eduplaa
New Member
July 22, 2016
Question

What is the behavior of a FG when the NAT session table is full?


Hello,

I searched through the documentation without finding any key information about this question.

So imagine a FortiGate appliance NATting flows to a specific IP with a unique source IP.

Imagine now that the appliance reaches its source port, or maybe its session table, limit.

What will the appliance do with the next TCP SYN?

Will it:

- drop the packets?

- forward it without NATting the source?

- reuse an already used dynamic source port?

- or any other idea?

If you have any information about this, please let me know ASAP.

Best regards,

 


    emnoc
    New Member
    July 22, 2016

    1st

    I never heard of a NAT-table session limit.

    2nd

    The firewalls are "session" limited (based on model/CPU/mem); normal behavior is for the traffic to stop when we hit the limits.

    You need to properly size the firewall for the max sustained sessions and the number of sessions opened per second (new). Keep in mind the 1st few packets in a session are not off-loaded and actually use "bytes" of data.

    eduplaa
    New Member
    July 25, 2016

    Hello,

    Thank you emnoc for your answer.

    I agree with you about the standard behavior of a firewall if its session table is full, but that was not my question.

    I still believe a NAT table always has a limit, imposed by the manufacturer (i.e. Fortinet Central NAT Table entries) or by user-configured parameters.

    Let me explain what I mean by user-specified parameters. When a TCP SYN reaches an SNAT equipment, the equipment will translate the source IP, and regularly the source port, right?

    Now imagine you use a single IP for SNAT, and that you have specified a source-port range including 64000 ports. If you have more than 64000 clients simultaneously connected, how could the NAT equipment do the job without any source port available? So the NAT table, or NAT pool, is exhausted. Do you agree?

    Maybe I should call it a session table, but this is not the firewall one, this is the NAT one.

    Maybe someone could confirm (or not) the behavior of a FortiGate with a full NAT table?

    emnoc
    New Member
    July 25, 2016

    Yes, that's correct, a single IPv4 address will have an ephemeral range of 1024-64k addresses, but that's not a NAT-table issue, that's an ephemeral port issue.

    In the above example, that will be a "clash" condition, and the diag sys session will show outcomes when you have a clash, and yes, with no ephemeral port available, that session will not make it out of the firewall.

    e.g.

    kenfwd $ diag sys session stat | grep lash
    misc info:     session_count=96939 setup_rate=959 exp_count=1369 clash=923665   <----look here

    So if you need more ephemeral ports, you need a big SNAT pool. AFAIK, no matrix or max value is listed for just "nat or xlate" tables per hardware device.
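A defender-side check for the clash counter emnoc points at, added here as an example and not part of the original thread: it parses successive samples of the `misc info:` line from `diag sys session stat` (the samples below are constructed to mirror the format quoted above) and flags polling intervals where the cumulative clash counter climbs, which is the symptom of SNAT ephemeral-port exhaustion described in the reply. The polling interval and alert threshold are assumed tuning values, not FortiOS settings.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples of the "misc info:" line from `diag sys session stat`,
# as if polled once per interval. The format mirrors the line quoted in the
# thread; the counter values are made up for this example.
SAMPLES = [
    "misc info:     session_count=96939 setup_rate=959 exp_count=1369 clash=923665",
    "misc info:     session_count=97102 setup_rate=1012 exp_count=1370 clash=923665",
    "misc info:     session_count=99870 setup_rate=1488 exp_count=1401 clash=931219",
    "misc info:     session_count=12004 setup_rate=301 exp_count=88 clash=140",
]

FIELD_RE = re.compile(r"(\w+)=(\d+)")


def parse_misc_info(line: str) -> Dict[str, int]:
    """Turn one 'misc info:' line into a dict of integer counters."""
    if "misc info:" not in line:
        raise ValueError(f"not a misc info line: {line!r}")
    return {key: int(value) for key, value in FIELD_RE.findall(line)}


def clash_deltas(samples: List[str]) -> List[int]:
    """Growth of the cumulative clash counter between consecutive samples.

    The counter only ever grows, so a drop means the box rebooted or the
    counter was reset; the new value is then the growth since that reset.
    """
    counts = [parse_misc_info(s)["clash"] for s in samples]
    deltas = []
    for prev, cur in zip(counts, counts[1:]):
        deltas.append(cur - prev if cur >= prev else cur)
    return deltas


def snat_exhaustion_alerts(samples: List[str], interval_s: int = 60,
                           max_clash_per_s: float = 1.0) -> List[Tuple[int, float]]:
    """Return (interval index, clashes per second) for every interval above threshold.

    interval_s and max_clash_per_s are assumptions for this example. A steadily
    climbing clash counter means sessions are failing to get a free ephemeral
    port on the SNAT address, so the SNAT pool needs more addresses or ports.
    """
    alerts = []
    for idx, delta in enumerate(clash_deltas(samples), start=1):
        rate = delta / interval_s
        if rate > max_clash_per_s:
            alerts.append((idx, rate))
    return alerts
```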