Description: This article explains the working of PBA NAT in FortiGate and its impact on dynamic IP consistency.
Scope: FortiGate, Kernel NAT.
Solution:
Port Block Allocation (PBA) is a Network Address Translation (NAT) type. In FortiGate, PBA is used to configure a Source NAT IP Pool.
The block size defines the number of ports in each allocation, while the blocks per user determine the maximum number of blocks (and therefore ports) that can be assigned to a single internal IP address.
The minimum allowed block size is 64, and it can go up to 4096.
PBA calculations (block size 128, 8 blocks per user):
Total number of available ports per user = 128 * 8 = 1024
Total number of internal users supported per external IP = total ports that can be allocated per external IP (60418) / total available ports per user (1024) = 59
With the above settings, each external IP can support 59 internal IPs, with each internal IP receiving 8 blocks of 128 ports each.
When a client sends its first packet, the NAT external IP is allocated based on availability. The FortiOS kernel NAT processes the PBA IP pool range sequentially and selects the first available IP from the external range. That means if 192.168.200.2 has sufficient free ports to allocate a block, it is used as the external IP; otherwise, the block is allocated from the next available external IP address.
Example: In a production environment, multiple internal IPs receive port blocks from the first available external IP. With a block size of 128, a single external IP can hand out up to 472 block allocations. Since multiple internal IPs request allocations, an internal IP that cannot receive its full allocation from one external IP (because that IP has already assigned all 472 blocks) obtains the remaining blocks from the next available external IP.
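The arithmetic and the first-available-IP behaviour above, as an added model (not Fortinet code and not the FortiOS implementation). The two-address pool, the 10.0.0.x client addresses and the 6-blocks-per-user case are constructed values; 5117 is the first PBA port mentioned later in this article, which gives the 60418 allocatable ports used in the calculation.

```python
# Added example, not Fortinet code: a model of the PBA capacity arithmetic and of
# the "first available external IP" block allocation described above.
PORT_START, PORT_END = 5117, 65535  # 65535 - 5117 = 60418 allocatable ports per IP


def pba_capacity(block_size, blocks_per_user):
    """Return (ports per user, blocks per external IP, users per external IP)."""
    if not 64 <= block_size <= 4096:
        raise ValueError("block size must be between 64 and 4096")
    usable = PORT_END - PORT_START
    ports_per_user = block_size * blocks_per_user
    return ports_per_user, usable // block_size, usable // ports_per_user


class PbaPool:
    """External IPs are tried in range order; a block comes from the first IP with room."""

    def __init__(self, external_ips, block_size, blocks_per_user):
        self.blocks_per_user = blocks_per_user
        blocks_per_ip = pba_capacity(block_size, blocks_per_user)[1]
        self.free_blocks = {ip: blocks_per_ip for ip in external_ips}  # dict order = range order
        self.client_blocks = {}  # internal IP -> external IP backing each allocated block

    def allocate_block(self, client):
        """Return the external IP backing the client's next block, or None when the
        client already holds blocks-per-user blocks (the PBA exhaustion condition)."""
        blocks = self.client_blocks.setdefault(client, [])
        if len(blocks) >= self.blocks_per_user:
            return None
        for ip, free in self.free_blocks.items():
            if free:
                self.free_blocks[ip] -= 1
                blocks.append(ip)
                return ip
        return None  # every external IP in the pool is fully allocated

    def nat_ips(self, client):
        """Distinct external IPs a client is NATed behind; more than one breaks consistency."""
        return sorted(set(self.client_blocks.get(client, [])))


def clients_with_split_nat(block_size, blocks_per_user, n_clients):
    """Give n_clients (constructed 10.0.0.x addresses) their full allocation in turn and
    return the clients whose blocks straddle two external IPs."""
    pool = PbaPool(["192.168.200.2", "192.168.200.3"], block_size, blocks_per_user)
    for i in range(n_clients):
        client = f"10.0.0.{i + 1}"
        while pool.allocate_block(client):
            pass
    return [c for c in pool.client_blocks if len(pool.nat_ips(c)) > 1]
```

With the article's settings (128 x 8) the 472 blocks of one external IP divide evenly among 59 clients, so no client is split; with 6 blocks per user the 79th client receives 4 blocks from the first IP and 2 from the second.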
Note:
Example:
diagnose firewall ippool list pba
user 192.168.203.11: 192.168.200.2 25597-29692, idx=5, use=9056
diag firewall ippool list
If the client (internal IP) uses all ports from all the blocks allocated to it, PBA port block exhaustion occurs for that client, and a PBA exhaustion alert is logged in the system event logs. To avoid this situation, the PBA settings (block size and blocks per user) must be tuned to the expected port usage.
The client's sessions can also be cleared to work around the exhaustion:
diagnose system session filter src x.x.x.x <----- IP Pool.
diagnose system session clear
Note: Certain applications require dynamic IP consistency, i.e. traffic from an internal IP should always leave with the same external NAT IP. However, if the port block allocation is too strict and the first external IP has already handed out all its blocks (as in the example above), the consistency breaks, and the internal IP may be NATed with a different external IP from the PBA range. For FortiOS Hyperscale, this feature may work differently due to NP7 hardware capabilities. For the Hyperscale versions, refer to this link: Dynamic IP consistency
Note: Before v7.6.1, PBA port allocation always started from port 5117 and was sequential. Starting from v7.6.1, the port allocation can be randomized, which makes it less predictable.
The config firewall central-snat-map command includes a new option:
config firewall central-snat-map
    edit 1
        set port-preserve disable
        set port-random {enable | disable}
    next
end
The config firewall policy command includes a new option:
config firewall policy
    edit 1
        set port-preserve disable
        set port-random {enable | disable}
    next
end
For more details, refer to this document: Support for randomized port selection in IP pool mechanisms
FortiOS Hyperscale has some additional features. Refer to this link for CGNAT in Hyperscale firewalls: Hyperscale and standard FortiOS CGNAT feature comparison
Related documents: Technical Tip: How to configure SNAT with IP pool
Copyright 2025 Fortinet, Inc. All Rights Reserved.