Firewall Policy How FortiOS selects unused NAT ports
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903 411
http://docs.fortinet.com/
dst-ip: 172.20.120.2
src-port: 46372
dst-port: 80
Where 192.168.1.1 is the external IP address of the FortiGate unit and 46372 is an
unused port chosen by the FortiGate unit.
The following sections describe three solutions to choosing the unused port. These
solutions provide some context for the last section which describes how FortiOS chooses
an unused port.
Global pool
In this approach there is a single pool of ports which are available for assignment. When a
port is assigned it is removed from the pool. Because the port is removed from the pool, it
is not possible to assign the same port twice. Once a port is no longer needed for NAT it is
returned to the pool so that it can be assigned again.
For example, if the range is from 0x7000 (28672) to 0xF000 (61440) then there are 2^15
(32768) possible ports that can be simultaneously used (the reason for choosing this
range is described below). The maximum number of simultaneous connections is 32768.
This maximum is independent of transport protocol.
This approach was one of the first approaches used for choosing a NAT port because it is
simple to implement. It is viable if the number of connections is unlikely to reach the pool
size, for example in the case of a NAT firewall for home use. However, it is not really a
viable solution for a large university or ISP that would usually be processing thousands of
simultaneous sessions.
This is not the approach that FortiOS uses.
Global per-protocol pool
Using a global per-protocol pool extends the global pool approach by having a separate
pool for TCP and UDP. The chosen pool is a function of the protocol used. With the same
range of 32768 ports there are 32768 ports for UDP and 32768 ports for TCP, resulting in
a total of 65536 ports. The result is twice as many available ports, but this still would not
be enough for a university or ISP.
This is not the approach that FortiOS uses.
Per NAT IP pool
Using a per NAT IP pool extends the approach further so that rather than just a
per-protocol pool, the pool is also determined by the NAT IP. Thus, the pool is a function of
the protocol and the NAT IP. In the topology shown in Figure 221 on page 410 the NAT IP is
192.168.1.1. If there is only one NAT IP then this approach is no different from global
per-protocol pools. However, consider the topology shown in Figure 222 with two separate
Internet connections and thus two NAT IP addresses 192.168.1.1 and 192.168.2.2.
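The three pool strategies above, as an added simulation that is not from the FortiGate guide or FortiOS itself. It assumes the 0x7000 to 0xF000 range and the two NAT IPs named in the text, constructed session ids, and that the only difference between the strategies is the key that selects which pool a session draws its port from.

```python
# Added example (not from the FortiGate guide): simulate the global, global
# per-protocol and per NAT IP port pools to show how many simultaneous NAT
# sessions each can support before it runs out of unused ports.
from collections import defaultdict

PORT_RANGE = range(0x7000, 0xF000)  # 28672..61439: 2**15 ports, as in the text


class PortPools:
    """Pools of unused NAT ports, selected by a strategy-dependent key.

    'global'       -> one pool for every session
    'per_protocol' -> one pool per transport protocol (TCP, UDP)
    'per_nat_ip'   -> one pool per (protocol, NAT IP) pair
    """

    def __init__(self, strategy):
        self.strategy = strategy
        # Every pool starts full; a port leaves on assignment and returns on release.
        self.free = defaultdict(lambda: set(PORT_RANGE))
        self.in_use = {}  # session id -> (pool key, port)

    def _key(self, proto, nat_ip):
        if self.strategy == "global":
            return ()
        if self.strategy == "per_protocol":
            return (proto,)
        return (proto, nat_ip)

    def allocate(self, session, proto, nat_ip):
        """Return an unused port for the session, or None if its pool is exhausted."""
        pool = self.free[self._key(proto, nat_ip)]
        if not pool:
            return None
        port = pool.pop()  # removed from the pool, so it cannot be handed out twice
        self.in_use[session] = (self._key(proto, nat_ip), port)
        return port

    def release(self, session):
        """Put the session's port back into the pool it came from."""
        key, port = self.in_use.pop(session)
        self.free[key].add(port)


def capacity(strategy, nat_ips=("192.168.1.1", "192.168.2.2")):
    """Count simultaneous sessions that can be NATed across TCP/UDP and the NAT IPs."""
    pools, n = PortPools(strategy), 0
    for ip in nat_ips:
        for proto in ("tcp", "udp"):
            while pools.allocate(("constructed-session", n), proto, ip) is not None:
                n += 1
    return n
```

With the two NAT IPs from Figure 222, capacity("global") is 32768, capacity("per_protocol") is 65536 and capacity("per_nat_ip") is 131072, matching the text's reasoning that each refinement multiplies the usable port space.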
