How the NP7 hash-config affects CGNAT
On FortiGates with multiple NP7 processors, you can use the following command to configure how the internal switch fabric (ISF) distributes sessions to the NP7 processors.
config system global
config system npu
    set hash-config {5-tuple | src-ip}
end
Changing the hash-config causes the FortiGate to restart.
5-tuple (the default): sessions are distributed by a hash computed for each session from its source and destination IP address, IP protocol, and source and destination TCP/UDP port.
src-ip: sessions are distributed by source IP address. All sessions from a given source IP address are processed by the same NP7 processor.
In most cases 5-tuple distribution provides the best performance. However, CGNAT resource quotas are distributed differently depending on the hash-config.
For example, you could use the following command to configure an IPv4 CGN resource allocation hyperscale firewall policy:
config firewall policy
    edit <id>
        set action accept
        set dstaddr <address>
        set nat enable
        set ippool enable
        set poolname {<cgn-ippool> | <cgn-ippool-group>}...
        set cgn-session-quota <quota>
        set cgn-resource-quota <quota>
        set cgn-eif {enable | disable}
        set cgn-eim {enable | disable}
        set cgn-log-server-grp <group-name>
end
The cgn-resource-quota option sets a quota for the number of port blocks available to a client IP address (effectively the number of port blocks per client IP address). When hash-config is set to src-ip, each NP7 processor has the same cgn-resource-quota, and the quota is applied to all traffic from a given source address.
When hash-config is set to 5-tuple, the port blocks in the resource quota are divided evenly among the NP7 processors, so only a portion of the resource quota is available on each NP7 processor. To make sure each NP7 has access to the intended number of port blocks, adjust the cgn-session-quota to limit the number of sessions available to each client IP address: multiply the intended resource quota by the number of NP7 processors in the FortiGate to find the value to set as the session quota.
For example, the FortiGate-4200F has four NP7 processors. If you want each client IP address to have a resource quota of 2 port blocks, set cgn-session-quota using the following calculation:
<number of NP7 processors> x <intended cgn-resource-quota> = <cgn-session-quota>
For the FortiGate-4200F the calculation would be:
4 x 2 = 8
For a FortiGate-4200F to impose a resource quota of 2 port blocks, set cgn-session-quota to 8.
The FortiGate-4400F has six NP7 processors. If you want each client IP address to have a resource quota of 3 port blocks, set cgn-session-quota using the following calculation:
6 x 3 = 18
For a FortiGate-4400F to impose a resource quota of 3 port blocks, set cgn-session-quota to 18.
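As an added example (not Fortinet's code and not from the page), the following Python check parses a FortiOS-style configuration excerpt and flags hyperscale CGN policies whose cgn-session-quota does not follow the rule above for the configured hash-config. The sample configuration, policy ID and pool name are constructed; the NP7 count is supplied by the caller.

```python
import re

# Constructed FortiOS-style excerpt (not from the page): NP7 hash-config plus one
# hyperscale CGN policy whose session quota was NOT scaled for 5-tuple hashing.
SAMPLE_CONFIG = """
config system npu
    set hash-config 5-tuple
end
config firewall policy
    edit 7
        set action accept
        set nat enable
        set ippool enable
        set poolname "cgn-pool-1"
        set cgn-session-quota 2
        set cgn-resource-quota 2
    next
end
"""

def parse_hash_config(text):
    """Return the configured hash-config; 5-tuple is the documented default."""
    m = re.search(r"^\s*set hash-config\s+(\S+)", text, re.M)
    return m.group(1) if m else "5-tuple"

def parse_cgn_policies(text):
    """Map policy id -> {'cgn-session-quota': n, 'cgn-resource-quota': n} for policies setting either quota."""
    policies = {}
    for block in re.finditer(r"^\s*edit (\d+)\n(.*?)^\s*(?:next|end)\b", text, re.M | re.S):
        pid, body = int(block.group(1)), block.group(2)
        quotas = {k: int(v) for k, v in re.findall(r"set (cgn-(?:session|resource)-quota) (\d+)", body)}
        if quotas:
            policies[pid] = quotas
    return policies

def expected_session_quota(hash_config, np7_count, resource_quota):
    # src-ip: every NP7 applies the full resource quota, so no scaling is needed.
    # 5-tuple: the page's rule, <NP7 count> x <intended cgn-resource-quota>.
    return resource_quota if hash_config == "src-ip" else np7_count * resource_quota

def check_cgn_quotas(text, np7_count):
    """Return (policy_id, configured_session_quota, expected_session_quota) for each mismatch."""
    hash_config = parse_hash_config(text)
    findings = []
    for pid, quotas in parse_cgn_policies(text).items():
        if "cgn-resource-quota" not in quotas:
            continue
        expected = expected_session_quota(hash_config, np7_count, quotas["cgn-resource-quota"])
        configured = quotas.get("cgn-session-quota")
        if configured != expected:
            findings.append((pid, configured, expected))
    return findings
```

Running check_cgn_quotas(SAMPLE_CONFIG, 4) for a four-NP7 platform reports policy 7 with a configured session quota of 2 where 8 is expected; switching the sample to src-ip clears the finding.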