Gents, can someone explain why FortiGate receives a lot of critical errors "NAT port is exhausted", and how to resolve it?
Yesterday I activated a support contract, and since that time I have been receiving this critical error.
What is the exact error message? What type of NAT is being used here? Inbound or outbound? Both?
Hello @Umirzak ,
It's related to your SNAT (IP Pool) object. If you use SNAT on your firewall policy, this pool can be exhausted depending on your SNAT configuration. You know every IP address has 65535 ports. If all ports are used, FortiGate warns you.
This problem happens for a lot of different causes: misconfiguration, long session time, etc.
You can check which object has exhausted your IP pool in the Firewall & Policy -> IP Pool menu.
If you share the configuration with us, we can advise you.
I've checked the Firewall & Policy -> IP Pool menu; there is no configuration there.
Created on 04-24-2024 06:53 AM Edited on 04-24-2024 06:56 AM
Hello @Umirzak ,
Okay. If you can't use the IP pool, you need to check the firewall policy list. There could be a policy configured with "NAT" enabled and "Use Outgoing Interface Address" enabled. Can you check your firewall policy list? Do you have any exclamation marks there?
In my opinion, you use SNAT for internet access. There could be too many connections processed by this rule, and because of that the ports could be exhausted.
You can clear your session table or, if you can, reboot your unit.
Okay, I have 4 policies with NAT enabled:
LAN>WAN
DMZ>WAN
Remote Connection > LAN
LAN>MGMT LAN
Which policy do I need to edit?
Hello @Umirzak ,
Editing does not solve your problem.
You need to kill the sessions if you have an exclamation mark on these policies.
You can filter these sessions by policy ID and kill all of them:
diagnose sys session filter policy <Policy_ID>
diagnose sys session clear
These commands clear all sessions for that policy. You should be careful with that.
@ozkanaltas I did it. Is it a temporary solution? Because FortiGate receives the "NAT port is exhausted" error again after some time.
Hello @Umirzak ,
There could be a lot of causes for this. You need to find the root cause.
- There could be a lot of clients for this connection.
- Your session time could be too long.
If you can, add one more IP address for SNAT with an IP pool object. You can review this document.
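The thread gives two pieces of advice: clear the sessions behind a policy with `diagnose sys session filter policy <Policy_ID>` / `diagnose sys session clear`, and then find the root cause (too many clients, session timeouts that are too long, or too few SNAT addresses). The script below is an added example, not code from the thread or from Fortinet: it parses a small session dump, ranks SNAT port consumers per translated address and per policy, lists the sources and long-lived sessions that hold ports, and prints the same clear commands the reply above uses for the worst policy. The sample dump is constructed, its line layout is only loosely modelled on the shape of `diagnose sys session list` output (the `session info:`, `policy_id=` and `act=snat` lines), and the exact field set is an assumption; the 65536-ports-per-address figure is the full 16-bit port space, not whatever range a given FortiOS build actually allocates from.

```python
"""Rank SNAT port consumers in a FortiOS-style session dump (added example).

The SAMPLE below is constructed for illustration. Its line shape is loosely
modelled on `diagnose sys session list` output, but the field layout and the
assumption that ports are tracked per translated IPv4 address are ours, not a
guarantee about real FortiGate output.
"""
import re
from collections import Counter, defaultdict

PORTS_PER_IP = 65536  # full 16-bit port space; real usable range is smaller

# Constructed sample: three sessions on policy 1 (LAN>WAN), one on policy 2 (DMZ>WAN).
SAMPLE = """\
session info: proto=6 proto_state=01 duration=120 expire=3480 timeout=3600 flags=00000000
policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
hook=post dir=org act=snat 192.168.1.10:51000->8.8.8.8:443(203.0.113.5:60011)
session info: proto=17 proto_state=01 duration=5 expire=175 timeout=180 flags=00000000
policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
hook=post dir=org act=snat 192.168.1.10:51001->8.8.8.8:53(203.0.113.5:60012)
session info: proto=6 proto_state=01 duration=3000 expire=600 timeout=3600 flags=00000000
policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
hook=post dir=org act=snat 192.168.1.11:40000->1.1.1.1:443(203.0.113.5:60013)
session info: proto=6 proto_state=01 duration=10 expire=3590 timeout=3600 flags=00000000
policy_id=2 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
hook=post dir=org act=snat 10.10.0.5:33000->1.1.1.1:443(203.0.113.6:60001)
"""

# src:port->dst:port(natip:natport); IPv4 only, which is enough for this sample.
SNAT_RE = re.compile(r"act=snat ([\d.]+):(\d+)->([\d.]+):(\d+)\(([\d.]+):(\d+)\)")


def parse_sessions(dump: str):
    """Return one dict per SNAT session: policy_id, src_ip, nat_ip, nat_port, timers."""
    sessions, cur = [], {}
    for line in dump.splitlines():
        if line.startswith("session info:"):
            if cur.get("nat_ip"):          # flush previous record if it was SNATed
                sessions.append(cur)
            cur = {}
            for key in ("duration", "expire", "timeout"):
                m = re.search(rf"\b{key}=(\d+)", line)
                if m:
                    cur[key] = int(m.group(1))
        elif line.startswith("policy_id="):
            cur["policy_id"] = int(line.split()[0].split("=")[1])
        elif "act=snat" in line:
            m = SNAT_RE.search(line)
            if m:
                cur["src_ip"], cur["nat_ip"] = m.group(1), m.group(5)
                cur["nat_port"] = int(m.group(6))
    if cur.get("nat_ip"):
        sessions.append(cur)
    return sessions


def port_usage(sessions):
    """Distinct SNAT ports in use per translated IP -> (count, fraction of PORTS_PER_IP)."""
    used = defaultdict(set)
    for s in sessions:
        used[s["nat_ip"]].add(s["nat_port"])
    return {ip: (len(p), len(p) / PORTS_PER_IP) for ip, p in used.items()}


def sessions_per_policy(sessions):
    """How many SNAT sessions each firewall policy is holding open."""
    return Counter(s["policy_id"] for s in sessions)


def top_sources(sessions, policy_id, n=5):
    """Clients holding the most SNAT ports behind one policy (the 'too many clients' case)."""
    return Counter(s["src_ip"] for s in sessions if s["policy_id"] == policy_id).most_common(n)


def long_lived(sessions, min_duration=1800):
    """Sessions that have held a port at least min_duration seconds (the 'timeout too long' case)."""
    return [s for s in sessions if s.get("duration", 0) >= min_duration]


def clear_commands(policy_id):
    """The session-clearing sequence from the thread, with the filter reset first."""
    return [
        "diagnose sys session filter clear",
        f"diagnose sys session filter policy {policy_id}",
        "diagnose sys session clear",
    ]


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE)
    for ip, (count, frac) in port_usage(sess).items():
        print(f"{ip}: {count} ports in use ({frac:.4%} of {PORTS_PER_IP})")
    worst_policy, _ = sessions_per_policy(sess).most_common(1)[0]
    print("busiest policy:", worst_policy, "top sources:", top_sources(sess, worst_policy))
    print("long-lived:", [(s["src_ip"], s["duration"]) for s in long_lived(sess)])
    print("\n".join(clear_commands(worst_policy)))
```

On a real unit, capture `diagnose sys session list` to a file and feed it to `parse_sessions`; only the three line kinds above are read, so the extra lines a real dump carries are ignored. The usage fractions tell you whether one SNAT address is genuinely close to full (add a second address to the IP pool) or whether a handful of clients or very long sessions are the problem (fix the clients or shorten the session TTL) before you clear anything.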
Copyright 2024 Fortinet, Inc. All Rights Reserved.