Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
leej
Staff
Staff

Created on ‎11-25-2024 03:17 AM Edited on ‎09-05-2025 06:16 AM By Moderator

Article Id 359758

Technical Tip: How often to log 'NAT port is exhausted.' while NAT port is being constantly used

Description This article describes how often to log 'NAT port is exhausted.' while the NAT port is being constantly used.
Scope FortiGate.
Solution

When FortiGates are already exhausted, all NAT ports with new sessions coming, creating sessions can be denied by FortiGates that increment 'clash' and write logs.

 

Writing every single log of 'NAT port is exhausted.' could be an extreme burden for FortiGates. So FortiGates write 10 lines every 7 to 8 seconds.

 

In this example, a FortiGate has only one SNAT IP, which can create 60,418 sessions.

  1. Only 60,418 sessions are created. New sessions are denied due to the exhaustion of the NAT port. The value of 'clash' is on the rise.

1.jpg

 

  1. Logs are written 10 lines every 7 to 8 seconds.

     

    2.jpg

     

  2. The log sample below shows only one line at a time for convenience.

 

3.jpg
Labels:
739
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.