Hi, I'm new to the forums so I bid you all a good hello first and foremost.
I'm currently seeing an issue due to the aggressive nature in which our 100D HA cluster is reusing source NAT ports for address translation.
This is causing an issue with one of our web services, whereby the source port is reused too quickly and causes the session data to be dropped. I believe the issue is caused by the server we are connecting to having TIME_WAIT configured for a 2 minute interval and our Fortinet reusing the source port after a few seconds.
Would creating a policy to increase the time to live session timer help in this instance? I'm just concerned that increasing the amount of time sessions are able to sit within the firewall's memory will potentially have a negative effect on performance, even if it does rectify our issue.
We had a Cisco ASA HA setup previously with which we never encountered this issue; it seems it's related to the way FortiOS applies port address translation.
Any suggestions would be appreciated.
I would do it differently:
1: set an ippool (or pools) vs the egress SNAT
2: use the ippool in that fwpolicy
optional
3: set the ippool with port-allocation types (RTFM for FortiOS to understand the port block type, take a look at the link below for examples)
e.g.
```
config firewall ippool
    edit "SNATPOOLA"
        set type port-block-allocation
        set startip 1.1.1.1
        set endip 1.1.1.1
        set block-size 224
        set num-blocks-per-user 128
    next
end
```
Now with any of the above you can set pools per firewall for heavily used fwpolicies and monitor the usage.
Ken
PCNSE
NSE
StrongSwan
I'm not sure this will work, but I will test and update this thread if it does, as this issue is a pain in the a$$. So if I can help anyone else with a similar problem then great :)
I configured two custom services for HTTP and HTTPS with an increased time_wait timer. The value set is on the basis that the HTTP(S) server at the remote end will be using the default time_wait value of 2 minutes. So by this logic the time_wait delta *SHOULD* be 4 minutes or 240 seconds.
Config:
```
config firewall service custom
    edit "cstmsvc.pat.http.80"
        set category "Web Access"
        set comment "Custom service for TCP port reuse"
        set tcp-portrange 80
        set tcp-timewait-timer 240
    next
    edit "cstm.svc.pat.https.443"
        set category "Web Access"
        set comment "Custom service for TCP port reuse"
        set tcp-portrange 443
        set tcp-timewait-timer 240
    next
end
```
Cheers
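Putting Ken's three steps and the custom services above into one FortiOS configuration, as an added example that is not from either post: the pool address (203.0.113.10), the interface names, the policy ID and the address objects are placeholders assumed for illustration, and the service names are the ones posted above.

```fortios
# Added example (not from this thread). Placeholders: 203.0.113.10 is the
# public SNAT address, internal/wan1 are the interfaces, policy ID 10 is free.
config firewall ippool
    edit "SNATPOOLA"
        # Port block allocation: each internal host gets fixed blocks of
        # source ports instead of the next free port from a shared range.
        set type port-block-allocation
        set startip 203.0.113.10
        set endip 203.0.113.10
        set block-size 224
        set num-blocks-per-user 128
    next
end
config firewall service custom
    edit "cstmsvc.pat.http.80"
        set category "Web Access"
        set tcp-portrange 80
        # Keep the closed session (and its translated port) for 240 s,
        # twice the 2-minute TIME_WAIT the thread assumes on the server.
        set tcp-timewait-timer 240
    next
    edit "cstm.svc.pat.https.443"
        set category "Web Access"
        set tcp-portrange 443
        set tcp-timewait-timer 240
    next
end
config firewall policy
    edit 10
        set name "web-out-pba"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # Reference the custom services so the 240 s timer applies here
        set service "cstmsvc.pat.http.80" "cstm.svc.pat.https.443"
        set nat enable
        # Source NAT from the PBA pool instead of the egress interface IP
        set ippool enable
        set poolname "SNATPOOLA"
    next
end
```

Only sessions matched by this policy pick up the pool and the longer timer; other outbound web traffic keeps the default interface SNAT and TIME_WAIT behaviour.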
Copyright 2024 Fortinet, Inc. All Rights Reserved.