FortiGate
rito
Staff
Article Id 411348
Description
This article describes how FortiGate allocates PBA (Port Block Allocation) resources and how fractional values are handled during the calculation.
Scope
FortiGate.
Solution

The number of PBAs per public IP is calculated using the following formula:

 

<num-pba-per-ip> = (<end-port> - <start-port> + 1) / <block-sz>

 

If the division leaves a remainder, the result is truncated to a whole number of blocks, and the leftover ports are not used.

The following command displays IP pool usage and resource details:

 

diagnose firewall ippool list


Calculation examples:


The following calculations show that even if the end-port value differs, the number of PBAs per IP remains the same because the difference does not affect the integer division result.

Case 1: The calculation leaves 387 unused ports because they cannot form a complete block.

 

num-pba-per-ip = (65535 - 5117 + 1) / 448 = 134 remainder 387
ippool ippool-1: id=7, block-sz=448
        ip-range=192.168.0.1-192.168.255.254
        num-pba-per-ip=134
        grp=N/A, start-port=5117, end-port=65535
        npu-clients=0, npu-inuse-NAT-IPs=0, total-NAT-IP=65534
        npu-total-PBAs=8781556, npu-inuse-PBAs=0/0, npu-free-PBAs=100.00%/100.00%
        npu-tcp-sess-count=0, npu-udp-sess-count=0


Case 2: The calculation divides evenly, so no ports are left unused.

 

num-pba-per-ip = (65148 - 5117 + 1) / 448 = 134 remainder 0
ippool ippool-1: id=7, block-sz=448
        ip-range=192.168.0.1-192.168.255.254
        num-pba-per-ip=134
        grp=N/A, start-port=5117, end-port=65148
        npu-clients=0, npu-inuse-NAT-IPs=0, total-NAT-IP=65534
        npu-total-PBAs=8781556, npu-inuse-PBAs=0/0, npu-free-PBAs=100.00%/100.00%
        npu-tcp-sess-count=0, npu-udp-sess-count=0
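
The same check can be scripted against saved `diagnose firewall ippool list` output. The Python below is an added example, not Fortinet code: it parses one pool entry, recomputes the figures from the formula above, and reports the unused ports per IP and the end-port that would leave none. The function names are hypothetical, and the total-PBA comparison assumes `npu-total-PBAs` equals `num-pba-per-ip` multiplied by `total-NAT-IP`, which holds for both outputs shown here.

```python
import re

# Sample input: the Case 1 output from this article.
SAMPLE = """\
ippool ippool-1: id=7, block-sz=448
        ip-range=192.168.0.1-192.168.255.254
        num-pba-per-ip=134
        grp=N/A, start-port=5117, end-port=65535
        npu-clients=0, npu-inuse-NAT-IPs=0, total-NAT-IP=65534
        npu-total-PBAs=8781556, npu-inuse-PBAs=0/0, npu-free-PBAs=100.00%/100.00%
        npu-tcp-sess-count=0, npu-udp-sess-count=0
"""

def parse_ippool(text):
    """Collect the key=value fields of one ippool entry as a dict of strings."""
    return dict(re.findall(r"([\w-]+)=([^,\s]+)", text))

def audit_pool(text):
    """Recompute the PBA figures for one pool and compare them with the output."""
    f = parse_ippool(text)
    start, end, block = (int(f[k]) for k in ("start-port", "end-port", "block-sz"))
    if block <= 0 or end < start:
        raise ValueError("invalid port range or block size")
    # Integer division: the remainder is the ports that cannot form a full block.
    pba_per_ip, unused = divmod(end - start + 1, block)
    # Assumption (not stated in the article): total PBAs = PBAs per IP * NAT IPs.
    total_pbas = pba_per_ip * int(f["total-NAT-IP"])
    return {
        "pba_per_ip": pba_per_ip,
        "unused_ports_per_ip": unused,
        # Largest end-port at or below the current one that leaves no remainder.
        "aligned_end_port": end - unused,
        "total_pbas": total_pbas,
        "matches_output": pba_per_ip == int(f["num-pba-per-ip"])
        and total_pbas == int(f["npu-total-PBAs"]),
    }

if __name__ == "__main__":
    for name, value in audit_pool(SAMPLE).items():
        print(f"{name}: {value}")
```

For the Case 1 input, the aligned end-port it reports is the end-port used in Case 2.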

 

Related article:

FortiGate 7.6.4 hyperscale Firewall Guide Port block allocation CGN IP pool 
