robdog
New Member
May 23, 2017
Solved

Is it possible to mitigate aggressive reuse of source NAT ports

  • May 23, 2017
  • 1 reply
  • 10201 views

Hi, I'm new to the forums so I bid you all a good hello first and foremost.

I'm currently seeing an issue due to the aggressive nature in which our 100D HA cluster is reusing source NAT ports for address translation.

This is causing an issue with one of our web services, whereby the source port is reused too quickly and causes the session data to be dropped. I believe the issue is caused by the server we are connecting to having TIME_WAIT configured for a 2-minute interval and our Fortinet reusing the source port after a few seconds.

Would creating a policy to increase the time-to-live session timer help in this instance? I'm just concerned that by increasing the amount of time sessions are able to sit within the firewall's memory this will potentially have a negative effect on performance, even if it does rectify our issue.

We had a Cisco ASA HA setup previously with which we never encountered this issue; it seems it's related to the way FortiOS applies port address translation.

Any suggestions would be appreciated.

 

    Best answer by emnoc (May 24, 2017)

    I would do it differently:

    1: set an ippool (or pools) vs. the egress SNAT

    2: use the ippool in that fwpolicy

    optional

    3: set the ippool with port-allocation types (RTFM for FortiOS to understand the port block type; take a look at the link below for examples)

    e.g.

    config firewall ippool
        edit "SNATPOOLA"
            set type port-block-allocation
            set startip 1.1.1.1
            set endip 1.1.1.1
            set block-size 224
            set num-blocks-per-user 128
        next
    end

    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/IP%20Pools.htm

    Now with any of the above you can set pools per firewall for heavily used fwpolicies and monitor the usage.

    Ken

     

     

     

    1 reply

    robdog (Author)
    New Member
    May 24, 2017

    I'm not sure this will work but I will test and update this thread if it does, as this issue is a pain in the a$$. So if I can help anyone else with a similar problem then great :)

    Configured two custom services for HTTP and HTTPS with an increased time_wait timer. The value set is on the basis that the HTTP(S) server at the remote end will be using the default time_wait value of 2 minutes. So by this logic the time_wait delta *SHOULD* be 4 minutes or 240 seconds.

    Config:

    config firewall service custom
        edit "cstmsvc.pat.http.80"
            set category "Web Access"
            set comment "Custom service for TCP port reuse"
            set tcp-portrange 80
            set tcp-timewait-timer 240
        next
        edit "cstm.svc.pat.https.443"
            set category "Web Access"
            set comment "Custom service for TCP port reuse"
            set tcp-portrange 443
            set tcp-timewait-timer 240
        next
    end

    Cheers
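Added example, not from either post and not FortiOS code: a small Python model of the behaviour both replies are addressing, a FIFO source-NAT allocator that quarantines released (ip, port) tuples for a configurable hold (what robdog's tcp-timewait-timer sets) against a server with a 2-minute TIME_WAIT, with the pool size standing in for emnoc's ippool. The addresses, port range, connection rate and lifetimes are constructed.

```python
from collections import deque

SERVER_TIME_WAIT_MS = 120_000  # the 2-minute TIME_WAIT assumed on the remote server


class SourceNat:
    """FIFO (ip, port) allocator; a released tuple is quarantined for hold_ms
    before reuse, which is what the firewall's tcp-timewait-timer controls."""

    def __init__(self, ips, ports, hold_ms):
        self.free = deque((ip, p) for ip in ips for p in ports)
        self.cooling = deque()  # (release_time_ms, tuple), oldest first
        self.hold_ms = hold_ms

    def allocate(self, now_ms):
        while self.cooling and self.cooling[0][0] + self.hold_ms <= now_ms:
            self.free.append(self.cooling.popleft()[1])
        if not self.free:  # the cost of a long hold: the OP's memory worry
            raise RuntimeError("SNAT pool exhausted")
        return self.free.popleft()

    def release(self, now_ms, tup):
        self.cooling.append((now_ms, tup))


def simulate(nat, rate_per_s, duration_s, conn_life_ms=1_000):
    """Open rate_per_s short connections/s to one server for duration_s and
    return how many reused a source tuple the server would still hold in
    TIME_WAIT, i.e. the sessions the original post sees being dropped."""
    open_conns = deque()  # (close_time_ms, tuple); equal lifetimes keep it ordered
    last_closed, collisions = {}, 0
    for n in range(rate_per_s * duration_s):
        now = n * 1_000 // rate_per_s
        while open_conns and open_conns[0][0] <= now:
            close_t, tup = open_conns.popleft()
            nat.release(close_t, tup)
            last_closed[tup] = close_t
        tup = nat.allocate(now)
        if tup in last_closed and now - last_closed[tup] < SERVER_TIME_WAIT_MS:
            collisions += 1
        open_conns.append((now + conn_life_ms, tup))
    return collisions


PORTS = range(10_000, 10_100)  # constructed: 100 source ports per pool address
POOL_IP = ["203.0.113.1"]      # constructed documentation address

if __name__ == "__main__":
    print(simulate(SourceNat(POOL_IP, PORTS, 0), 10, 60))             # 500 collisions
    print(simulate(SourceNat(POOL_IP, range(10_000, 12_000), 120_000), 10, 300))  # 0
```

In this model, a hold at least as long as the server's TIME_WAIT removes the collisions but only if the pool can absorb rate x hold tuples (otherwise allocate() raises), while adding a second pool address with no hold just lengthens the reuse cycle and still collides.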
