
Hyperscale Firewall Guide

Overload with port-block-allocation CGN IP pool

Overload with port block allocation (PBA) reduces CGNAT logging overhead by writing a log entry only when a client first establishes a connection and is assigned a port block, rather than one entry for every client connection. Overload additionally lets FortiOS re-use ports within a block, so more connections can be carried before the pool runs out of ports.

When all of the client sessions have ended, FortiOS releases the port block and writes another log message. You can also configure logging to only write a log message when the port block is released. See Configuring hardware logging.

In general, because each customer environment is different, different configurations may be required to achieve optimal performance.

PBA allocates a contiguous set of source translation endpoints called port blocks. Each port block is bound to one client and consists of a single external IP address plus a contiguous range of ports. Port blocks are allocated on demand and have a fixed size.

Choose these settings carefully so that clients with different numbers of simultaneous connections are served adequately without wasting the pool. Careful analysis and testing are required to find the right values for the traffic on your network.

From the GUI

  1. Go to Policy & Objects > IP Pools.

  2. Select IP Pool.

  3. Select Create New.

  4. Give the IP pool a Name.

    Type is set to CGN Resource Allocation and can't be changed.

  5. Set Mode to Overload (Port Block Allocation).

  6. Configure the External IP Range to specify the set of translation IP addresses available to the pool, entered as a start address and an end address. These are typically public-side addresses.

  7. You can enable NAT64 to make this a NAT64 IP pool.

  8. Optionally Exclude IPs from the External IP Range. You can include multiple single IP addresses.

  9. Configure the Start port and End port to define the source port range for the IP pool.

  10. Configure the Block Size to set the number of ports allocated in a block.

  11. Enable or disable ARP reply to reply to ARP requests for addresses in the external address range.

From the CLI

Use the following command to configure Overload PBA CGN IP pools from the CLI:

config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set startip <ip>
        set endip <ip>
        set arp-reply {disable | enable}
        set arp-intf <interface-name>
        set associated-interface <interface-name>
        set cgn-spa disable
        set cgn-overload enable
        set cgn-client-ipv6shift <shift>
        set cgn-block-size <number-of-ports>
        set cgn-port-start <port>
        set cgn-port-end <port>
        set utilization-alarm-raise <usage-threshold>
        set utilization-alarm-clear <usage-threshold>
        set nat64 {disable | enable}
        set exclude-ip <ip>, <ip>, <ip> ...
end

You can define an overload port-block allocation IP pool by configuring the following:

  • External IP range (startip and endip). The set of translation IP addresses available to the pool, given as a start address and an end address. These are typically public-side addresses.
  • NAT64 (nat64). Enable to make this a NAT64 IP pool.

  • Exclude IPs (exclude-ip). External IP addresses that the CGN IP pool must never allocate. This is a security control: if the pool contains addresses that are being targeted by external attackers, exclude them so that no client is mapped to them. Only single IP addresses are accepted, not ranges. From the CLI, enter ? to see how many addresses you can add; the limit depends on the FortiGate model.
  • Start port (cgn-port-start). The lowest port number in the port range. The range is 1024 to 65535. The default value is 5117.
  • End port (cgn-port-end). The highest port number in the port range. The default value is 65530.
  • Block size (cgn-block-size). The number of ports allocated in a block. The block size can be from 64 to 4096 in increments of 64 (for example, 64, 128, 192, ..., 4096). The default value is 128. Use a smaller block size to conserve available ports when clients open few connections; use a larger one when clients need many simultaneous connections.
  • ARP reply (arp-reply). Enable to reply to ARP requests for addresses in the external address range.

CLI-only options:

  • Optionally specify the interface (arp-intf) that replies to ARP requests.
  • Optionally specify the interface associated with this IP pool (associated-interface).

  • Generate an SNMP trap when the usage of the resources defined by an IP pool exceeds a threshold (utilization-alarm-raise). The range is 50 to 100 percent.

  • Generate an SNMP trap when the usage of the resources defined by an IP pool falls below a threshold (utilization-alarm-clear). The range is 40 to 100 percent. Set the clear threshold below the raise threshold so that the alarm does not flap when usage hovers around one value.

  • When NAT64 is enabled, the option add-nat-64-route appears. This option is ignored by hyperscale firewall policies.

  • When NAT64 is enabled, the option subnet-broadcast-in-ippool appears. It is enabled by default. If you disable it, the subnetwork address and broadcast address are removed from the NAT64 IP pool, which some applications require. Once set to disable, this option can't be re-enabled.
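The following is an added example, not Fortinet code and not part of this guide. It checks a planned Overload PBA pool against the value ranges documented above (cgn-port-start 1024 to 65535, default 5117; cgn-port-end default 65530; cgn-block-size 64 to 4096 in steps of 64, default 128), counts how many port blocks the pool can hand out, and renders the matching CLI. The capacity arithmetic assumes that ports are allocated only in whole blocks and that each client holds at least one block; that is standard PBA arithmetic, not a statement about FortiOS internals. The addresses are constructed from the RFC 5737 documentation range, and the `next` keyword in the rendered CLI is the usual FortiOS table-entry terminator, which the syntax summary above omits.

```python
"""Size and sanity-check an Overload PBA CGN IP pool before committing it.

Added example for this page; it is not FortiOS code and does not talk to a
FortiGate. Value ranges come from the page. Capacity arithmetic assumes
whole-block allocation and at least one block per client (assumption).
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class CgnPbaPool:
    name: str
    startip: str
    endip: str
    cgn_port_start: int = 5117      # page default
    cgn_port_end: int = 65530       # page default
    cgn_block_size: int = 128       # page default
    exclude_ip: list = field(default_factory=list)
    arp_reply: bool = True

    def _range(self):
        return (int(ipaddress.IPv4Address(self.startip)),
                int(ipaddress.IPv4Address(self.endip)))

    def validate(self) -> list:
        """Return a list of problems; an empty list means the pool is acceptable."""
        errors = []
        lo, hi = self._range()
        if lo > hi:
            errors.append("startip must not be above endip")
        if not 1024 <= self.cgn_port_start <= 65535:
            errors.append("cgn-port-start must be 1024-65535")
        if not self.cgn_port_start <= self.cgn_port_end <= 65535:
            errors.append("cgn-port-end must be >= cgn-port-start and <= 65535")
        if not (64 <= self.cgn_block_size <= 4096 and self.cgn_block_size % 64 == 0):
            errors.append("cgn-block-size must be 64-4096 in steps of 64")
        elif self.blocks_per_ip() == 0:
            errors.append("port range is smaller than one block")
        for ip in self.exclude_ip:
            if not lo <= int(ipaddress.IPv4Address(ip)) <= hi:
                errors.append(f"exclude-ip {ip} is outside the external range")
        return errors

    def external_ips(self) -> int:
        """Usable translation addresses: the range minus in-range exclusions."""
        lo, hi = self._range()
        excluded = {int(ipaddress.IPv4Address(ip)) for ip in self.exclude_ip}
        return (hi - lo + 1) - sum(1 for x in excluded if lo <= x <= hi)

    def blocks_per_ip(self) -> int:
        """Whole blocks per address; a trailing partial block is treated as unusable (assumption)."""
        return (self.cgn_port_end - self.cgn_port_start + 1) // self.cgn_block_size

    def total_blocks(self) -> int:
        """Upper bound on clients that can each hold one block at the same time."""
        return self.external_ips() * self.blocks_per_ip()

    def render_cli(self) -> str:
        """Emit the pool as FortiOS CLI using the settings listed on this page."""
        lines = [
            "config firewall ippool",
            f"    edit {self.name}",
            "        set type cgn-resource-allocation",
            f"        set startip {self.startip}",
            f"        set endip {self.endip}",
            f"        set arp-reply {'enable' if self.arp_reply else 'disable'}",
            "        set cgn-spa disable",
            "        set cgn-overload enable",
            f"        set cgn-block-size {self.cgn_block_size}",
            f"        set cgn-port-start {self.cgn_port_start}",
            f"        set cgn-port-end {self.cgn_port_end}",
        ]
        if self.exclude_ip:
            # Separator follows the syntax summary on this page.
            lines.append("        set exclude-ip " + ", ".join(self.exclude_ip))
        lines += ["    next", "end"]
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample on the RFC 5737 documentation range; 203.0.113.7 is
    # excluded as an address assumed to be under attack.
    pool = CgnPbaPool("cgn-pba-pool", "203.0.113.0", "203.0.113.255",
                      exclude_ip=["203.0.113.7"])
    print(pool.validate() or "ok")
    print(pool.external_ips(), "addresses x", pool.blocks_per_ip(),
          "blocks/address =", pool.total_blocks(), "blocks")
    print(pool.render_cli())
```

With the page defaults, each address yields 60414 ports, or 471 whole blocks of 128; dropping the block size to 64 roughly doubles the number of subscribers one address can serve, at the cost of fewer ports per subscriber before overload re-use has to kick in.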