- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: Mixed NAT pools for single IP polic...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Anonymous
Not applicable
Created on 10-19-2020 11:48 PM
Article Id
192079
Description
This article describes the behaviour of the FortiGate when multiple IP pool with different options (one-to-one and overload) are associated.
Solution
First IP pool will be used first until fully utilized before it uses the second one.
For one-to-one, each internal IP address is mapped to an external IP address. It is first-come-first-serve basis.
For overload, each source port number represents a tcp/udp/sctp connection. It will be used until all source ports are fully utilized.
Number of Available connections (source ports) for Overload depends on 4 elements:
- IP protocol : Different IP protocol(TCP, UDP or SCTP) provides possibility to use same "source port"(SNAT port).
- Number of IP addresses for SNAT (SNAT IP):
- Destination port. Different Destination Port provides possibility to use same 'source port'(SNAT port).
First pool in IP-pool list of fw policy must be used first until exhausted before using second pool in IP-pool list of fw policy
Example.
1st Example in SNAT in overload:
- In this example, both packets from local lan are using same layer-4 protocol, SNAT IP but different Destination IP address, different Destination port.
This provides the possibility of using same 'source port'(SNAT port).
- After SNAT translation, both packets are using same 'source port'(SNAT port).
2nd Example in SNAT in overload:
- In this example, both packets are using same layer-4 protocol, SNAT IP, Destination IP address and same Destination port.
- Therefore, this case does not provide any possibility to use same 'source port'(SNAT port)
- After SNAT translation, both packets are using different 'source port'(SNAT port)
This article describes the behaviour of the FortiGate when multiple IP pool with different options (one-to-one and overload) are associated.
Solution
First IP pool will be used first until fully utilized before it uses the second one.
For one-to-one, each internal IP address is mapped to an external IP address. It is first-come-first-serve basis.
For overload, each source port number represents a tcp/udp/sctp connection. It will be used until all source ports are fully utilized.
Number of Available connections (source ports) for Overload depends on 4 elements:
- IP protocol : Different IP protocol(TCP, UDP or SCTP) provides possibility to use same "source port"(SNAT port).
- Number of IP addresses for SNAT (SNAT IP):
- Each IP address provides 60,416 source ports [5117;65533]. N x 60,416 source ports.
- Different SNAT IP provides possibility to use same 'source port'(SNAT port)
- Destination port. Different Destination Port provides possibility to use same 'source port'(SNAT port).
First pool in IP-pool list of fw policy must be used first until exhausted before using second pool in IP-pool list of fw policy
Example.
# config firewall policyIn this example, ip-pool 'overload' will be used until exhausted before using ip-pool 'one-to-one'.
edit 71
set srcintf "port1"
set dstintf "port2"
set nat enable
set ippool enable
set poolname "overload" "one-to-one"
next
end
1st Example in SNAT in overload:
- In this example, both packets from local lan are using same layer-4 protocol, SNAT IP but different Destination IP address, different Destination port.
This provides the possibility of using same 'source port'(SNAT port).
- After SNAT translation, both packets are using same 'source port'(SNAT port).
2nd Example in SNAT in overload:
- In this example, both packets are using same layer-4 protocol, SNAT IP, Destination IP address and same Destination port.
- Therefore, this case does not provide any possibility to use same 'source port'(SNAT port)
- After SNAT translation, both packets are using different 'source port'(SNAT port)
Labels:
Contributors
-
Anonymous
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.