
FortiGate Fixed Port Range IP Pools: A Comprehensive Technical Guide to Deterministic NAT Architecture


In today's carrier-grade and enterprise network environments, predictable Network Address Translation (NAT) behavior is no longer optional—it's a compliance, security, and operational necessity. Fortinet's Fixed Port Range IP pool type delivers deterministic NAT mapping through a reversible mathematical algorithm, enabling organizations to maintain audit trails, enforce security policies based on predictable public IP assignments, and optimize carrier-grade NAT (CGNAT) deployments at scale.

This comprehensive guide synthesizes official Fortinet documentation, community expertise, and field-tested configurations to deliver actionable intelligence for network architects, security engineers, and FortiGate administrators implementing Fixed Port Range NAT strategies.


Understanding Fixed Port Range: Core Concepts and Architecture

What Is Fixed Port Range IP Pool?

Fixed Port Range is a kernel-based CGNAT deterministic NAT method that establishes a mathematically reversible relationship between internal (private) IP addresses and external (public) IP addresses with associated port ranges. Unlike standard overload or one-to-one NAT pools, Fixed Port Range requires administrators to define both source and destination IP ranges, enabling predictable translation behavior essential for:

  • Security policy enforcement requiring known public egress IPs
  • Compliance auditing needing traceable session origins
  • Carrier-grade deployments managing thousands of subscribers with limited public IPv4 space
  • Inter-site communication where firewall rules depend on predictable source addressing

Key Architectural Distinctions

Feature                  | Fixed Port Range     | Overload NAT            | One-to-One NAT
Source IP Range Required | Yes                  | No                      | No
Deterministic Mapping    | Reversible algorithm | Random assignment       | Sequential mapping
Port Allocation Control  | Calculated ranges    | Dynamic first-available | Full port access per IP
Oversubscription Support | Intelligent reuse    | Standard PAT            | Dedicated IP per host
Forensic Traceability    | Probabilistic        | Limited                 | Direct mapping

The Fixed Port Range Algorithm: Mathematical Foundations

IP Address Mapping Logic

The Fixed Port Range algorithm uses integer arithmetic (truncated, not rounded) to calculate deterministic mappings. Understanding the variables is essential for capacity planning and troubleshooting:

Variables:

  • src_start: Starting IP of internal/source range
  • src_end: Ending IP of internal/source range
  • start: Starting IP of external/NAT range
  • end: Ending IP of external/NAT range
  • src_ip: Specific internal IP being translated

Step 1: Calculate the Distribution Factor

factor = (end - start + 1) / (src_end - src_start + 1) // Integer division: 32/10 = 3 (not 3.2) 

Step 2: Determine Translated IP Address

nat_ip = start + ((src_ip - src_start) × factor) 

Practical Example: With internal range 192.168.1.100-200 and external range 10.1.1.50-80, a session from 192.168.1.160 would map to 10.1.1.65 using this deterministic calculation.

Port Allocation Methodology

Port assignment adds complexity through the modulus function to distribute sessions across available port space while maintaining session uniqueness:

Port Variables:

  • snat_port_begin: Default 5117 (FortiOS 7.4.x)
  • snat_port_end: Default 65533
  • port_share: Total ports ÷ number of source IPs
  • first_port_choice: Initial port attempt for session

Port Share Calculation:

port_share = (snat_port_end - snat_port_begin + 1) / (src_end - src_start + 1) 

First Port Choice Determination:

first_port_choice = snat_port_begin + [MOD(src_ip - src_start, port_share) × port_share] 

Critical Note: The calculated first_port_choice represents the preferred port, not a guaranteed assignment. FortiOS employs first-come-first-served logic with iterative fallback if the preferred port is occupied, introducing controlled unpredictability essential for session scalability.


Configuration Implementation: CLI and GUI Best Practices

FortiOS 7.4.x Fixed Port Range Configuration (CLI)

    config firewall ippool
        edit "CGNAT_Deterministic_Pool"
            set type fixed-port-range
            set startip 203.0.113.10          # External IP range start
            set endip 203.0.113.20            # External IP range end
            set source-startip 10.10.1.1      # Internal IP range start
            set source-endip 10.10.1.254      # Internal IP range end
            set port-per-user 30208           # Ports allocated per internal IP
            set arp-reply enable              # Respond to ARP for pool IPs
            set arp-intf "wan1"               # Interface for ARP responses
            set comments "Deterministic CGNAT for subscriber subnet"
        next
    end

Policy Integration Example

    config firewall policy
        edit 10
            set name "Outbound_CGNAT_Subscribers"
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "subscriber_subnet"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set ippool enable
            set poolname "CGNAT_Deterministic_Pool"
            set nat enable
        next
    end

GUI Configuration Workflow

  1. Navigate to Policy & Objects > IP Pools
  2. Click Create New → Select IPv4 Pool
  3. Configure Type: Fixed Port Range
  4. Define External IP Range (startip/endip)
  5. Define Internal IP Range (source-startip/source-endip)
  6. Set port-per-user value (default: 30208)
  7. Enable ARP Reply and specify interface
  8. Apply to firewall policy via NAT section → Use IP Pool

Advanced Features: Oversubscription, Port Reuse, and Session Management

Intelligent Oversubscription Logic

Fixed Port Range supports controlled oversubscription, allowing public IP/port resources to be reused when session tuples (source IP:port, destination IP:port, protocol) remain unique. This differs fundamentally from traditional PAT:

Oversubscription Behavior:

  ✓ New session permitted if 5-tuple is unique
  ✓ Port reuse occurs without waiting for pool exhaustion
  ✓ Session clash detection prevents translation conflicts
  ✗ No guaranteed port-per-user limits during peak load

Port Selection Hierarchy

FortiOS employs a sophisticated port selection algorithm:

  1. Primary Attempt: Reuse original client source port (if within calculated range)
  2. Fallback Iteration: Sequential search through calculated port block starting from random offset (FortiOS 7.6+)
  3. Clash Resolution: Skip occupied ports; log error if entire block exhausted
  4. Oversubscription Trigger: Accept port reuse if resulting 5-tuple remains unique
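A simplified model of the selection hierarchy and oversubscription rule just described, added here as an example and not FortiOS code: candidate ports are tried in the order listed above, and a port counts as usable when the translated 5-tuple is unique. The block bounds, addresses and the zero fallback offset are constructed for illustration.

```python
class FixedRangeBlock:
    """Model of one internal IP's port block on one NAT IP (not FortiOS code):
    tracks the translated 5-tuples in use and picks ports per the hierarchy."""

    def __init__(self, nat_ip, first_port, last_port):
        self.nat_ip, self.first, self.last = nat_ip, first_port, last_port
        self.active = set()  # translated 5-tuples currently in use

    def _usable(self, port, dst_ip, dst_port, proto):
        # the oversubscription rule: an occupied port may still be reused when
        # the destination or protocol differs, because the tuple stays unique
        return (self.nat_ip, port, dst_ip, dst_port, proto) not in self.active

    def allocate(self, src_port, dst_ip, dst_port, proto, offset=0):
        """Return the NAT port chosen for a new session, or None when every
        port in the block already carries this exact 5-tuple (a clash)."""
        candidates = []
        # 1. primary attempt: keep the client's source port if it is in the block
        if self.first <= src_port <= self.last:
            candidates.append(src_port)
        # 2./3. fallback: walk the whole block from an offset (random in 7.6+,
        #       0 in this model), wrapping around and skipping clashing ports
        size = self.last - self.first + 1
        candidates.extend(self.first + (offset + i) % size for i in range(size))
        for port in candidates:
            if self._usable(port, dst_ip, dst_port, proto):
                self.active.add((self.nat_ip, port, dst_ip, dst_port, proto))
                return port
        return None  # 4. block exhausted for this destination: FortiOS logs a clash

    def release(self, port, dst_ip, dst_port, proto):
        """Session end: free the tuple so the port can be recycled."""
        self.active.discard((self.nat_ip, port, dst_ip, dst_port, proto))


def demo():
    """Constructed walk-through on a tiny four-port block."""
    blk = FixedRangeBlock("203.0.113.10", 5117, 5120)
    kept = blk.allocate(5118, "198.51.100.1", 443, "tcp")     # in range: keeps 5118
    moved = blk.allocate(5118, "198.51.100.1", 443, "tcp")    # clash: falls back to 5117
    reused = blk.allocate(40000, "198.51.100.2", 443, "tcp")  # out of range; 5117 reused, new dst
    return kept, moved, reused
```

Exhaustion shows up as None only when a destination has consumed every port in the block; traffic to other destinations keeps being translated, which is the behaviour the FAQ on port-per-user limits refers to.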

Version-Specific Considerations

Feature                  | FortiOS 7.4.x        | FortiOS 7.6+
Port Range Configuration | Fixed: 5117-65533    | Configurable via CLI
Port Randomness          | Sequential iteration | Configurable random offset
NAT64 Support            | Not available        | Fixed Port Range for NAT64
Diagnostic Commands      | Basic listing        | Enhanced statistics & filtering

Operational Diagnostics and Troubleshooting

Essential Diagnostic Commands

    # View Fixed Port Range pool mappings
    diagnose firewall ippool-fixed-range list natip 203.0.113.10

    # Sample Output:
    # ippool name=CGNAT_Pool, ip shared num=2, port num=30208
    # internal ip=10.10.1.1, nat ip=203.0.113.10, range=5117~35324
    # internal ip=10.10.1.2, nat ip=203.0.113.10, range=35325~65532

    # Monitor active sessions with NAT translation
    diagnose sys session list | grep -f '203.0.113.10'

    # Sample Session Entry:
    # hook=post dir=org act=snat 10.10.1.1:10029->8.8.8.8:443(203.0.113.10:10029)

    # Check for port allocation clashes (system logs)
    diagnose debug application ips -1
    diagnose debug enable
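The port-share arithmetic from the algorithm section, checked against the diagnostic output above, as an added Python example (not from this page or from Fortinet): it recomputes each internal IP's expected port block from the `ip shared num` field, which it assumes to be the number of internal IPs sharing one NAT IP, and flags any listed range that differs, has the wrong size, or overlaps another block on the same NAT IP. The sample text is a constructed copy of the output lines shown above.

```python
import re
from ipaddress import IPv4Address

SNAT_PORT_BEGIN, SNAT_PORT_END = 5117, 65533  # FortiOS 7.4.x defaults quoted above

HEADER_RE = re.compile(r"ip shared num=(\d+), port num=(\d+)")
ROW_RE = re.compile(r"internal ip=(\S+), nat ip=(\S+), range=(\d+)~(\d+)")


def port_block(internal_ip, src_start, shared_num):
    """Expected block: the port space is split into shared_num equal shares
    (truncated) and the IP's offset from src_start, modulo shared_num, picks one."""
    port_share = (SNAT_PORT_END - SNAT_PORT_BEGIN + 1) // shared_num
    offset = int(IPv4Address(internal_ip)) - int(IPv4Address(src_start))
    first = SNAT_PORT_BEGIN + (offset % shared_num) * port_share
    return first, first + port_share - 1


def parse_fixed_range_output(text):
    """Return (shared_num, port_num, rows) with rows of (internal_ip, nat_ip, lo, hi)."""
    shared_num = port_num = None
    rows = []
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            shared_num, port_num = int(m.group(1)), int(m.group(2))
        elif m := ROW_RE.search(line):
            rows.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return shared_num, port_num, rows


def check_mappings(text, src_start):
    """Return findings; an empty list means every listed range equals the computed
    block, spans port_num ports and overlaps no other block on the same NAT IP."""
    shared_num, port_num, rows = parse_fixed_range_output(text)
    if shared_num is None:
        return ["no 'ip shared num' header found in output"]
    findings, seen = [], {}
    for internal_ip, nat_ip, lo, hi in rows:
        if (lo, hi) != port_block(internal_ip, src_start, shared_num):
            findings.append(f"{internal_ip}: range {lo}~{hi} differs from computed block")
        if hi - lo + 1 != port_num:
            findings.append(f"{internal_ip}: block size {hi - lo + 1} != port num {port_num}")
        for other, (olo, ohi) in seen.get(nat_ip, {}).items():
            if lo <= ohi and olo <= hi:
                findings.append(f"{internal_ip} overlaps {other} on {nat_ip}")
        seen.setdefault(nat_ip, {})[internal_ip] = (lo, hi)
    return findings


# Constructed sample: a copy of the diagnostic output shown above
SAMPLE = """\
ippool name=CGNAT_Pool, ip shared num=2, port num=30208
internal ip=10.10.1.1, nat ip=203.0.113.10, range=5117~35324
internal ip=10.10.1.2, nat ip=203.0.113.10, range=35325~65532
"""
```

For the sample, `check_mappings(SAMPLE, "10.10.1.1")` returns an empty list; pasting real output with the pool's `source-startip` turns it into a quick audit of the device's actual mappings.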

Common Troubleshooting Scenarios

Scenario: Sessions failing with "port exhaustion" errors

  • Verify port-per-user aligns with expected concurrent sessions
  • Check for asymmetric routing causing duplicate session attempts
  • Review firewall policy order ensuring Fixed Port Range pool is evaluated
  • Monitor NPU resource utilization on high-throughput deployments

Scenario: Unpredictable public IP assignment despite deterministic algorithm

  • Confirm internal IP ranges don't overlap across multiple Fixed Port Range pools
  • Validate that source-startip/source-endip precisely match policy source addresses
  • Check for Central NAT table conflicts overriding policy-based NAT

Scenario: ARP resolution failures for pool IP addresses

  • Ensure arp-reply enable is configured
  • Verify arp-intf matches the egress interface
  • Confirm no conflicting ARP entries on adjacent network devices

Carrier-Grade Deployment Patterns and Reference Architectures

High-Availability Considerations

Fixed Port Range deployments in HA clusters require synchronized configuration and careful session synchronization planning:

FGCP Active-Passive CGNAT:

  ✓ Configuration syncs automatically between cluster members
  ✓ Session pickup preserves active translations during failover
  ✓ ARP replies handled by primary unit only

FGSP (Session Life Support Protocol):

  ✓ Enables active-active CGNAT with distributed session state
  ✓ Requires explicit session synchronization link configuration
  ✓ Critical for zero-downtime carrier deployments

Scaling Strategies for Large Subscriber Bases

Capacity Planning Formula:

    Available Sessions = (External IPs × Available Ports) ÷ port-per-user

Example Calculation:

  • External Pool: 203.0.113.10-20 (11 IPs)
  • Available Ports: 60,417 (5117-65533)
  • port-per-user: 30,208
  • Theoretical Capacity: (11 × 60,417) ÷ 30,208 = 22 concurrent users per external IP
  • With oversubscription: 3-5× practical multiplier achievable

Logging and Compliance Integration

Enable detailed CGNAT logging for regulatory compliance:

    config log fortianalyzer setting
        set status enable
        set cgnat-logging enable
    end

    config firewall ippool
        edit "CGNAT_Pool"
            set log-traffic enable
            set log-traffic-start enable  # Log session initiation
        next
    end

Export logs to SIEM/SOAR platforms using:

  • NetFlow/IPFIX for traffic analytics
  • FortiAnalyzer for centralized audit trails
  • RSSO enrichment for user attribution in logs

Frequently Asked Questions (FAQ)

Q: When should I choose Fixed Port Range over Overload or One-to-One NAT?

A: Select Fixed Port Range when you require: (1) predictable public IP mapping for security policies, (2) deterministic session tracing for compliance audits, (3) carrier-grade scalability with controlled oversubscription, or (4) inter-site firewall rules dependent on known egress addresses. Use Overload for simple PAT scenarios and One-to-One for dedicated public IP assignments.

Q: Can I guarantee a specific internal IP always maps to the same public IP?

A: Yes—the algorithm is deterministic. Given identical pool configurations and IP ranges, 192.168.1.100 will consistently map to the same calculated public IP. However, the port assigned may vary due to first-come-first-served allocation and oversubscription logic.

Q: Why doesn't my port-per-user setting strictly limit concurrent sessions?

A: Fixed Port Range supports intelligent oversubscription. When session tuples (5-tuple) remain unique, FortiOS permits port reuse beyond the configured port-per-user value. This maximizes resource utilization while preventing actual session conflicts. Strict enforcement requires complementary session-limiting policies.

Q: How do I troubleshoot "port clash" errors in logs?

A: Port clashes occur when all ports in a calculated block are occupied with conflicting 5-tuples. Mitigation strategies: (1) Increase external IP pool size, (2) Adjust port-per-user to better match usage patterns, (3) Implement session timeouts to accelerate port recycling, (4) Review application behavior for excessive ephemeral port consumption.

Q: Is Fixed Port Range compatible with IPv6 and NAT64?

A: As of FortiOS 7.6, Fixed Port Range supports NAT64 deployments with configurable port ranges. IPv6-only pools (ippool6) follow similar deterministic principles but use IPv6 addressing syntax. Verify version compatibility in release notes before deployment.

Q: Can I use Fixed Port Range with Central NAT (CNAT)?

A: Yes, but configuration precedence matters. Central NAT rules evaluate before policy-based NAT. Ensure Fixed Port Range pool references are correctly ordered in the CNAT table, and validate that source/destination address objects align with pool definitions.

Q: What diagnostic commands help verify Fixed Port Range operation?

A: Primary commands include: diagnose firewall ippool-fixed-range list, diagnose sys session filter, diagnose firewall iprope list, and diagnose debug flow. Combine with packet captures (diagnose sniffer packet) for end-to-end translation validation.


Conclusion: Strategic Implementation Recommendations

Fixed Port Range IP pools represent Fortinet's sophisticated approach to deterministic, scalable NAT for modern network architectures. Success requires:

  1. Precise capacity planning using the mathematical mapping formulas
  2. Version-aware configuration accounting for FortiOS 7.4 vs 7.6 feature differences
  3. Proactive monitoring of port utilization and session clash metrics
  4. Integration with logging infrastructure for compliance and forensic readiness
  5. HA/cluster validation to ensure seamless failover behavior

By mastering the algorithmic foundations and operational nuances detailed in this guide, network teams can deploy Fixed Port Range NAT with confidence—transforming IPv4 conservation challenges into predictable, auditable, and scalable network services.

Pro Tip: Always test Fixed Port Range configurations in a staging environment with representative traffic patterns before production deployment. Document your IP range calculations and port allocation assumptions to streamline future troubleshooting and capacity expansions.