eduplaa
New Contributor

What is the behavior of a FG when the NAT session table is full?

Hello,

I searched through the documentation without finding any key information about this question.

So imagine a Fortigate appliance NATting flows to a specific IP with a unique source IP.

Imagine now that the appliance reaches its source port or maybe session table limit.

What will the appliance do with the next TCP SYN?

Will it:

- drop the packets?
- forward it without NATting the source?
- reuse an already used dynamic source port?
- or any idea?

If you have any information about this, please let me know asap.

Best regards,

emnoc
Esteemed Contributor III

1st

I never heard of a NAT-table session limit.

2nd

The firewalls are "session" limited (based on model/CPU/mem); normal behavior is for the traffic to stop when we hit the limits.

You need to properly size the firewall for the max sustained sessions and the number of sessions opened per second (new). Keep in mind the 1st few packets in a session are not offloaded and actually use "bytes" of data.

PCNSE NSE StrongSwan
eduplaa
New Contributor

Hello,

Thank you emnoc for your answer.

I agree with you about the standard behavior of a firewall if its session table is full, but it was not my question.

I still believe a NAT table always has a limit, imposed by the manufacturer (i.e. Fortinet Central NAT Table entries) or by user-configured parameters.

Let me explain what I mean by user-specified parameters. When a TCP SYN reaches an SNAT device, the device will translate the source IP, and usually the source port, right?

Now imagine you use a single IP for SNAT, and that you have specified a source-port range including 64000 ports. If you have more than 64000 clients simultaneously connected, how could the NAT device do the job without any source port available? So the NAT table, or NAT pool, is exhausted. Do you agree?

Maybe I should call it a session table, but this is not the firewall one, this is the NAT one.

Maybe someone could confirm (or not) the behavior of a Fortigate with a full NAT table?

emnoc
Esteemed Contributor III

Yes, that's correct, a single IPv4 address will have an ephemeral range of 1024-64k, but that's not a NAT-table issue, that's an ephemeral port issue.

In the above example, that will be a "clash" condition and the diag sys session will show outcomes when you have a clash, and yes, with no ephemeral port available, that session will not make it out the firewall.

e.g.

    kenfwd $ diag sys session stat | grep lash
    misc info:     session_count=96939 setup_rate=959 exp_count=1369 clash=923665   <----look here

So if you need more ephemeral ports, you need a big SNAT pool. AFAIK, no matrix or max value is listed for just "nat or xlate" tables per hardware device.
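A small monitoring script, added here as an example and not code from the thread or from Fortinet, that parses the "misc info:" line shown above from successive `diag sys session stat` runs and flags SNAT port exhaustion: a cumulative `clash` counter that keeps growing means new sessions are failing to get a free source port right now. The sample lines, the `warn_ratio` knob and the assumption that every translated session consumes its own (ip, port) pair are constructed for the example.

```python
import re

# Constructed sample "misc info:" lines from consecutive 'diag sys session stat'
# runs, in the shape quoted in the thread; the numbers are made up.
SAMPLES = [
    "misc info:     session_count=96939 setup_rate=959 exp_count=1369 clash=923665",
    "misc info:     session_count=97102 setup_rate=1020 exp_count=1371 clash=923665",
    "misc info:     session_count=98877 setup_rate=1410 exp_count=1402 clash=925870",
]

COUNTER_RE = re.compile(r"(\w+)=(\d+)")


def parse_misc_info(line):
    """Return the key=value counters of a 'misc info:' line as a dict of ints."""
    if "misc info" not in line:
        raise ValueError("not a 'misc info:' line: %r" % line)
    return {key: int(val) for key, val in COUNTER_RE.findall(line)}


def snat_capacity(public_ips, port_lo=1024, port_hi=65535):
    """Upper bound on concurrent SNAT sessions if every session takes its own
    (ip, port) pair, as the thread assumes.  The 1024-65535 default is the
    ephemeral range emnoc mentions; adjust it to the pool's configured range."""
    return public_ips * (port_hi - port_lo + 1)


def exhaustion_alerts(lines, public_ips, warn_ratio=0.8):
    """Flag samples where the cumulative clash counter grew (new sessions are
    failing to get a free port right now) or where session_count nears the
    pool's port capacity.  session_count includes non-NAT sessions too, so the
    second check is only a coarse proxy; warn_ratio is an assumed tuning knob."""
    alerts = []
    capacity = snat_capacity(public_ips)
    prev = None
    for i, line in enumerate(lines):
        cur = parse_misc_info(line)
        if prev is not None and cur["clash"] > prev["clash"]:
            alerts.append("sample %d: clash counter grew by %d"
                          % (i, cur["clash"] - prev["clash"]))
        if cur["session_count"] >= capacity * warn_ratio:
            alerts.append("sample %d: session_count %d is at %d%% of %d SNAT ports"
                          % (i, cur["session_count"],
                             cur["session_count"] * 100 // capacity, capacity))
        prev = cur
    return alerts


if __name__ == "__main__":
    for alert in exhaustion_alerts(SAMPLES, public_ips=2, warn_ratio=0.76):
        print(alert)
```

In practice the samples would come from the CLI output collected on a schedule, and the first alert line (a non-zero clash delta) is the one worth paging on.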
MikePruett
Valued Contributor

EMNOC is right. The device falls on its face and clashes.

Mike Pruett Fortinet GURU | Fortinet Training Videos
emnoc
Esteemed Contributor III

Don't know about falling on its face, but if you have ephemeral port exhaustion due to SNAT, then a session will not kick off. The same for any firewall (non-Fortigate) btw.

It isn't like the firewall will let a packet sneak on by ;)

What a lot of big enterprises, schools, etc. do is to split the network up into chunks. I like the /22 model (one public address per /22), or they even double SNAT when they are limited to a few public addresses.
MupEHcEH
New Contributor

Hi emnoc,

I am looking at the same issue, great answer!

However, I want to ask... since in our case we have a pool of multiple public IPs used in different rules, plus the destination interface IP used in some as well...

Is there a way to check on which IP or which rule (or both) the exhaustion happens?

Forgot to mention we have a high amount of those.

Thanks!
