Hyperscale Firewall Guide

CGN resource allocation hyperscale firewall policies

You can use hyperscale firewall policies to add CGN options to IPv4 or NAT64 firewall policies.

Note

The number of firewall policies that can be added to a hyperscale firewall VDOM is limited to 15,000. For more information, see About the 15,000 policy per hyperscale VDOM limit.

From the GUI

Use the following steps to add CGNAT firewall policies to a hyperscale firewall VDOM from the GUI:

  1. Go to Policy & Objects > Firewall Policy > Create New.
  2. Configure incoming and outgoing interfaces and the source and destination addresses and other standard firewall options as required.
  3. If you are configuring an IPv4, IPv6, NAT64, or NAT46 hyperscale firewall policy you can also configure the following CGN resource allocation options:
  • IP Pool Configuration select one or more CGN resource allocation IP pools or CGN resource allocation IP pool groups. All of the IP pools or IP pool groups must have the same mode and their source IP addresses must not overlap.
  • CGN Session Quota to limit the concurrent sessions available for a source IP address.
  • CGN Resource Quota to limit the number of port blocks assigned to a source IP address.
  • Enable or disable Endpoint Independent Filtering.
  • Enable or disable Endpoint Independent Mapping.

  4. Optionally enable hardware logging by selecting Log Hyperscale SPU Offload Traffic and selecting a Log Server Group.

From the CLI

    Use the following options to add an IPv4 CGN resource allocation hyperscale firewall policy to a hyperscale firewall VDOM:

    config firewall policy
        edit <id>
            set action accept
            set srcaddr <address>
            set dstaddr <address>
            set nat enable
            set ippool enable
            set poolname {<cgn-ippool> | <cgn-ippool-group>}...
            set cgn-session-quota <quota>
            set cgn-resource-quota <quota>
            set cgn-eif {enable | disable}
            set cgn-eim {enable | disable}
            set cgn-log-server-grp <group-name>
    end

    Use the following options to add a NAT64 CGN resource allocation hyperscale firewall policy to a hyperscale firewall VDOM:

    config firewall policy
        edit <id>
            set action accept
            set srcaddr <address>
            set dstaddr <address>
            set nat64 enable
            set ippool enable
            set poolname {<cgn-ippool> | <cgn-ippool-group>}...
            set cgn-session-quota <quota>
            set cgn-resource-quota <quota>
            set cgn-eif {enable | disable}
            set cgn-sw-eif-ctrl {enable | disable}
            set cgn-eim {enable | disable}
            set cgn-log-server-grp <group-name>
    end

    You can define a CGN resource allocation hyperscale firewall policy by configuring the following:

    IP Pool Configuration (poolname) select one or more CGN IP pools or IP pool groups to apply CGN resource allocation IP pools to the firewall policy. To add IP pools, NAT (nat) or NAT64 (nat64) must be enabled and, from the CLI, ippool must also be enabled; the addresses in the IP pools must overlap with the Destination Address (dstaddr).

    CGN session quota (cgn-session-quota) limit the number of concurrent sessions available for a client IP address (effectively the number of sessions per user). The range is 0 to 16777215 (the default). The default setting effectively means there is no quota.

    CGN resource quota (cgn-resource-quota) set a quota for the number of port blocks available for a client IP address (effectively the number of port blocks per client IP address). Only applies if the firewall policy includes CGN IP pools with port block sizes. The range is 1 to 16 and the default is 16.

    Note

    You can also set global session quotas for:

    Endpoint independent filtering (cgn-eif) enable or disable Endpoint Independent Filtering (EIF). Disabled by default. When EIF is enabled and a server other than the one in an existing session attempts to connect to the public IP and port used by that session, the NP7 creates a new session that reuses the existing mapping.

    Note

    EIF sessions can only be created until the destination NAT engine DSE timer expires. You can use the dse-timeout option of the config system npu command to set the DSE timer. The default DSE timeout is 10 seconds. See dse-timeout <seconds>.

    If your FortiGate has multiple NP7 processors, depending on whether or not you are enabling EIF in hyperscale firewall policies, you may want to use the nss-threads-option of the config system npu command to optimize performance, see nss-threads-option {4T-EIF | 4T-NOEIF | 2T}.

    When EIF is not enabled, a server attempting to connect to the public IP and port will fail.

    Example EIF scenario: Client-A has an existing session, {A.a, B.b, S.s}. When another server S1.s1 attempts to connect to the public address and port B.b and EIF is enabled, the NP7 creates a new session {A.a, B.b, S1.s1}. When EIF is disabled, the new session is dropped unless an incoming firewall policy accepts it.

    Enabling cgn-eif is recommended by RFC 4787 for client applications that require this behavior. For more information, see Endpoint Independent Filtering in the Carrier-Grade NAT Architecture Guide.

    cgn-sw-eif-ctrl enable or disable software EIF control. This option is only available if cgn-eif is set to enable. Software EIF control uses a session table created and maintained in software by the CPU. To create this session table you need to enable host logging (see Global hardware logging settings). With host logging enabled, NP7 processors send session information to the CPU, which maintains a session table for NP7 sessions in software. You do not need to enable logging in the same firewall policy. Enabling host logging can reduce overall FortiGate performance because the FortiGate CPUs handle hardware logging instead of offloading logging to the NP7 processors.

    • When disabled (the default) the DSE timer is never refreshed after the initial outgoing session is received, which means EIF incoming sessions can only be accepted until the DSE timer expires.

    • When enabled, the DSE timer does not expire until all SNAT EIF sessions related to the initial session have timed out. Once this happens, EIF expires when the DSE timeout is reached. Some applications may need cgn-sw-eif-ctrl to be enabled to work as expected.

    Endpoint independent mapping (cgn-eim) enable or disable Endpoint Independent Mapping (EIM). If a client uses an existing source port to connect to a different server, the NP7 reuses the existing mapping to create the new session. This makes some applications work better through NAT devices, and it is also more efficient. A new resource allocation counts towards the resource quota; if EIM is triggered, the new session does not cause a new resource allocation and counts only towards the session quota. For more information, see Endpoint Independent Mapping in the Carrier-Grade NAT Architecture Guide.

    For example, Client-A has an existing session, represented as {A.a, B.b, S.s}, where A.a is the client IP and port, B.b is the mapped IP and port, and S.s is the server IP and port. When EIM is enabled, if the client uses A.a to connect to another server S1.s1, the NP7 reuses the public IP and port B.b to create a session that can be represented as {A.a, B.b, S1.s1}.
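The following Python model is an added illustration, not FortiOS or NP7 code, of how the options described above (the session and resource quotas, EIF with the DSE timer, cgn-sw-eif-ctrl, and EIM) interact on one mapping. It makes the trade-off visible: with EIF enabled, any server may open a session to B.b while the DSE timer is open, and without cgn-sw-eif-ctrl that window is never refreshed. The single-address pool 203.0.113.10, the 8-port block size, the client and server addresses and the timestamps are constructed assumptions; a real pool's block size and the NP7 timer behaviour are set as described on this page, not by this code.

```python
# Toy model of this page's per-policy CGN options (cgn-session-quota, cgn-resource-quota,
# cgn-eim, cgn-eif, cgn-sw-eif-ctrl and the DSE timer). Illustration only, not FortiOS/NP7 code.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # assumed: single-address CGN IP pool (the B in B.b)
PORT_BLOCK_SIZE = 8         # assumed: port-block size of that pool
FIRST_PORT = 1024           # assumed: first public port handed out


@dataclass
class Mapping:              # one SNAT mapping A.a -> B.b and the sessions sharing it
    client: tuple
    public: tuple
    dse_expires_at: float
    sessions: set = field(default_factory=set)   # {(A.a, B.b, S.s), ...}


class CgnPolicy:
    def __init__(self, cgn_session_quota=16777215, cgn_resource_quota=16, cgn_eif=False,
                 cgn_sw_eif_ctrl=False, cgn_eim=False, dse_timeout=10.0):
        self.session_quota, self.resource_quota = cgn_session_quota, cgn_resource_quota
        self.eif, self.sw_eif_ctrl, self.eim = cgn_eif, cgn_sw_eif_ctrl, cgn_eim
        self.dse_timeout, self.next_block = dse_timeout, FIRST_PORT
        self.blocks, self.free_ports = {}, {}   # client IP -> block count / free ports
        self.mappings, self.by_client = {}, {}  # B.b -> Mapping / A.a -> Mapping (EIM)

    def _sessions_for(self, ip):
        return sum(len(m.sessions) for m in self.mappings.values() if m.client[0] == ip)

    def _alloc_port(self, ip):
        """Take a free public port, allocating a new block only within cgn-resource-quota."""
        free = self.free_ports.setdefault(ip, [])
        if not free:
            if self.blocks.get(ip, 0) >= self.resource_quota:
                return None
            self.blocks[ip] = self.blocks.get(ip, 0) + 1
            free.extend(range(self.next_block, self.next_block + PORT_BLOCK_SIZE))
            self.next_block += PORT_BLOCK_SIZE
        return free.pop(0)

    def outbound(self, client, server, now):
        """Client A.a opens a session to server S.s; returns the verdict."""
        if self._sessions_for(client[0]) >= self.session_quota:
            return "drop: cgn-session-quota"
        m = self.by_client.get(client) if self.eim else None  # EIM: reuse existing B.b
        if m is None:
            port = self._alloc_port(client[0])
            if port is None:
                return "drop: cgn-resource-quota"
            m = Mapping(client, (PUBLIC_IP, port), now + self.dse_timeout)
            self.mappings[m.public] = self.by_client[client] = m
        m.sessions.add((client, m.public, server))
        return f"accept {client}->{m.public}->{server}"

    def inbound(self, server, public, now):
        """Server S1.s1 sends to public B.b; returns the verdict."""
        m = self.mappings.get(public)
        if m is None:
            return "drop: no mapping"
        if (m.client, public, server) in m.sessions:
            return "accept: existing session"
        if not self.eif:
            return "drop: EIF disabled (needs an incoming firewall policy)"
        # Default: the DSE timer is never refreshed. sw-eif-ctrl: stays open while related sessions live.
        if not (now <= m.dse_expires_at or (self.sw_eif_ctrl and m.sessions)):
            return "drop: DSE timer expired"
        if self._sessions_for(m.client[0]) >= self.session_quota:
            return "drop: cgn-session-quota"   # EIF sessions count toward the session quota
        m.sessions.add((m.client, public, server))
        return f"accept EIF {server}->{public}->{m.client}"

    def session_end(self, client, public, server, now):
        """A session times out; with sw-eif-ctrl the last related one restarts the DSE timer."""
        m = self.mappings[public]
        m.sessions.discard((client, public, server))
        if self.sw_eif_ctrl and not m.sessions:
            m.dse_expires_at = now + self.dse_timeout


def demo():
    """Constructed scenarios in the page's {A.a, B.b, S.s} notation; returns verdicts."""
    A, B = ("10.0.0.5", 40000), (PUBLIC_IP, FIRST_PORT)       # client A.a, first mapping B.b
    S, S1, S2, S3 = [("198.51.100.%d" % i, 443) for i in range(1, 5)]
    out = {}
    p = CgnPolicy(); p.outbound(A, S, 0.0)                    # EIF disabled
    out["no_eif"] = p.inbound(S1, B, 1.0)
    p = CgnPolicy(cgn_eif=True); p.outbound(A, S, 0.0)        # EIF on, DSE never refreshed
    out["eif_in_window"], out["eif_after_dse"] = p.inbound(S1, B, 5.0), p.inbound(S2, B, 30.0)
    p = CgnPolicy(cgn_eif=True, cgn_sw_eif_ctrl=True); p.outbound(A, S, 0.0)
    out["sw_eif_live"] = p.inbound(S1, B, 30.0)               # initial session still alive
    p.session_end(A, B, S, 30.0); p.session_end(A, B, S1, 40.0)  # last one ends: DSE runs to 50
    out["sw_eif_restarted"] = p.inbound(S2, B, 45.0)
    p.session_end(A, B, S2, 46.0)                             # DSE now runs to 56
    out["sw_eif_expired"] = p.inbound(S3, B, 60.0)
    p = CgnPolicy(cgn_eim=True); p.outbound(A, S, 0.0); p.outbound(A, S1, 0.0)
    out["eim_ports_free"] = len(p.free_ports[A[0]])           # 7 of 8: B.b reused for S1
    p = CgnPolicy(); p.outbound(A, S, 0.0); p.outbound(A, S1, 0.0)
    out["no_eim_ports_free"] = len(p.free_ports[A[0]])        # 6 of 8: a second port consumed
    p = CgnPolicy(cgn_session_quota=2)
    out["session_quota"] = [p.outbound((A[0], 40000 + i), S, 0.0) for i in range(3)][-1]
    p = CgnPolicy(cgn_resource_quota=1)                       # one block of 8 ports per client
    out["resource_quota"] = [p.outbound((A[0], 40000 + i), S, 0.0)
                             for i in range(PORT_BLOCK_SIZE + 1)][-1]
    return out
```

Running demo() walks the scenarios in order: an unsolicited inbound to B.b is dropped with EIF off, accepted inside the 10-second DSE window with EIF on and dropped after it, kept open under cgn-sw-eif-ctrl for as long as a related session lives and for one more DSE timeout after the last one ends, and EIM lets a second server reuse B.b without consuming a second port. Rather than time-based session ageing, the model expects the caller to report session ends explicitly, which keeps the DSE behaviour easy to follow.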

    Note
    About hairpinning

    You can use EIF to support hairpinning. A hairpinning configuration allows a client to communicate with a server that is on the same network as the client, but the communication takes place through the FortiGate because the client only knows the external address of the server.

    To set up a hyperscale firewall hairpinning configuration, you need to enable EIF in the firewall policy. As well, the IP pool added to the policy should include addresses that overlap with the firewall policy destination address. In many cases you can do this by setting the firewall policy destination address to all.

    If the policy uses a specific address or address range for the destination address, then this destination address and the IP pool address range should have some overlap.

    Log Server Group (cgn-log-server-grp) the name of the hardware logging server group to be used for hardware logging for traffic processed by this firewall policy. See Hardware logging.
