bdickie_FTNT
Staff
Article Id 196785

Description

 

This article describes various ways that NAT firewalls assign unused ports to NAT sessions including the method that FortiOS uses.  This article also briefly describes some examples of the limitations of the FortiOS approach.


Scope

 

FortiGate v4.2.9/v4.3.2 and later.


Solution

 

Consider the following idealized topology for a university that allows its students to connect to the Internet through a FortiGate unit:

Figure 1: Example university Internet connection topology


The university does not give a publicly routable IP address to its students.  Instead each student uses DHCP to obtain an IP address from the 10.0.0.0/8 range from the FortiGate unit.  The FortiGate unit then uses Network Address Port Translation (NAPT) to translate all traffic so that it appears to come from IP address 192.168.1.1.

For example, consider student A (IP address 10.78.33.97) who wants to connect to search engine (IP address 172.20.120.2) and sends a packet with the following IP addresses and port numbers:
 
src-ip: 10.78.33.97
dst-ip: 172.20.120.2
src-port: 10000
dst-port: 80

When this packet passes through the FortiGate unit with NAT enabled the packet is modified to be:
 
src-ip: 192.168.1.1
dst-ip: 172.20.120.2
src-port: 46372
dst-port: 80

where 192.168.1.1 is the external IP address of the FortiGate unit and 46372 is an unused port chosen by the FortiGate.

The following sections describe three solutions to choosing the unused port.  These solutions provide some context for the last section which describes how FortiOS chooses an unused port.

Global pool:
In this approach, there is a single pool of ports that are available for assignment.  When a port is assigned it is removed from the pool.  Because the port is removed from the pool, it is not possible to assign the same port twice. Once a port is no longer needed for NAT it is returned to the pool so that it can be assigned again.

For example, if the range is from 0x13FD (5117) to 0xFFFC (65532) then there are 0xFFFD (60416) possible ports that can be simultaneously used (the reason for choosing this range is described below). The maximum number of simultaneous connections is 60416.  This maximum is independent of the transport protocol.

This approach was one of the first used for choosing a NAT port because it is simple to implement.  It is viable if the number of connections is unlikely to reach the pool size, for example in the case of a NAT firewall for home use.  However, it is not really a viable solution for a large university or ISP that would usually be processing thousands of simultaneous sessions.

This is not the approach that FortiOS uses.

Global per-protocol pool:
Using a global per-protocol pool extends the global pool approach by having a separate pool for TCP and UDP.  The chosen pool is a function of the protocol used.  With the same range of 60416 ports, there are 60416 ports for UDP and 60416 ports for TCP, resulting in a total of 120832 ports.  The result is twice as many available ports, but this still would not be enough for a university or ISP.

This is not the approach that FortiOS uses.

Per NAT IP pool:
Using a per NAT IP pool extends the approach further so that rather than just a per-protocol pool, the pool is also determined by the NAT IP.  Thus, the pool is a function of the protocol and the NAT IP.  In the topology shown in Figure 1 the NAT IP is 192.168.1.1.  If there is only one NAT IP then this approach is no different from global per-protocol pools.  However, consider the topology shown in Figure 2 with two separate Internet connections and thus two NAT IP addresses 192.168.1.1 and 192.168.2.2.

Figure 2: Example university Internet connection topology with two Internet connections:


If the FortiGate configuration includes equal-cost multipath (ECMP) routing, both Internet connections can be used simultaneously and the maximum number of connections is N*R*P where N is the number of NAT IP addresses, R is the port range, and P is the number of protocols.  So for the case where there are two NAT IPs, the range is 60416 and the protocols are TCP and UDP then the maximum number of simultaneous connections is:

2*60416*2 = 241,664

This solution scales with the number of NAT IPs that can be deployed and so could feasibly be used by a university or a small ISP.

This is not the approach that FortiOS uses.

Per NAT IP, destination IP, port, and protocol pool:
This is the approach that FortiOS uses.

Using a per NAT IP, destination IP, port, and protocol pool is a further refinement that expands the pool to be a function of the protocol, NAT IP, destination IP and destination port.

The reason for using these attributes to determine the pool is a consequence of the session-based design of the FortiOS firewall.  When a TCP connection is made through a FortiGate unit, a session is created and two indexes are created for the session.  The FortiGate unit uses these indexes to guide matching traffic to the session.

One index is for traffic flowing in the same direction as the packet that initiated the creation of the session:
 
src-ip: 10.78.33.97
dst-ip: 172.20.120.2
proto: TCP
src-port: 10000
dst-port: 80

and the other index is for traffic flowing in the opposite/reply direction:
 
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: TCP
src-port: 80
dst-port: 46372

where 46372 is the chosen NAT port. When traffic matches either of these indexes, the session that the traffic belongs to can be uniquely identified.

Using a per NAT IP, destination IP, port, and protocol pool, when choosing the NAT port FortiOS only has to ensure that the chosen port, combined with the other four attributes of the reply-direction index, uniquely identifies the session. So for example, if student A simultaneously makes a connection to the search engine (destination IP address 172.20.120.2) on port 443 this would create another session and the index in the reply direction would be:
 
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: TCP
src-port: 443
dst-port: NP

The value of NP can be any value as long as the five values together are unique.  For example, FortiOS could choose 46372 again:
 
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: TCP
src-port: 443
dst-port: 46372

This is acceptable because:
 
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: TCP
src-port: 80
dst-port: 46372

And:
 
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: TCP
src-port: 443
dst-port: 46372

Have different src-port values.

The result of using the per NAT IP, destination IP, port, and protocol pool approach is that a pool of 60416 ports is available for each unique combination of src-ip, dst-ip, proto and src-port in the reply direction.

The maximum number of simultaneous connections that can be supported is N*R*P*D*Dp where N is the number of NAT IP addresses, R is the port range, P is the number of protocols, D is the number of unique destination IP addresses and Dp the number of unique destination ports.

Considering the large number of destination IP addresses available, the number of simultaneous connections that can be supported is very large. To get an idea of how large, for one destination IP address and one NAT IP address the calculation would be N=1, R=60416, P=2, D=1 and Dp=60416:

1 * 60,416 * 2 * 1 * 60,416 = 7,300,186,112.

A problem with this calculation is that not all 60,416 possible destination ports are used.  In fact, for many organizations most Internet traffic is web traffic using destination port 80, all of it over TCP.  So the pool size limit for web traffic to one destination IP address from one NAT IP address using the TCP protocol would be N=1, R=60416, P=1, D=1 and Dp=1:

1* 60,416 * 1 * 1 * 1 = 60,416

Using the topology in Figure 1, if students simultaneously connect to the search engine, the social networking site and the video sharing site on TCP port 80, and each site uses one IP address, then a maximum of 60,416 simultaneous connections is allowed to each site, or 60,416 * 3 = 181,248 connections in total.

Many large public web sites use round-robin DNS to rotate through at least four IP addresses.  If the search engine and the video sharing site did this with an even balance of IP usage, the result would be a maximum of 4 * 60,416 = 241,664 connections to the search engine, 241,664 connections to the video sharing site and 60,416 connections to the social networking site: a total of 543,744 different connections supported by the single FortiGate unit with one NAT IP, across 9 destination IP addresses and one destination port.
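The following is an added example, not FortiOS code and not part of this article: a small Python simulator of the four pool strategies described above (global, per-protocol, per NAT IP, and the FortiOS per NAT IP/destination IP/port/protocol pool), together with the N*R*P*D*Dp capacity formula from the previous paragraphs. The strategy names, the Napt class and its sequential allocator are illustrative assumptions; the addresses and ports are constructed from the Figure 1 topology.

```python
# Added example, not FortiOS code: a simulator of the four port-pool strategies
# discussed above. Strategy names, addresses and ports are constructed values.
from collections import defaultdict

PORT_LO, PORT_HI = 0x13FD, 0xFFFC              # range quoted in the article
POOL_SIZE = PORT_HI - PORT_LO + 1              # 60416 ports in each pool


def pool_key(strategy, nat_ip, dst_ip, dst_port, proto):
    """Attributes that select the pool a new session draws its NAT port from."""
    if strategy == "global":
        return ()
    if strategy == "per_proto":
        return (proto,)
    if strategy == "per_nat_ip":
        return (nat_ip, proto)
    if strategy == "fortios":                  # per NAT IP, dst IP, dst port, proto
        return (nat_ip, dst_ip, dst_port, proto)
    raise ValueError(f"unknown strategy {strategy!r}")


class Napt:
    def __init__(self, strategy):
        self.strategy = strategy
        self.next_port = defaultdict(lambda: PORT_LO)   # sequential allocator per pool
        self.reply_index = set()   # (src-ip, dst-ip, proto, src-port, dst-port) seen

    def open_session(self, nat_ip, dst_ip, dst_port, proto):
        """Pick a NAT port; return None when the selected pool is exhausted."""
        key = pool_key(self.strategy, nat_ip, dst_ip, dst_port, proto)
        port = self.next_port[key]
        if port > PORT_HI:
            return None
        self.next_port[key] = port + 1
        # The reply-direction index must stay unique or reply traffic could be
        # matched to the wrong session; every strategy above guarantees this.
        idx = (dst_ip, nat_ip, proto, dst_port, port)
        assert idx not in self.reply_index, "reply index collision"
        self.reply_index.add(idx)
        return port


def capacity(n_nat_ips, port_range, n_protos, n_dst_ips, n_dst_ports):
    """Maximum simultaneous sessions: N * R * P * D * Dp from the article."""
    return n_nat_ips * port_range * n_protos * n_dst_ips * n_dst_ports


def fill_then_new_dst_port(strategy):
    """Open POOL_SIZE sessions to 172.20.120.2:80, then try one to :443."""
    nat = Napt(strategy)
    for _ in range(POOL_SIZE):
        assert nat.open_session("192.168.1.1", "172.20.120.2", 80, "tcp") is not None
    return nat.open_session("192.168.1.1", "172.20.120.2", 443, "tcp")
```

With the "fortios" strategy the pool for port 80 being full does not block a session to port 443, and the same NAT port can be handed out for both, while the other three strategies return None once their single pool is exhausted.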

 

Related Article:

Technical Note: Source NAT port range has been changed on FortiOS firmware versions 4.2.9 and 4.3.2 ...