FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Anthony_E
Community Manager
Article Id 195865

Description

 

This article describes how NAT ports are allocated on the FortiGate-6000F, FortiGate-7000E and FortiGate-7000F chassis.

Scope

 

All versions.

Change in version 6.4.8

FortiOS 6.4.8 introduced a CLI option to dynamically re-allocate SNAT source ports among the FPCs or FPMs that are currently enabled, instead of across every slot of the chassis. The article notes that this dynamic re-allocation is enabled by default:

 

config load-balance setting

    set nat-source-port {chassis-slots | enabled-slots}

end

 

With chassis-slots the source-port range is sliced by the number of slots in the chassis model; with enabled-slots it is sliced by the number of FPCs/FPMs that are actually enabled, so the share belonging to a removed or disabled blade is no longer wasted.

In versions before 6.4.8 the NAT port allocation was fixed by chassis model and could not change even when an FPC/FPM was not in use.


Solution


The total number of NAT ports allocated on the 6000/7000 series is the same as on any other FortiOS device.
The only difference is that this range is divided equally across the worker blades.
This produces unexpected behaviour on the chassis series if the NAT pool is not configured with that division in mind.

Scenario 1.
When traffic arrives with a fixed source port below 1024, a fixed destination port and a fixed destination IP, a per-device restriction applies.
In FortiOS, when the original source port is < 1024, the translated source port is chosen from the range [512, 1024), which is only 512 ports per pool IP; that is the reason for the restriction.
On a chassis this range is divided across the worker blades, so if traffic is not load balanced evenly across the workers, 'NAT port is exhausted' is hit earlier than expected.
For example, when traffic arrives with sport 500, dport 500 and destination IP 208.54.85.64, the total number of sessions per device is limited to 512, and that range is further divided by the number of worker blades in the chassis.
In this example, with one IP in the NAT pool and overload enabled, the 'NAT port is exhausted' messages shown below appear as soon as 85 such sessions (512 / 6 worker blades) land on any one worker blade of a FortiGate-6300F chassis.

 
 
The workaround is to put more IP addresses in the NAT pool.
After allowing 5 IPs, 426 sessions (5 x 512 / 6) are allowed per worker blade before the 'NAT port is exhausted' message appears.
 
 
The behaviour is different when sport is >= 1024: the 512-session-per-unit limit does not apply, because the translated port is then taken from the much larger range above 1024 rather than from [512, 1024).
Shown below are the test results with a traffic generator.
In this example sport 1024, dport 80 and dst_ip 12.0.0.1 are fixed and only the source IP changes.
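The per-blade arithmetic behind Scenario 1, as an added model written for this article (it is not Fortinet code and does not reproduce the chassis load balancer). It assumes that each worker blade gets floor(range_size x pool_ips / blades) of the [512, 1024) range, that the blade for a session is picked by hashing the source IP, and that every session consumes one translated port; the 'blades' argument stands for the number of enabled FPCs under 'nat-source-port enabled-slots' or the number of chassis slots under 'chassis-slots'. With those assumptions it reproduces the 85 and 426 figures above and shows why a single blade reports exhaustion while the chassis as a whole still has ports left.

```python
"""Model of how a FortiGate-6000/7000 chassis divides the low SNAT port range
across worker blades.  Added illustration for this article, not Fortinet code.

Assumed (not from the article): per-blade share is
floor(range_size * pool_ips / blades), the load balancer picks a worker blade
by hashing the source IP, and every session consumes one translated port.
"""
import hashlib
from collections import Counter

# Original sport < 1024 is translated into [512, 1024): 512 ports per pool IP.
LOW_PORT_RANGE = 1024 - 512


def per_blade_ports(range_size, pool_ips, blades):
    """Translated ports one worker blade may hand out for a fixed
    (pool IP set, dst IP, dport) tuple.  'blades' is the number of enabled
    FPCs under 'nat-source-port enabled-slots', or the number of chassis
    slots under 'chassis-slots' (6 on a FortiGate-6300F)."""
    return (range_size * pool_ips) // blades


def chassis_ports(range_size, pool_ips, blades):
    """Chassis-wide total once per-blade rounding is applied."""
    return per_blade_ports(range_size, pool_ips, blades) * blades


def select_blade(src_ip, blades):
    """Stand-in for the chassis load balancer (assumed hash, not Fortinet's)."""
    digest = hashlib.sha256(src_ip.encode()).digest()
    return int.from_bytes(digest[:4], "big") % blades


def simulate(src_ips, pool_ips=1, blades=6, range_size=LOW_PORT_RANGE):
    """Allocate one translated port per session, in order.

    Returns (sessions accepted, blade that would log 'NAT port is exhausted'
    or None, per-blade port usage)."""
    cap = per_blade_ports(range_size, pool_ips, blades)
    used = Counter()
    for n, src in enumerate(src_ips, start=1):
        blade = select_blade(src, blades)
        if used[blade] >= cap:
            return n - 1, blade, dict(used)
        used[blade] += 1
    return len(src_ips), None, dict(used)


if __name__ == "__main__":
    # Constructed traffic: every session from one client, so one blade takes it all.
    one_client = ["10.0.0.1"] * 600
    print(simulate(one_client))               # exhausted after 85 sessions, 1 pool IP
    print(simulate(one_client, pool_ips=5))   # exhausted after 426 sessions, 5 pool IPs
    # Constructed traffic: 600 distinct sources spread across the blades.
    spread = [f"10.0.{i // 256}.{i % 256}" for i in range(600)]
    print(simulate(spread))                   # more accepted, still under 510 in total
```

The spread case is the one to note: the chassis can only ever hand out chassis_ports() = 510 ports here, and the first blade to reach its 85-port share logs the exhaustion even though the other blades still have room.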
 
 
Scenario 2.
When the NAT pool is a port block allocation (PBA) pool, the block settings are applied on each blade individually.
Since each worker blade can see the same client IP, the chassis as a whole can allocate that client more ports than configured, because a different range of ports is allocated to it on each blade, as shown below for a FortiGate-6300F.
 
 
 
 
 
[Screenshots chassis3.jpg, chassis6.jpg and chassi4.jpg: per-blade PBA port allocations on a FortiGate-6300F]
 
For example, with the IP pool settings below on a FortiGate-6300F, one client can get (block-size 512 x num-blocks-per-user 4) 2048 ports on each worker blade.
That is (6 x 2048) 12,288 ports on a FortiGate-6300F with 6 worker blades, meaning 12,288 sessions on the unit per client IP.
The workaround is to reduce the number of ports per blade by adjusting 'block-size' and 'num-blocks-per-user', so that the per-blade allowance multiplied by the number of worker blades matches the per-client limit actually intended.
 
[Screenshot chassis7.jpg: IP pool settings used in this example]
 
Here is an example with src ip 11.0.0.1, dst ip 12.0.0.1 and dport 80.
On a FortiGate-6300F, each blade can handle 2048 sessions for this client.
The 'Pba ippool port-block has been exhausted' message appears only if any one worker blade exceeds 2048 sessions for that client IP.
 
 
[Screenshot chassis8.jpg: CLI session on 6300F-CH2, ending with '6300F-CH2 (global) # end']
 
The following output shows the port range allocations per blade for this single client IP.
 
[Screenshots chassis10.jpg, chassis11.jpg, chassis15.jpg and chassis13.jpg: per-blade port range allocations for client IP 11.0.0.1]
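The PBA behaviour of Scenario 2 and its workaround, as an added model written for this article (not Fortinet code). It assumes that every worker blade runs its own copy of the pool's block allocator over the same port space, hands a client contiguous blocks of 'block-size' ports up to 'num-blocks-per-user' blocks, and that each session uses one port; the pool values and the client IP are taken from the article, the port space 1024-65535 and the smaller replacement pool are constructed for the example. The CLI keywords are kept as dictionary keys so the numbers map directly onto 'config firewall ippool'.

```python
"""Model of a port block allocation (PBA) pool on a FortiGate-6000/7000 where
each worker blade allocates independently.  Added illustration for this
article, not Fortinet code.

Assumed (not from the article): every blade owns a full copy of the pool's
port space, gives a client blocks of 'block-size' ports up to
'num-blocks-per-user' blocks, and each session uses one port.
"""

# Constructed to mirror the article's pool: CLI keyword names as keys.
ARTICLE_POOL = {"block-size": 512, "num-blocks-per-user": 4}
WORKER_BLADES = 6  # FortiGate-6300F


class PbaBlade:
    """One worker blade's view of the PBA pool for a single pool IP."""

    def __init__(self, block_size, num_blocks_per_user,
                 first_port=1024, last_port=65535):
        self.block_size = block_size
        self.max_blocks = num_blocks_per_user
        # Start port of every free block-size chunk in the (assumed) port space.
        self.free_blocks = list(range(first_port, last_port - block_size + 2, block_size))
        self.client_blocks = {}  # client IP -> [[block start, ports used], ...]

    def allocate(self, client_ip):
        """Return a translated port for client_ip, or None when this blade
        would log 'Pba ippool port-block has been exhausted' for it."""
        blocks = self.client_blocks.setdefault(client_ip, [])
        for blk in blocks:                      # fill the blocks already held
            if blk[1] < self.block_size:
                port = blk[0] + blk[1]
                blk[1] += 1
                return port
        if len(blocks) >= self.max_blocks or not self.free_blocks:
            return None                         # per-user block limit reached
        start = self.free_blocks.pop(0)         # hand out a fresh block
        blocks.append([start, 1])
        return start

    def ports_for(self, client_ip):
        """(start, end) port ranges held by client_ip on this blade."""
        return [(s, s + self.block_size - 1)
                for s, _ in self.client_blocks.get(client_ip, [])]


def sessions_until_exhausted(blade, client_ip):
    """Open sessions for one client on one blade until the blade refuses."""
    count = 0
    while blade.allocate(client_ip) is not None:
        count += 1
    return count


def per_blade_budget(pool):
    """Ports one blade grants a single client: block-size x num-blocks-per-user."""
    return pool["block-size"] * pool["num-blocks-per-user"]


def chassis_sessions_per_client(pool, blades, client_ip="11.0.0.1"):
    """Sessions one client IP can hold across the chassis when every blade
    allocates on its own, as the article describes."""
    total = 0
    for _ in range(blades):
        blade = PbaBlade(pool["block-size"], pool["num-blocks-per-user"])
        total += sessions_until_exhausted(blade, client_ip)
    return total


if __name__ == "__main__":
    print(per_blade_budget(ARTICLE_POOL))                            # 2048 per blade
    print(chassis_sessions_per_client(ARTICLE_POOL, WORKER_BLADES))  # 12288 per client
    # Workaround: shrink the per-blade share so that
    # blades x block-size x num-blocks-per-user is the budget really intended.
    smaller = {"block-size": 128, "num-blocks-per-user": 4}          # constructed
    print(chassis_sessions_per_client(smaller, WORKER_BLADES))       # 3072 per client
```

When sizing the workaround, start from the per-client limit you want for the whole chassis and divide by the number of worker blades (or enabled slots, after 6.4.8) to get the per-blade budget that block-size and num-blocks-per-user must not exceed.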

 

Related article:

Technical Note: How FortiOS selects unused NAT ports
