes sessions to the NP7 processors.

config system npu
    set hash-config {src-dst-ip | 5-tuple | src-ip}
end

Changing the hash-config causes the FortiGate to restart.

Note

A configuration change that causes a FortiGate to restart can disrupt the operation of an FGCP cluster. If possible, you should make this configuration change to the individual FortiGates before setting up the cluster. If the cluster is already operating, you should temporarily remove the secondary FortiGate(s) from the cluster, change the configuration of the individual FortiGates and then re-form the cluster. You can remove FortiGate(s) from a cluster using the Remove Device from HA cluster button on the System > HA GUI page. For more information, see Disconnecting a FortiGate.

src-ip (the default): sessions are distributed by source IP address, so all sessions from a given source IP address are processed by the same NP7 processor. src-ip is the recommended setting for optimal CGNAT performance. The other hash-config settings can distribute sessions from a single source address across multiple NP7 processors, which can result in CGNAT sessions not being established or timing out when expected. As well, src-ip guarantees that all sessions from a given source IP address use the same public source IP address; the other hash-config settings do not. For more information, see NPU traffic distribution in the Carrier-Grade NAT Architecture Guide.

5-tuple: hash on the 5-tuple of source and destination IP address, IP protocol, and source and destination TCP/UDP port. This option is available on FortiGates whose number of NP7 processors is a power of two; currently 5-tuple is available on FortiGates with 2, 4, and 16 NP7 processors. Because the 5-tuple hash spreads one client's sessions across NP7 processors, using 5-tuple distribution can result in some CGNAT sessions not being established or timing out when expected, and sessions from a single client source IP address may be assigned different public source IP addresses.

src-dst-ip: hash on the 2-tuple of source and destination IP address. This option is available on FortiGates whose number of NP7 processors is not a power of two (for example, FortiGates with 3 or 6 NP7 processors). Because the source-destination hash spreads one client's sessions across NP7 processors, using src-dst-ip distribution can result in some CGNAT sessions not being established or timing out when expected, and sessions from a single client source IP address may be assigned different public source IP addresses.
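The following simulation is an added example written for this page, not Fortinet code, to make the difference between the three hash-config settings concrete: it hashes a constructed set of sessions from one CGNAT subscriber to several NP7 processors under src-ip, src-dst-ip and 5-tuple, and counts how many NP7s and how many public source addresses the subscriber ends up with. Two things are assumptions, because the page does not describe them: the ISF hash is modelled as blake2b over the selected header fields taken modulo the NP7 count, and each NP7 is modelled as owning its own pool of public addresses and mapping a subscriber to one address in that pool. The power-of-two restriction on 5-tuple is taken from the text above.

```python
"""Added example (not Fortinet code): how session hashing spreads one
subscriber's sessions across NP7 processors under each hash-config
setting, and why only src-ip keeps a subscriber on one NP7 and one
public address.

Assumptions (not described on this page): the ISF hash is modelled as
blake2b over the selected header fields modulo the NP7 count; each NP7
owns its own pool of public addresses and maps a subscriber to one
address in that pool.
"""
import hashlib
from collections import defaultdict

# A session is (src_ip, dst_ip, proto, src_port, dst_port).
Session = tuple


def _h(*fields) -> int:
    """Stable 64-bit hash of the chosen header fields (assumed, not the ISF hash)."""
    data = "|".join(map(str, fields)).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big")


def pick_np7(session: Session, mode: str, n_np7: int) -> int:
    """Return the NP7 index a session is sent to under the given hash-config."""
    src, dst, proto, sport, dport = session
    if mode == "src-ip":
        key = _h(src)                      # every session of one source -> same NP7
    elif mode == "src-dst-ip":
        key = _h(src, dst)                 # 2-tuple: one source spread by destination
    elif mode == "5-tuple":
        # The page states 5-tuple is only offered on power-of-two NP7 counts.
        if n_np7 < 2 or n_np7 & (n_np7 - 1):
            raise ValueError("5-tuple hash-config needs a power-of-two NP7 count")
        key = _h(src, dst, proto, sport, dport)
    else:
        raise ValueError(f"unknown hash-config {mode!r}")
    return key % n_np7


def public_pools(n_np7: int, per_np7: int = 8) -> dict:
    """Constructed per-NP7 CGNAT pools in 198.51.100.0/24 (documentation range)."""
    return {i: [f"198.51.100.{i * per_np7 + j}" for j in range(per_np7)]
            for i in range(n_np7)}


def cgnat_outcome(sessions, mode: str, n_np7: int) -> dict:
    """Per subscriber: the NP7s that handled it and the public IPs it was given."""
    pools = public_pools(n_np7)
    np7s, publics = defaultdict(set), defaultdict(set)
    for s in sessions:
        idx = pick_np7(s, mode, n_np7)
        pool = pools[idx]
        # Assumed model: each NP7 maps a subscriber to one address in its own pool,
        # so landing on two NP7s means two different public source addresses.
        publics[s[0]].add(pool[_h(s[0]) % len(pool)])
        np7s[s[0]].add(idx)
    return {src: {"np7s": np7s[src], "public_ips": publics[src]} for src in np7s}


def sample_sessions(client: str = "100.64.0.10", count: int = 64) -> list:
    """Constructed sample: one subscriber opening TCP sessions to 20 destinations."""
    return [(client, f"203.0.113.{1 + i % 20}", "tcp", 40000 + i, 443)
            for i in range(count)]


if __name__ == "__main__":
    sessions = sample_sessions()
    for mode, n in (("src-ip", 4), ("5-tuple", 4), ("src-dst-ip", 3)):
        out = cgnat_outcome(sessions, mode, n)["100.64.0.10"]
        print(f"{mode:10} on {n} NP7s: NP7s={sorted(out['np7s'])} "
              f"public IPs={len(out['public_ips'])}")
```

Under src-ip the subscriber always lands on a single NP7 and therefore a single public address, regardless of how many destinations or ports it uses. Under 5-tuple or src-dst-ip the same 64 sessions fan out across the NP7s, and in this model each NP7 hands the subscriber a different public address, which is the behaviour the text above warns about for CGNAT.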
