Background: Hyperscale firewall CGNAT configuration starts by creating one or more CGN resource allocation IP pools. There are five different types or modes of CGNAT resource allocation IP pools, though only four support the 'Dynamic IP consistency' feature. Refer to this link for documentation regarding each mode and the supported features:
CGN resource allocation IP pools
In many deployments, service providers might restrict access to their services to a single source IP, so users may encounter outages and service issues if the sessions going to the same destination are source NAT’d with multiple external IPs. ‘Dynamic IP consistency’ fixes this issue by ensuring that a user is always allocated PBAs from the same public IP address, if possible.
A definition of "Dynamic IP Consistency" is available here:
Dynamic IP consistency
Bear in mind that 'Dynamic IP consistency' is dependent on the 'hash-config' setting under ‘config system npu’, which is used to configure how the internal switch fabric (ISF) load-balances sessions across NP7 processors.
The default setting for ‘hash-config’ is dependent on the number of NP7 processors present on the FortiGate (‘5-tuple’ for models with an even number of NP7 processors and ‘src-dst-ip’ for models with an odd number of NP7 processors). The following shows the CLI commands that will display this information, as well as sample output from a FortiGate-3500F:
FortiGate-3500F (global) # dia npu np7 info
SN : FG3K5Fxxxxxxxx
nr_chip : 3
np_0 : 0000:2a:00.0
np_1 : 0000:69:00.0
np_2 : 0000:aa:00.0
FortiGate-3500F (global) # config sys npu
FortiGate-3500F (npu) # get | grep hash
hash-config : src-dst-ip
hash-tbl-spread : enable
One issue that can occur when ‘hash-config’ is set to ‘5-tuple’ or ‘src-dst-ip' is that sessions from a given client may be distributed across multiple NP7 processors.
While this is beneficial for performance, it can result in one client’s sessions being NAT’ed across multiple public IPs.
To resolve this issue, it is suggested to set ‘hash-config’ to ‘src-ip’, which results in all sessions from a given source IP being processed by the same NP7 processor:
config system npu
set hash-config src-ip
end
Be aware that changing ‘hash-config’ will cause the FortiGate to restart.
Verification:
The following example demonstrates a CGNAT configuration on a FortiGate-3500F and the impact of the ‘hash-config’ option:
First, a CGNAT IP Pool set to ‘overload with port-block-allocation’ mode is created:
config firewall ippool
edit "Dynamic-Nat-pool"
set type cgn-resource-allocation
set startip 10.200.200.1
set endip 10.200.200.3
set arp-intf "Vlan901"
set cgn-overload enable
next
end
Next, the IP Pool is applied to a firewall policy:
config firewall policy
edit 1
set name "Test-policy"
set srcintf "Vlan-900"
set dstintf "Vlan901"
set action accept
set srcaddr "all"
set dstaddr "all"
set service "ALL"
set nat enable
set ippool enable
set poolname "Dynamic-Nat-pool"
next
end
In the following debug output, traffic was sent through the FortiGate-3500F from client 172.19.0.20 when ‘hash-config’ was set to the default of ‘src-dst-ip’.
The output indicates that multiple PBAs were allocated across multiple external IPs:
FortiGate-3500F (test-hw1) # dia fire ippool get-pub 172.19.0.20
Query private IP 172.19.0.20
np-0 policy-1 pool-8(PBA) public IP: 10.200.200.2 port: 5117-5244
np-0 policy-1 pool-8(PBA) public IP: 10.200.200.2 port: 5629-5756
np-0 policy-1 pool-8(PBA) public IP: 10.200.200.2 port: 6397-6524
np-1 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 25213-25340
np-1 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 25981-26108
np-1 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 26493-26620
np-2 policy-1 pool-8(PBA) public IP: 10.200.200.2 port: 45437-45564
np-2 policy-1 pool-8(PBA) public IP: 10.200.200.2 port: 46205-46332
np-2 policy-1 pool-8(PBA) public IP: 10.200.200.2 port: 46845-46972
The above example indicates that the first three sessions were allocated to the NP7_0 processor and SNAT IP address of 10.200.200.2.
The next three sessions were then offloaded to NP7_1 with SNAT IP 10.200.200.1, and finally, the last three sessions were offloaded to NP7_2 with SNAT IP 10.200.200.2.
Finally, the following debug output was taken after ‘hash-config’ was set to ‘src-ip’ and the FortiGate was restarted:
FortiGate-3500F (test-hw1) # dia firewall ippool get-pub 172.19.0.20
Query private IP 172.19.0.20
np-1 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 25213-25340
np-1 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 25341-25468
np-1 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 25469-25596
np-1 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 25597-25724
np-1 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 25725-25852
FortiGate-3500F (test-hw1) # dia firewall ippool get-pub 172.19.0.19
Query private IP 172.19.0.19
np-2 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 45437-45564
np-2 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 45693-45820
np-2 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 45949-46076
np-2 policy-1 pool-8(PBA) public IP: 10.200.200.1 port: 46205-46332
As per the output, all sessions from 172.19.0.20 are being handled by NP7_1 and the NAT’ed IP address (10.200.200.1), same with all sessions from 172.19.0.19 are being handled by NP7_2 and NAT'ed IP address (10.200.200.1) remains consistent.
|
