Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
robdog
New Contributor II

Is it possible to mitigate aggressive reuse of source NAT ports

Hi, I'm new to the forums so I bid you all a good hello first and foremost.

I'm currently seeing an issue due to the aggressive nature in which our 100D HA cluster is reusing source NAT ports for address translation.

This is causing an issue with one of our web services, whereby the source port is reused too quickly and causes the session data to be dropped. I believe the issue is caused by the server we are connecting to having TIME_WAIT configured for a 2 minute interval and our FortiGate reusing the source port after a few seconds.

Would creating a policy to increase the time-to-live session timer help in this instance? I'm just concerned that by increasing the amount of time sessions are able to sit within the firewall's memory this will potentially have a negative effect on performance, even if it does rectify our issue.

We had a Cisco ASA HA setup previously with which we never encountered this issue; it seems it's related to the way FortiOS applies port address translation.

Any suggestions would be appreciated.

 

1 Solution
emnoc
Esteemed Contributor III

I would do it differently:

1: set up an ippool (or pools) vs. the egress SNAT

2: use the ippool in that fw policy

optional

3: set the ippool with port-allocation types (RTFM for your FortiOS version to understand the port-block type; take a look at the link below for examples)

e.g.

config firewall ippool
    edit "SNATPOOLA"
        set type port-block-allocation
        set startip 1.1.1.1
        set endip 1.1.1.1
        set block-size 224
        set num-blocks-per-user 128
    next
end

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/IP%20P...

Now with any of the above you can set pools per firewall policy for heavily used policies and monitor the usage.

Ken

PCNSE NSE StrongSwan
2 REPLIES
robdog
New Contributor II

I'm not sure this will work but I will test and update this thread if it does, as this issue is a pain in the a$$. So if I can help anyone else with a similar problem then great :)

I configured two custom services for HTTP and HTTPS with an increased time_wait timer. The value set is on the basis that the HTTP(S) server at the remote end will be using the default time_wait value of 2 minutes. So by this logic the time_wait delta *SHOULD* be 4 minutes or 240 seconds.

Config:

config firewall service custom
    edit "cstmsvc.pat.http.80"
        set category "Web Access"
        set comment "Custom service for TCP port reuse"
        set tcp-portrange 80
        set tcp-timewait-timer 240
    next
    edit "cstm.svc.pat.https.443"
        set category "Web Access"
        set comment "Custom service for TCP port reuse"
        set tcp-portrange 443
        set tcp-timewait-timer 240
    next
end

Cheers
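
As an added illustration (not part of any post above, and not FortiOS code), the Python model below reproduces the failure mode robdog describes and shows why the two fixes discussed in this thread help. A server keeps each closed 4-tuple in TIME_WAIT for 120 s and, in this model, drops any SYN that lands on such an entry. A naive NAT that recycles the most recently released source port (aggressive reuse) collides with those entries almost every time; an allocator that holds released ports back for 240 s (the role the 240 s tcp-timewait-timer plays on the FortiGate) and hands ports out in per-client blocks (the idea behind port-block-allocation, using emnoc's 224/128 sizes) never does. The IP addresses, the one-connection-per-second workload and the drop-on-TIME_WAIT rule are constructed for the example; real stacks may accept a new SYN in TIME_WAIT under some conditions, so treat the counts as a model, not a measurement.

```python
"""SNAT source-port reuse vs. server TIME_WAIT, as a small model.

Added example (not FortiOS code): compares a NAT allocator that recycles a
released port immediately with one that holds released ports back and
allocates them in per-client blocks. IPs, timings and workload are
constructed for the example.
"""
import heapq


class Server:
    """Remote TCP stack: keeps closed 4-tuples in TIME_WAIT and, in this
    model, drops any SYN that lands on an entry still in TIME_WAIT."""

    def __init__(self, time_wait=120.0):  # constructed: 2 minute TIME_WAIT
        self.time_wait = time_wait
        self._tw = {}  # 4-tuple -> expiry time

    def accept_syn(self, tup, now):
        exp = self._tw.get(tup)
        if exp is not None and now < exp:
            return False  # source port reused too early: SYN dropped
        self._tw.pop(tup, None)
        return True

    def close(self, tup, now):
        self._tw[tup] = now + self.time_wait


class NaiveAllocator:
    """Aggressive reuse: the most recently released port is handed out next."""

    def __init__(self, public_ip, ports):
        self.public_ip = public_ip
        self._free = list(ports)  # used as a stack

    def allocate(self, client, now):
        return self.public_ip, self._free.pop()

    def release(self, client, port, now):
        self._free.append(port)


class BlockHoldDownAllocator:
    """Per-client port blocks (the idea behind port-block-allocation) plus a
    hold-down on released ports (the role tcp-timewait-timer plays)."""

    def __init__(self, public_ip, ports, block_size, num_blocks_per_user, hold_down):
        ports = list(ports)
        self.public_ip, self.max_blocks, self.hold_down = public_ip, num_blocks_per_user, hold_down
        self._blocks = [ports[i:i + block_size]
                        for i in range(0, len(ports) - block_size + 1, block_size)]
        self._free = {}      # client -> ports usable now
        self._cooling = {}   # client -> heap of (ready_time, port)
        self.blocks_used = {}

    def allocate(self, client, now):
        free = self._free.setdefault(client, [])
        cooling = self._cooling.setdefault(client, [])
        while cooling and cooling[0][0] <= now:  # hold-down elapsed: usable again
            free.append(heapq.heappop(cooling)[1])
        if not free:
            if self.blocks_used.get(client, 0) >= self.max_blocks or not self._blocks:
                raise RuntimeError(f"{client}: port blocks exhausted")
            free.extend(self._blocks.pop(0))
            self.blocks_used[client] = self.blocks_used.get(client, 0) + 1
        return self.public_ip, free.pop()

    def release(self, client, port, now):
        heapq.heappush(self._cooling[client], (now + self.hold_down, port))


def simulate(allocator, server, attempts=300, interval=1.0, duration=0.5,
             client="10.0.0.5", dst=("203.0.113.10", 443)):
    """One internal client opens a short connection every `interval` seconds.
    The NAT releases the source port `duration` after each attempt whether the
    server accepted the SYN or dropped it. Returns (accepted, dropped)."""
    accepted = dropped = 0
    pending = []  # heap of (release_time, 4-tuple, accepted?)
    for i in range(attempts):
        now = i * interval
        while pending and pending[0][0] <= now:
            t, tup, ok = heapq.heappop(pending)
            if ok:
                server.close(tup, t)  # server side enters TIME_WAIT
            allocator.release(client, tup[1], t)
        src_ip, port = allocator.allocate(client, now)
        tup = (src_ip, port, dst[0], dst[1])
        ok = server.accept_syn(tup, now)
        if ok:
            accepted += 1
        else:
            dropped += 1
        heapq.heappush(pending, (now + duration, tup, ok))
    return accepted, dropped


if __name__ == "__main__":
    ports = range(1024, 65536)
    print("naive reuse      :", simulate(NaiveAllocator("198.51.100.1", ports), Server()))
    pba = BlockHoldDownAllocator("198.51.100.1", ports, 224, 128, hold_down=240.0)
    print("240 s hold-down  :", simulate(pba, Server()), "blocks used:", pba.blocks_used)
    short = BlockHoldDownAllocator("198.51.100.1", ports, 224, 128, hold_down=5.0)
    print("5 s hold-down    :", simulate(short, Server()))
```

Running it shows the naive allocator losing almost every connection, the 240 s hold-down losing none, and a 5 s hold-down (shorter than the server's TIME_WAIT) still dropping connections: the hold-down only helps once it exceeds the remote TIME_WAIT. The hold-down run also needed a second 224-port block, because at one connection per second a client holds roughly rate x (session lifetime + hold-down) ports at once; that is the relationship to check against block-size and num-blocks-per-user before picking pool sizes.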
