sg32
New Member
January 2, 2025
Question

Fortigate NAT Use Dynamic IP Pool with 2 service providers

  • January 2, 2025
  • 3 replies
  • 1827 views

Hello, and thank you in advance for any help.

We have 2 service providers with 2 different IP address blocks. These service providers are load balanced. How can I use the NAT dynamic IP pool with these 2 different outbound IP blocks? #fortigate v.7.4.6

[Image: outbound policy]

3 replies

Dhruvin_patel
Staff
January 2, 2025

Greetings,

This document explains how to associate an IP pool with a physical interface when you have two different WAN connections: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-associate-a-NAT-pool-IP-pool-to-a-physical/ta-p/189738


config firewall ippool
    edit <IP_Pool_1>
        set associated-interface <port wan1>
    next
    edit <IP_Pool_2>
        set associated-interface <port wan2>
    next
end


Regards!

If you have found a solution, please like and accept it to make it easily accessible for others.

sg32 (Author)
New Member
January 9, 2025

I read the NAT documentation for the FortiGate: NAT session clashes occur mainly because of a lot of requests to the same destination IP. This usually happens with DNS servers.

Fortigate01 # diag sys session stat
misc info: session_count=268953 setup_rate=1916 exp_count=15 reflect_count=0 clash=64960661

The clash count is really high. That is what I would like to fix.

dingjerry_FTNT
Staff
January 2, 2025
sg32 (Author)
New Member
January 9, 2025

Central NAT may help, but the traffic that is clashing seems to be only DNS and secure DNS, to Google and Apple. I don't want to go the central NAT route unless I have to, due to the complexity. How would you fix my issue?

sg32 (Author)
New Member
January 9, 2025

I have an issue with session clashes.

//Diag message

Fortigate01 # diag sys session stat
misc info: session_count=268953 setup_rate=1916 exp_count=15 reflect_count=0 clash=64960661
memory_tension_drop=0 ephemeral=0/3211264 removeable=0 extreme_low_mem=0
npu_session_count=103007
nturbo_session_count=102950
delete=2497, flush=2, dev_down=75/304
session walkers: active=0, vf-277, dev-74, saddr-0, npu-0, wildcard-0
TCP sessions:
15 in NONE state
74409 in ESTABLISHED state
153 in SYN_SENT state
21 in SYN_RECV state
126 in FIN_WAIT state
1148 in TIME_WAIT state
3858 in CLOSE state
2301 in CLOSE_WAIT state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000008
ips_recv=100d071e
policy_deny=01514ab5
av_recv=00000d8a
fqdn_count=00000014
fqdn6_count=00000003
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0

//End 

I'm pretty sure it is only a DNS and secure DNS problem.

The clash details do not state which protocol is causing the issue, UDP or TCP. I read https://community.fortinet.com/t5/FortiGate/Technical-Tip-Avoid-NAT-port-exhaustion/ta-p/321941

and this document states that I should lower the TTL for DNS.


What should I do?
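A follow-up an editor would add at this point, not a reply from any participant in the thread: first narrow the session table down to confirm that the sessions piling up really are DNS to a few resolvers, then shorten the session TTL for DNS only, as the linked KB article recommends, rather than lowering the global default. The resolver address 8.8.8.8 and the 10-second timeout are assumptions; the TCP/853 entry is included because the poster mentions secure DNS and is likewise an assumption, not something the thread or the article states. Lines beginning with # are annotations for the reader, not FortiOS CLI.

```fortios
# Step 1: look at the translated sessions to one resolver. The filter
# applies to "session list"; "session stat" is device-wide and does not
# break clashes out per protocol, which is why the poster could not see
# UDP versus TCP in it. Clear the filter afterwards so later listings are
# not silently restricted.
diagnose sys session filter clear
diagnose sys session filter proto 17
diagnose sys session filter dport 53
diagnose sys session filter dst 8.8.8.8
diagnose sys session list
diagnose sys session filter clear

# Step 2: expire DNS sessions quickly so their NAT ports are freed for
# reuse, leaving every other protocol on the global default. Entry 1
# covers plain DNS (UDP/53); entry 2 covers DNS over TLS (TCP/853),
# which needs a longer value because a TLS handshake and query take
# more than one round trip.
config system session-ttl
    config port
        edit 1
            set protocol 17
            set start-port 53
            set end-port 53
            set timeout 10
        next
        edit 2
            set protocol 6
            set start-port 853
            set end-port 853
            set timeout 60
        next
    end
end

# Step 3: re-check the counters after the change has been in place for a
# while; compare clash against setup_rate over the same interval rather
# than reading the lifetime total, which only ever grows.
diagnose sys session stat
```

Keep the DNS timeout above the slowest resolver round trip you expect to see: a reply that arrives after its session has already expired has no session to match and is dropped. Checking the session list before and after also tells you whether the clients are hammering one or two resolver addresses; if so, pointing them at more resolvers, or adding addresses to the IP pool that handles that WAN link, spreads the same number of queries over more NAT port space and reduces clashes independently of the TTL change.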