
Hyperscale Firewall Guide

Hyperscale and standard FortiOS CGNAT feature comparison

In many cases, standard FortiOS can provide many carrier grade NAT (CGNAT) features and, depending on the hardware platform, excellent CGNAT performance. Hyperscale FortiOS supports CGNAT with much higher connections-per-second performance, hardware session logging, and more CGNAT features, but does not support these features for UTM traffic. You can license a FortiGate for Hyperscale, use hyperscale firewall VDOMs for non-UTM traffic, and use normal VDOMs for UTM traffic.

Hyperscale FortiOS also supports a few more CGNAT features than standard FortiOS. The following table breaks down the CGNAT features supported by hyperscale FortiOS and standard FortiOS:

CGNAT feature: PBA with no overloading
  Hyperscale FortiOS: Yes. Port block allocation CGN IP pool.
  Standard FortiOS: No. FortiOS PBA re-uses addresses.

CGNAT feature: PBA with overloading
  • Dynamic IP consistency
  • Port block allocation
  • Port reuse within block
  • Deterministic NAT
  Hyperscale FortiOS: Yes. Overload with port-block-allocation CGN IP pool.
  Standard FortiOS: Yes. Port block allocation.

CGNAT feature: PBA with NAT64
  Hyperscale FortiOS: Yes. Overload with port-block-allocation CGN IP pool.
  Standard FortiOS: Yes. Port block allocation with NAT64.

CGNAT feature: Single port allocation (SPA)
  • Dynamic IP consistency
  • No port reuse
  • Deterministic NAT
  Hyperscale FortiOS: Yes. Single port allocation CGN IP pool.
  Standard FortiOS: No.

CGNAT feature: Single port allocation (SPA) with overload
  • Dynamic IP consistency
  • Port reuse within the entire port range
  • Deterministic NAT
  Hyperscale FortiOS: Yes. Overload with single port allocation CGN IP pool.
  Standard FortiOS: No.

CGNAT feature: PBA, fixed allocation
  • Static IP consistency
  • Static port block allocation
  • No port reuse
  • Deterministic NAT
  Hyperscale FortiOS: Yes. Fixed allocation CGN IP pool.
  Standard FortiOS: Yes. Fixed port range. See PBA, Fixed Allocation.

CGNAT feature: NAT64 configurable IPv6 source prefix
  Hyperscale FortiOS: Yes. Fixed allocation CGN IP pool. When you enable NAT64 in a fixed allocation IP pool, you can use cgn-client-ipv6shift to limit the matching of IPv6 client addresses.
  Standard FortiOS: Yes. Support for NAT64 in FPR IP pools.

CGNAT feature: Excluding multiple IPs
  The exclude-ip option is available for all IP pool configurations.
  Hyperscale FortiOS: Yes. See the description of the exclude-ip option in Port block allocation CGN IP pool.
  Standard FortiOS: Yes.

CGNAT feature: IP pool groups
  • Streamlines hyperscale firewall policy configuration.
  Hyperscale FortiOS: Yes. CGN resource allocation IP pool groups.
  Standard FortiOS: No.

CGNAT feature: Port starting number
  Hyperscale FortiOS: Default 5117. Can be changed using the Start port (cgn-port-start) option. The range is 1024 to 65535.
  Standard FortiOS: Default 5117. Can be changed; see Custom port ranges for PBA and FPR IP pools.

CGNAT feature: Bi-directional session TTL refresh timers
  Hyperscale FortiOS: Yes. You can control whether idle outgoing sessions, idle incoming sessions, or both are terminated when the TTL is reached. See Hyperscale firewall VDOM session timeouts.
  Standard FortiOS: No.

CGNAT feature: Endpoint Independent Mapping (EIM)
  Hyperscale FortiOS: Yes. You can enable or disable EIM in a hyperscale firewall policy. See CGN resource allocation hyperscale firewall policies.
  Standard FortiOS: Yes. EIM + overloading (Reuse) is always enabled.

CGNAT feature: Endpoint Independent Filtering (EIF), also known as full-cone NAT
  Hyperscale FortiOS: Yes. You can enable or disable EIF in a hyperscale firewall policy. See CGN resource allocation hyperscale firewall policies.
  Standard FortiOS: Partially.

CGNAT feature: Interim logs for PBA sessions
  Hyperscale FortiOS: Yes. Interim logging for CGN sessions.
  Standard FortiOS: Yes. Enhanced logging for NAT persistent sessions utilizing PBA.

CGNAT feature: Improved port selection randomness
  Hyperscale FortiOS: Yes. Enable port-random when creating a hyperscale firewall policy.
  Standard FortiOS: Yes. Enable port-random when creating a firewall policy. See Support for randomized port selection in IP pool mechanisms.
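The "Deterministic NAT" and "Static port block allocation" properties listed for the fixed-allocation PBA rows are what let an operator resolve an abuse report (an external IP and port seen at a given time) back to a subscriber from the pool configuration alone, without searching per-session NAT logs. The Python below is an added illustration of that property, not FortiOS code: it models a fixed-allocation pool using the table's default start port of 5117, a port block size, and an exclude-ip list, and the block layout rule (client i takes block i, filling each usable external IP in order) is an assumption of the example.

```python
import ipaddress

PORT_END = 65535  # upper end of the configurable port range in the table


def fixed_pba_plan(external_ips, client_subnet, block_size, port_start=5117, exclude_ips=()):
    """Describe a deterministic fixed-allocation pool.

    Layout (an assumption for this example, not the FortiOS internal algorithm):
    client number i owns block number i, filling each usable external IP's port
    blocks in order before moving on to the next IP. Excluded IPs are skipped,
    mirroring the exclude-ip option described in the table.
    """
    usable = [ip for ip in external_ips if ip not in set(exclude_ips)]
    if port_start < 1024 or block_size <= 0:
        raise ValueError("port start must be >= 1024 and block size positive")
    blocks_per_ip = (PORT_END - port_start + 1) // block_size
    hosts = list(ipaddress.ip_network(client_subnet).hosts())
    if len(hosts) > blocks_per_ip * len(usable):
        raise ValueError(f"{len(hosts)} clients exceed {blocks_per_ip * len(usable)} port blocks")
    return {"ips": usable, "first_client": int(hosts[0]), "clients": len(hosts),
            "block": block_size, "start": port_start, "per_ip": blocks_per_ip}


def allocate(plan, client_ip):
    """Forward mapping: the (external_ip, first_port, last_port) block a client owns."""
    i = int(ipaddress.ip_address(client_ip)) - plan["first_client"]
    if not 0 <= i < plan["clients"]:
        raise ValueError(f"{client_ip} is not in the client range")
    ext = plan["ips"][i // plan["per_ip"]]
    first = plan["start"] + (i % plan["per_ip"]) * plan["block"]
    return ext, first, first + plan["block"] - 1


def reverse(plan, external_ip, port):
    """Inverse mapping: which subscriber holds external_ip:port? None if unallocated.

    Because the allocation is static, the answer comes from the pool
    configuration alone; no per-session NAT log has to be searched.
    """
    if external_ip not in plan["ips"] or port < plan["start"]:
        return None
    block_idx = (port - plan["start"]) // plan["block"]
    if block_idx >= plan["per_ip"]:
        return None  # port lies in the unused remainder above the last full block
    i = plan["ips"].index(external_ip) * plan["per_ip"] + block_idx
    if i >= plan["clients"]:
        return None  # block exists but no client is assigned to it
    return str(ipaddress.ip_address(plan["first_client"] + i))
```

Constructed sample values (203.0.113.0/24 external pool, 100.64.0.0/25 clients, 512-port blocks) give 118 blocks per external IP, so a /24 of clients with one IP excluded would exceed capacity and the plan refuses to build rather than silently reusing ports.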