Mastering FortiGate IP Pools: A Comprehensive Guide to Overload, One-to-One, and Advanced NAT Configurations
Network Address Translation (NAT) remains a cornerstone of modern network security and IP management. For Fortinet administrators, understanding the nuances of IP Pools is essential for designing efficient, secure, and scalable network architectures. FortiOS offers several IP Pool types, each designed for specific use cases, from basic internet sharing to complex carrier-grade deployments.
This comprehensive guide synthesizes information from official Fortinet documentation, community expertise, and technical resources to explain the critical differences between Overload and One-to-One IP Pools, explore advanced configurations like CGN (Carrier-Grade NAT) resource allocation, and provide practical troubleshooting insights.
Understanding IP Pool Fundamentals
An IP Pool in FortiOS defines a collection of IP addresses (single or range) used for Source NAT (SNAT). When traffic matches a firewall policy with NAT enabled and an IP Pool assigned, the FortiGate replaces the original source IP address with an address from the pool. This mechanism hides internal network topology and conserves public IPv4 addresses.
A critical limitation exists: IP pool addresses must belong to the same subnet as the FortiGate's outgoing interface. If you assign addresses from a different subnet, communication will fail unless proper routing and proxy ARP are configured.
FortiOS supports four primary IP Pool types:
- Overload (Dynamic PAT)
- One-to-One (Static NAT)
- Fixed Port Range
- Port Block Allocation (CGN)
Overload IP Pools: Dynamic Port Address Translation
How Overload Works
Overload is the default IP Pool type in FortiOS. It enables multiple internal hosts to share a single public IP address through Port Address Translation (PAT). When internal hosts initiate connections, the FortiGate:
- Translates the private source IP to the public IP from the pool
- Assigns a unique source port to track each session
- Maintains a session table to route return traffic correctly
A Fortinet community expert explains: "Overload is the default setting. Internal addresses other than the one designated in the policy can use this address for the purposes of NAT."
Key Characteristics
| Feature | Description |
|---|---|
| Concurrency | Multiple internal IPs share one external IP |
| Port Usage | Dynamic port allocation (up to ~65,000 sessions per IP) |
| Use Case | General internet access for many users |
| Configuration Complexity | Low |
Practical Applications
Organizations commonly use Overload pools when:
- Employees need general internet access
- Multiple devices share a single public IP
- Outbound traffic volume is moderate
One community member shared their enterprise implementation: "We have 256 public IPs and use a different one for each internal subnet (guest WiFi, student WiFi, staff WiFi). This helps narrow things down if someone gets infected—when we see what public IP they came from, we know immediately which VLAN to investigate."
Configuration Example
```
config firewall ippool
    edit "Corporate_Users"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
        set arp-reply enable
    next
end
config firewall policy
    edit 100
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_Subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Corporate_Users"
    next
end
```
`set nat enable` is placed before `set ippool enable` and `set poolname` because the policy's IP pool options only become available once NAT is enabled on the policy.
One-to-One IP Pools: Static Address Mapping
How One-to-One Works
One-to-One IP Pools establish a fixed relationship between internal and external IP addresses. Each internal host using the policy receives a dedicated public IP address. The FortiGate creates a static mapping: the first internal IP in the source address range maps to the first IP in the pool, the second to the second, and so on.
One source clarifies: "The FortiGate assigns the lowest source IP in the address object to the lowest IP address of the IP Pool and increments up from there."
Key Characteristics
| Feature | Description |
|---|---|
| Concurrency | One-to-one IP correspondence |
| Port Usage | Full port range available per host (65,535 ports) |
| Use Case | Servers, applications requiring consistent source IP |
| Configuration Complexity | Medium (requires matching address objects) |
Critical Consideration: Pool Exhaustion
A Fortinet Knowledge Base article warns: "With One-to-One configuration, only the first device to attempt to access the Internet will be able to do so. Additional devices will have connections dropped."
When all pool addresses are assigned, the FortiGate logs "IPpool natip has been exhausted" and drops new connection attempts. The firewall policy may show a warning icon in the GUI when exhaustion occurs.
Practical Applications
One-to-One pools are ideal when:
- Hosting servers that need consistent public IPs for security policies
- Applications require dedicated IP addresses (e.g., legacy systems)
- You need to map specific internal users to specific public IPs for compliance
- Running services where the source IP must match DNS records (e.g., email servers)
One source notes: "Anti-spam services match the source IP address of mail traffic to the MX record. If there's a mismatch, mail may not get through."
Configuration Example
```
config firewall address
    edit "Internal_Servers"
        set type iprange
        set start-ip 192.168.10.10
        set end-ip 192.168.10.12
    next
end
config firewall ippool
    edit "Server_Public_IPs"
        set type one-to-one
        set startip 203.0.113.20
        set endip 203.0.113.22
        set arp-reply enable
    next
end
config firewall policy
    edit 101
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Internal_Servers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Server_Public_IPs"
    next
end
```
The address object and the pool both contain exactly three addresses, so every host in "Internal_Servers" can be given its own public IP. `set nat enable` precedes the pool options for the same reason as in the Overload example.
Comparative Analysis: Overload vs. One-to-One
| Aspect | Overload | One-to-One |
|---|---|---|
| Address Ratio | Many-to-One | One-to-One |
| Port Management | Dynamic port sharing | Full port range per IP |
| Session Capacity | ~65,535 per public IP | 65,535 per mapped IP |
| Address Exhaustion | Rare (ports exhaust first) | Common if pool is too small |
| Logging/Tracking | Source IP hidden, port-based tracking | Clear source IP visibility |
| Ideal For | General users, web browsing | Servers, applications, compliance needs |
| Troubleshooting | Harder to trace specific users | Easy IP-based identification |
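As an added example (not code from the article or from Fortinet), the following Python model reproduces the two translation behaviours described above: an Overload pool shares one pool address across hosts, gives each session a unique NAT port and keeps a session table for return traffic; a One-to-One pool binds each internal host to its own pool address and drops a host that arrives after the pool is fully assigned, recording the log message quoted earlier. The class names, the lowest-address-first assignment order, the port range and the sample hosts are assumptions of the example.

```python
# Added example: a toy model of Overload (PAT) and One-to-One SNAT behaviour.
# It is not FortiOS code; only the pool semantics described in the article are modelled.
from ipaddress import IPv4Address

EXHAUSTED = "IPpool natip has been exhausted"   # log text quoted in the article


def ip_range(start, end):
    """Expand 'startip'..'endip' into a list of IPv4Address objects."""
    first, last = int(IPv4Address(start)), int(IPv4Address(end))
    return [IPv4Address(n) for n in range(first, last + 1)]


class OverloadPool:
    """Many-to-one: hosts share the pool address(es); each session gets a unique NAT port."""

    def __init__(self, startip, endip, port_start=1024, port_end=65535):
        self.ips = ip_range(startip, endip)
        self.ports = range(port_start, port_end + 1)
        self.used = {ip: set() for ip in self.ips}      # NAT ports in use per pool IP
        self.sessions = {}                               # (nat_ip, nat_port) -> (src_ip, src_port)

    def translate(self, src_ip, src_port):
        """Pick the first pool IP with a free port; return (nat_ip, nat_port), or None when ports run out."""
        for nat_ip in self.ips:
            nat_port = next((p for p in self.ports if p not in self.used[nat_ip]), None)
            if nat_port is not None:
                self.used[nat_ip].add(nat_port)
                self.sessions[(str(nat_ip), nat_port)] = (src_ip, src_port)
                return str(nat_ip), nat_port
        return None

    def untranslate(self, nat_ip, nat_port):
        """Session-table lookup used to deliver return traffic to the original host."""
        return self.sessions.get((nat_ip, nat_port))

    def close(self, nat_ip, nat_port):
        """Session ended: free the NAT port so another host can reuse it."""
        self.sessions.pop((nat_ip, nat_port), None)
        self.used[IPv4Address(nat_ip)].discard(nat_port)


class OneToOnePool:
    """One-to-one: each internal host is bound to its own pool address; source ports are preserved."""

    def __init__(self, startip, endip):
        self.free = ip_range(startip, endip)   # lowest address handed out first (assumption)
        self.bound = {}                        # src_ip -> nat_ip
        self.log = []

    def translate(self, src_ip, src_port):
        if src_ip not in self.bound:
            if not self.free:                  # pool exhausted: the new host is dropped
                self.log.append(f"{EXHAUSTED} (host {src_ip})")
                return None
            self.bound[src_ip] = self.free.pop(0)
        return str(self.bound[src_ip]), src_port


def demo():
    """Three hosts through a single-IP Overload pool, four hosts through a three-IP One-to-One pool."""
    overload = OverloadPool("203.0.113.10", "203.0.113.10")
    pat = [overload.translate(f"192.168.1.{n}", 50000) for n in (10, 11, 12)]
    one2one = OneToOnePool("203.0.113.20", "203.0.113.22")
    static = [one2one.translate(f"192.168.10.{n}", 50000) for n in (10, 11, 12, 13)]
    return {"overload": pat, "one_to_one": static, "log": one2one.log,
            "return_path": overload.untranslate("203.0.113.10", 1025)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the three Overload sessions sharing 203.0.113.10 on ports 1024, 1025 and 1026, the first three One-to-One hosts receiving 203.0.113.20 through .22 with their source port intact, and the fourth host being dropped with the exhaustion message; `close()` on the Overload pool shows why port exhaustion there is rare in practice, since a finished session immediately returns its port to the pool.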
Advanced Configuration: CGN Resource Allocation
Overload with Single Port Allocation
For service providers and large enterprises, FortiOS offers Carrier-Grade NAT (CGN) capabilities through specialized IP Pool types. The Overload with Single Port Allocation (available in Hyperscale Firewall configurations) represents the most efficient use of public IP resources.
According to Fortinet's Hyperscale Firewall Guide: "An overload single port allocation CGN resource allocation IP pool assigns single ports instead of ranges of ports. This type of CGN IP pool conserves ports by effectively reducing the port block size to 1."
Key Features
- Maximum Efficiency: Ports are allocated individually, not in blocks
- No Per-Client Limits: Clients can use any available port
- Dynamic Reuse: Ports are re-used across different clients as sessions end
- Scalability: Ideal for networks with massive numbers of clients
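To make the "port block size of 1" point concrete, here is an added Python model (not Fortinet code) of one public IP's port space handed out by a CGN allocator. With a block size greater than 1 a client reserves a whole block on its first session, which models port block allocation; with a block size of 1 ports are reserved individually, which is what single port allocation does. The class name, the 64-port block and the constructed client addresses are assumptions of the example; the workload comparison goes slightly beyond the article by also showing block reuse when a client's sessions end.

```python
# Added example: one public IP's port space under CGN port block allocation versus
# single port allocation (block size 1). A simplification of the article's description,
# not FortiOS code; the class name and the 64-port block are assumptions.


class CgnPortAllocator:
    """Hands ports of one public IP to clients in blocks of `block_size` ports.

    block_size > 1 models port block allocation (a client reserves a whole block);
    block_size == 1 models single port allocation (ports reserved individually).
    """

    def __init__(self, port_start=1024, port_end=65535, block_size=64):
        self.free_blocks = [range(p, min(p + block_size, port_end + 1))
                            for p in range(port_start, port_end + 1, block_size)]
        self.client_blocks = {}   # client -> blocks currently reserved for it
        self.in_use = {}          # port -> client

    def allocate(self, client):
        """Return a port for a new session of `client`, or None when the IP's ports are exhausted."""
        for block in self.client_blocks.get(client, []):
            for port in block:
                if port not in self.in_use:       # reuse spare capacity in an owned block
                    self.in_use[port] = client
                    return port
        if not self.free_blocks:
            return None
        block = self.free_blocks.pop(0)
        self.client_blocks.setdefault(client, []).append(block)
        self.in_use[block[0]] = client
        return block[0]

    def release(self, port):
        """Session ended: free the port, and return its block to the pool once the block is empty."""
        client = self.in_use.pop(port)
        for block in self.client_blocks[client]:
            if port in block and not any(p in self.in_use for p in block):
                self.client_blocks[client].remove(block)
                self.free_blocks.append(block)
                break

    def reserved_ports(self):
        """Ports unavailable to other clients, whether in use or merely held inside a reserved block."""
        return sum(len(b) for blocks in self.client_blocks.values() for b in blocks)


def compare(clients=10, sessions_per_client=3):
    """Ports reserved for the same workload under 64-port blocks and under single ports."""
    results = []
    for block_size in (64, 1):
        alloc = CgnPortAllocator(block_size=block_size)
        for c in range(clients):
            for _ in range(sessions_per_client):
                alloc.allocate(f"100.64.0.{c + 1}")   # constructed client addresses
        results.append(alloc.reserved_ports())
    return tuple(results)


if __name__ == "__main__":
    blocked, single = compare()
    print(f"64-port blocks reserve {blocked} ports; single port allocation reserves {single}")
```

For ten clients with three sessions each, block allocation reserves 640 ports while single port allocation reserves 30, which is the conservation effect the Hyperscale guide describes; the trade-off, visible in `release()`, is that single ports give no per-client grouping that a log consumer could use to attribute a port range to one subscriber.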
Configuration Example (CLI)
```
config firewall ippool
    edit "CGN_Pool"
        set type cgn-resource-allocation
        set startip 203.0.113.100
        set endip 203.0.113.200
        set cgn-spa enable
        set cgn-overload enable
        set cgn-port-start 1024
        set cgn-port-end 65535
        set utilization-alarm-raise 90
        set utilization-alarm-clear 80
        set arp-reply enable
    next
end
```
Use Cases
- ISP Networks: Serving thousands of subscribers with limited IPv4 addresses
- Large Enterprises: Massive outbound traffic requirements
- Transition to IPv6: Extending IPv4 lifespan during migration
Troubleshooting IP Pool Issues
Common Problems and Solutions
1. One-to-One Pool Exhaustion
Symptoms:
- New devices cannot access internet
- Logs show "IPpool natip has been exhausted"
- Traffic denied with "NAT Translation noop"
Solutions (per Fortinet KB):
- Change pool type to Overload
- Expand the external IP range
- Restrict policy to fewer devices and create additional policies
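Rather than waiting for users to report failures, the exhaustion message quoted above can be picked up from the event log feed. The following Python snippet is an added example (not Fortinet code) that parses FortiOS-style key=value log lines, extracts the exhaustion events and raises an alert when several occur within a short window. The sample lines are constructed; only the message text comes from the article, and the surrounding fields, the five-minute window and the threshold of three events are assumptions.

```python
# Added example: detect "IPpool natip has been exhausted" events in key=value logs.
# The log lines below are constructed for the example; the field set is assumed and
# only the msg text is taken from the article.
import re
from datetime import datetime, timedelta

EXHAUSTED_MSG = "IPpool natip has been exhausted"

SAMPLE_LOGS = """\
date=2024-05-01 time=09:00:01 type="event" subtype="system" level="notice" vd="root" msg="User admin logged in"
date=2024-05-01 time=09:01:10 type="event" subtype="system" level="warning" vd="root" msg="IPpool natip has been exhausted"
date=2024-05-01 time=09:01:12 type="event" subtype="system" level="warning" vd="root" msg="IPpool natip has been exhausted"
date=2024-05-01 time=09:02:30 type="event" subtype="system" level="warning" vd="root" msg="IPpool natip has been exhausted"
date=2024-05-01 time=09:40:00 type="event" subtype="system" level="warning" vd="root" msg="IPpool natip has been exhausted"
"""

# key=value pairs; quoted values may contain spaces and escaped quotes
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def exhaustion_events(text):
    """Timestamps of every line whose msg is the pool-exhaustion message."""
    events = []
    for line in text.splitlines():
        fields = parse_kv(line)
        if fields.get("msg") == EXHAUSTED_MSG:
            events.append(datetime.fromisoformat(f"{fields['date']} {fields['time']}"))
    return events


def bursts(events, window=timedelta(minutes=5), threshold=3):
    """Start times of windows that hold at least `threshold` exhaustion events."""
    events = sorted(events)
    alerts = []
    for i, start in enumerate(events):
        count = sum(1 for t in events[i:] if t - start < window)
        if count >= threshold:
            alerts.append(start)
    return alerts


if __name__ == "__main__":
    found = exhaustion_events(SAMPLE_LOGS)
    print(f"{len(found)} exhaustion events; bursts at {bursts(found)}")
```

On the sample the three events between 09:01 and 09:03 form one burst and the isolated event at 09:40 does not, which is the distinction an operator wants: a single exhaustion message may be a transient, but a cluster means the pool is undersized for the policy and one of the three fixes listed above is due.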
2. ARP Issues
Problem: External hosts cannot reach translated addresses because the FortiGate isn't responding to ARP requests.
Solution: Enable ARP reply on the IP pool:
```
set arp-reply enable
set arp-intf "wan1"
```
3. Session Limits
Problem: Users experience connection failures despite available IP addresses.
Solution: Calculate port capacity. Each public IP supports approximately 65,535 concurrent sessions. Monitor with:
```
diagnose sys session list
diagnose firewall ippool list
```
Best Practices for IP Pool Implementation
Planning Phase
- Audit Requirements: Count internal hosts needing NAT and their traffic patterns
- Public IP Inventory: Document available public addresses
- Match Pool Type to Use Case:
- General users → Overload
- Servers/Applications → One-to-One
- Massive scale → CGN pools
Configuration Guidelines
- Subnet Alignment: Ensure pool addresses match the outgoing interface subnet or configure proper routing
- Address Objects: For One-to-One, create address objects with exactly the same number of IPs as the pool
- Monitoring: Set up utilization alerts for critical pools
- Documentation: Maintain clear records of which internal resources use which pool
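The subnet-alignment and address-object guidelines can be checked before a configuration is pushed. The following Python script is an added example (not Fortinet code) that parses a FortiOS CLI snippet, then for every policy that uses an IP pool verifies that the pool's addresses fall inside the outgoing interface's subnet and that a One-to-One pool has at least as many addresses as the source object has hosts. The sample configuration is constructed for the example (the interface address, the "Stray_Pool" and the oversized "Internal_Servers" range are assumptions), and the parser handles top-level tables only.

```python
# Added example: a pre-deployment check for the configuration guidelines above,
# run against a constructed FortiOS CLI snippet. Not Fortinet code.
import shlex
from ipaddress import IPv4Address, IPv4Network

SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set ip 203.0.113.1 255.255.255.0
    next
end
config firewall address
    edit "Internal_Servers"
        set type iprange
        set start-ip 192.168.10.10
        set end-ip 192.168.10.14
    next
end
config firewall ippool
    edit "Server_Public_IPs"
        set type one-to-one
        set startip 203.0.113.20
        set endip 203.0.113.22
    next
    edit "Stray_Pool"
        set type overload
        set startip 198.51.100.5
        set endip 198.51.100.5
    next
end
config firewall policy
    edit 101
        set dstintf "wan1"
        set srcaddr "Internal_Servers"
        set nat enable
        set ippool enable
        set poolname "Server_Public_IPs"
    next
    edit 102
        set dstintf "wan1"
        set srcaddr "LAN_Subnet"
        set nat enable
        set ippool enable
        set poolname "Stray_Pool"
    next
end
"""


def parse_fortios(text):
    """Flatten FortiOS CLI text into {table: {entry: {key: [values]}}}; nested sub-tables are skipped."""
    tables, depth, table, entry = {}, 0, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            depth += 1
            if depth == 1:
                table = tables.setdefault(" ".join(args), {})
        elif cmd == "end":
            depth -= 1
        elif depth == 1 and cmd == "edit":
            entry = table.setdefault(args[0], {})
        elif depth == 1 and cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif depth == 1 and cmd == "next":
            entry = None
    return tables


def ip_count(start, end):
    return int(IPv4Address(end)) - int(IPv4Address(start)) + 1


def check_ippools(cfg):
    """Return a finding string for each guideline violation in the NAT policies."""
    findings = []
    pools, addrs = cfg.get("firewall ippool", {}), cfg.get("firewall address", {})
    ifaces = cfg.get("system interface", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("ippool", ["disable"])[0] != "enable":
            continue
        pname, outif = pol["poolname"][0], pol["dstintf"][0]
        pool = pools.get(pname)
        if pool is None:
            findings.append(f"policy {pid}: pool {pname} is not defined")
            continue
        start, end = pool["startip"][0], pool["endip"][0]
        # Guideline: pool addresses should sit in the outgoing interface's subnet
        if "ip" in ifaces.get(outif, {}):
            addr, mask = ifaces[outif]["ip"]
            net = IPv4Network(f"{addr}/{mask}", strict=False)
            if IPv4Address(start) not in net or IPv4Address(end) not in net:
                findings.append(f"policy {pid}: pool {pname} ({start}-{end}) is outside "
                                f"{outif} subnet {net}; routing/proxy ARP required")
        # Guideline: a One-to-One pool needs at least as many addresses as source hosts
        if pool.get("type", [""])[0] == "one-to-one":
            src = addrs.get(pol["srcaddr"][0], {})
            if src.get("type", [""])[0] == "iprange":
                hosts, size = ip_count(src["start-ip"][0], src["end-ip"][0]), ip_count(start, end)
                if hosts > size:
                    findings.append(f"policy {pid}: {hosts} hosts in {pol['srcaddr'][0]} but only "
                                    f"{size} addresses in one-to-one pool {pname}; exhaustion likely")
            else:
                findings.append(f"policy {pid}: source object {pol['srcaddr'][0]} is not an iprange; "
                                f"size it against one-to-one pool {pname} manually")
    return findings


if __name__ == "__main__":
    for finding in check_ippools(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Against the sample, policy 101 is flagged because five hosts share a three-address One-to-One pool, and policy 102 is flagged because "Stray_Pool" lives in 198.51.100.0/24 while wan1 sits in 203.0.113.0/24. Run the same check over a real configuration backup to catch both problems before the first "natip has been exhausted" log appears.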
Security Considerations
- IP Reputation: Some services (banking, email) may block traffic from overload pools due to abuse potential
- Tracking: Overload pools make forensic analysis harder; consider segmented pools for different user groups
- DDoS Protection: One-to-One pools expose internal hosts more directly; ensure proper security profiles
Real-World Scenarios
Scenario 1: Small Business with Single Public IP
- Requirement: 50 employees need internet access
- Solution: Default interface-based NAT (no pool needed) or a single-IP Overload pool
- Why: Efficient port sharing maximizes a limited IP resource
Scenario 2: Web Hosting Company
- Requirement: 20 customer servers need dedicated public IPs
- Solution: One-to-One pool with 20 IPs
- Why: Servers need consistent IPs for DNS, SSL certificates, and inbound access
Scenario 3: University Campus
- Requirement: 10,000 students, staff, and guests need internet access
- Solution: Multiple Overload pools segmented by user type, possibly CGN for high-density areas
- Why: Enables traffic segmentation and easier troubleshooting while managing massive scale
Scenario 4: Email Server Behind FortiGate
- Requirement: Outbound email must appear from the specific IP matching the MX record
- Solution: One-to-One pool dedicated to the mail server
- Why: Ensures email deliverability and anti-spam compliance
Frequently Asked Questions
1. What happens when a One-to-One IP Pool runs out of addresses?
New connection attempts from additional internal hosts will be dropped. The FortiGate logs "IPpool natip has been exhausted," and traffic logs show "NAT Translation noop." You must either expand the pool, change to Overload, or restrict which devices use that policy.
2. Can I use the same IP Pool in multiple firewall policies?
Yes, but exercise caution. If using One-to-One, the same IP cannot be assigned to multiple internal hosts simultaneously. For Overload, sharing across policies is common but monitor for port exhaustion.
3. How many sessions can one public IP handle?
Theoretical maximum is 65,535 sessions per IP (based on port numbers). In practice, factors like memory, CPU, and application behavior may lower this limit. CGN pools can extend this through efficient port management.
4. Why would I choose One-to-One over Overload?
Choose One-to-One when internal servers must maintain consistent source IP addresses for:
- DNS records (MX, A records)
- Application-specific security policies
- Compliance requirements
- Simplified logging and troubleshooting
5. What's the difference between IP Pool and Virtual IP (VIP)?
IP Pools handle Source NAT (outbound traffic)—changing the source IP of outgoing packets. Virtual IPs handle Destination NAT (inbound traffic)—changing the destination IP of incoming packets to reach internal servers.
6. Do I need ARP reply enabled for IP Pools?
Enable ARP reply if the pool uses IPs on the same subnet as the FortiGate interface and you need the FortiGate to respond to ARP requests for those addresses. This is typically necessary for proper routing.
7. Can I mix Overload and One-to-One in the same deployment?
Absolutely. Many organizations use One-to-One for servers and Overload for general user traffic within the same FortiGate.
8. How do I monitor IP Pool utilization?
Use CLI commands:
```
diagnose firewall ippool list
diagnose sys session filter
diagnose sys session list
```
Or configure SNMP traps with the utilization-alarm-raise and utilization-alarm-clear parameters.
Conclusion
Mastering FortiGate IP Pools is essential for network architects and security professionals. The choice between Overload and One-to-One fundamentally impacts how your network utilizes public IP addresses, handles concurrent connections, and enables troubleshooting.
Overload pools excel in general-purpose internet access, maximizing limited IP resources through port sharing. They're the default choice for most user traffic and require minimal configuration.
One-to-One pools provide predictability and consistency for servers and applications, ensuring that internal hosts maintain fixed public identities. They're indispensable for email servers, legacy applications, and compliance-driven environments.
For organizations facing IPv4 exhaustion at massive scale, FortiOS CGN resource allocation pools offer carrier-grade efficiency, allocating individual ports rather than blocks to serve millions of sessions from limited IP addresses.
By understanding these distinctions and following best practices for planning, configuration, and monitoring, you can design NAT architectures that balance efficiency, security, and scalability—fully leveraging the power of FortiOS.