Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umesh
New Contributor II

NAT overload

Hi all,

let me know one single public IP how many internal IP can handle.

3 REPLIES 3
akristof
Staff
Staff

Hello,

In theory, 1 public IP can be used to for 65535 connections. Because it is limited with number of ports.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/29961/dynamic-snat

Adrian
Cajuntank
New Contributor

Just to add to this, you will get to the point where you will get a "NAT port exhaustion" message on the firewall due to the amount of connections if you exceed that amount. You will then have to create a NAT pool of IPs and change your policies accordingly to that new NAT pool.

Yurisk
Valued Contributor

If, by any chance, you come from the Palo Alto background, where there exists Dynamic Ports Hide NAT oversubscription, then there is no such tricks employed in Fortigate world. 

I was sure oversubscription is not used in Fortigates, but seems it actually is  - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-the-session-clash-message/t... 

 

"This is because the tuple (NAT_srcip, NAT_srcport, destip, destport) is different, the destip changes, so the srcport randomly chosen can be the same, it will not generate a session clash message.

The fact that a tuple difference allows to reuse the same NAT src port, permits the firewall to have more than 65K sessions with only one public IP used for SNAT."

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.