Technical Tip: Understanding NAT port allocation on Chassis (6000 and 7000 Series)

Description

This article describes How NAT ports are allocated in FortiGate-6000F, FortiGate-7000E, FortiGate-7000F.

Scope

FortiGate. Change in version 6.4.8, Introduced a new CLI to dynamically re-allocate SNAT source ports among the remaining enabled FPCs or FPMs and is enabled by default:

config load-balance setting

    set nat-source-port {chassis-slots | enabled-slots}

end

• chassis-slots: SNAT source ports are statically assigned to all FPCs and remain unchanged even if an FPC goes offline, reducing available ports but keeping active sessions unaffected.
• enabled-slots: SNAT source ports are dynamically distributed among active FPCs, ensuring all ports remain available. However, if reallocation occurs during traffic processing, some active sessions may be lost.

Before version v6.4.8 and below, this NAT port allocation was fixed based on Chassis model and couldn't change even if the FPC/FPM was not in use.

Solution

The total no of NAT ports allocated in 6k/7k are the same as in FortiOS. The only difference here is that this range is divided equally across the worker blades. This creates certain unexpected behavior on chassis series if it’s not configured appropriately. 

Scenario 1:
When traffic comes with a fixed source port less than 1024 with fixed dport and dst_ip, there is a restriction apply per device. In FortiOS, when original-source-port < 1024, the translated source-port will be in the range of [512,1024). That is the reason for this restriction.
In chassis, this range gets divided across worker blades and if the traffic is notload balanced across workers evenly, then, we will hit the NAT port is exhausted earlier than expected.

For example, when traffic comes with sport 500, dport 500 and destination IP is 208.54.85.64 the total no of sessions per device is limited to 512 sessions and this range is divided by the of worker blades in the chassis.
Here in this example, with one IP in the NAT pool with overload enabled, we get to see 'NAT port is exhausted' messages as shown below, as soon as 85 such sessions hits on any given worker blade in a FortiGate-6300F chassis.

Work around here is to allow more no of IP addresses in the NAT pool. After allowing 5 IPs, 426 sessions are allowed per worker blade before receiving NAT port is exhausted message .

 

 

The behavior is different when the sport is =>1024, This 512 session limit per unit does not apply here.

Shown below are the test results with a traffic generator.
In this example, sport is 1024, dport 80, dst_ip 12.0.0.1 are fixed  and only src ip is changing.

 

 

Scenario 2.
When NAT allocation  with PB block is assigned, this config will be applied to each blade individually.

Since each FPM can see the same client IP, it can allocate more resource than configured as a different range of ports are allocated in each blades as shown below on a FortiGate-6300F.

 

 

 

 

 

 

For example, with below IP pool settings on a FortiGate-6300F, one client can have (block-size 512/num-blocks-per-user 4) 2048 ports on each worker blade.
That is (6x2048) 12,288 ports on FortiGate-6300F with 6 worker blades; meaning 12,288 sessionson the unit per client IP.

Work around here is to reduce no of ports per blade by adjusting 'num-blocks-per-user' and 'num-blocks-per-user'.

 

Related article:

Technical Note: How FortiOS selects unused NAT ports