How FortiOS selects unused NAT ports Firewall Policy
FortiGate Version 4.0 MR1 Administration Guide
412 01-410-89802-20090903
http://docs.fortinet.com/
Figure 222: Example university Internet connection topology with two Internet connections
If the FortiGate configuration includes equal-cost multipath (ECMP) routing, both Internet connections can be used simultaneously, and the maximum number of connections is N*R*P, where N is the number of NAT IP addresses, R is the port range, and P is the number of protocols. So for the case where there are two NAT IPs, the port range is 32768 and the protocols are TCP and UDP, the maximum number of simultaneous connections is:
2*32768*2 = 131,072
This solution scales with the number of NAT IPs that can be deployed and so could feasibly be used by a university or a small ISP.
This is not the approach that FortiOS uses.
Per NAT IP, destination IP, port, and protocol pool
This is the approach that FortiOS uses.
Using a per NAT IP, destination IP, port, and protocol pool is a further refinement that expands the pool to be a function of the protocol, NAT IP, destination IP and destination port.
The reason for using these attributes to determine the pool is a consequence of the session-based design of the FortiOS firewall. When a TCP connection is made through a FortiGate unit, a session is created and two indexes are created for the session. The FortiGate unit uses these indexes to guide matching traffic to the session.
One index is for traffic flowing in the same direction as the packet that initiated the creation of the session:
src-ip: 10.78.33.97
dst-ip: 172.20.120.2
proto: tcp
src-port: 10000
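The following is an added illustration, not FortiOS code: a simplified model of the two pool designs described above, the N*R*P per-NAT-IP pool and the pool keyed on NAT IP, destination IP, destination port and protocol, together with the reply-direction session index that makes reusing a NAT port across different destinations safe. The 32768-port range, the addresses and the sessions are constructed sample values; the capacity formula for the destination-keyed pool (N*R*P times the number of distinct destination IP/port pairs) is the implication of the text, not a figure the guide states.

```python
"""Simplified model of NAT source-port pools (added example, not FortiOS code)."""
from collections import defaultdict

PORT_LOW, PORT_HIGH = 32768, 65535      # assumed 32768-port NAT range, as in the text


def per_nat_ip_capacity(nat_ips, port_range, protocols):
    """Maximum simultaneous connections with one pool per NAT IP and protocol (N*R*P)."""
    return len(nat_ips) * port_range * len(protocols)


def per_destination_capacity(nat_ips, port_range, protocols, destinations):
    """Same formula when the pool is also keyed on (dst IP, dst port): N*R*P*D."""
    return per_nat_ip_capacity(nat_ips, port_range, protocols) * len(destinations)


class DestinationKeyedNat:
    """Allocates NAT source ports from a pool keyed on (NAT IP, dst IP, dst port, proto).

    A NAT port only has to be unique among sessions to the same destination IP, port
    and protocol, because the reply-direction index (dst -> NAT IP:port, proto) still
    identifies exactly one session.
    """

    def __init__(self, nat_ip):
        self.nat_ip = nat_ip
        self.used = defaultdict(set)    # pool key -> NAT ports currently in use
        self.sessions = {}              # reply-direction index -> original (src ip, src port)

    def allocate(self, src, dst, proto):
        """src and dst are (ip, port) tuples; returns the NAT port, or None if exhausted."""
        pool = (self.nat_ip, dst[0], dst[1], proto)
        for port in range(PORT_LOW, PORT_HIGH + 1):
            if port not in self.used[pool]:
                self.used[pool].add(port)
                # What the unit looks up when the reply packet arrives from dst.
                self.sessions[(dst[0], dst[1], self.nat_ip, port, proto)] = src
                return port
        return None     # only this destination's pool is exhausted; others are unaffected

    def lookup_reply(self, dst, nat_port, proto):
        """Map a reply arriving at NAT IP:nat_port from dst back to the original source."""
        return self.sessions.get((dst[0], dst[1], self.nat_ip, nat_port, proto))
```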
[Figure 222 labels: Student Network 10.0.0.0/8 with hosts Student A, Student B, Student C ... Student Z; Internet destinations Video Sharing 172.20.120.1, Search Engine 172.20.120.2, Social Networking 172.20.120.3; External IP addresses 192.168.1.1 and 192.168.2.2]