
Understanding Fortinet's Fixed Port Range IP Pools: A Comprehensive Technical Guide


In the evolving landscape of network address translation (NAT), Fortinet's Fixed Port Range IP Pool feature stands out as a solution for organizations requiring predictable and manageable NAT operations. This deterministic carrier-grade NAT (CGNAT) approach gives network administrators precise control over how private IP addresses map to public IP addresses and port ranges.

What Is Fixed Port Range NAT?

Fixed Port Range is a specialized IP pool type in FortiOS that implements deterministic NAT using a reversible algorithm to map private IP addresses to public IP addresses and specific port blocks. Unlike traditional overload NAT that dynamically assigns ports, this method creates a predictable relationship between internal hosts and their external NATed addresses and port ranges.

According to Fortinet's official documentation, Fixed Port Range requires the definition of both the client IP range and public IP range, establishing a structured mapping that can be calculated and, to some extent, predicted.

Key Technical Specifications

Port Range Defaults and Version Differences

Understanding the technical parameters is crucial for proper implementation:

FortiOS Version | Start Port   | End Port     | Configuration Flexibility
7.4.x           | 5117         | 65533        | Fixed, cannot be modified
7.6.x           | Configurable | Configurable | Supports custom configuration, includes NAT64 support

The documentation clearly states that in FortiOS 7.4.x, "the Fixed port range is 5117 and end port is 65533 and these values cannot be changed." However, FortiOS 7.6.x introduces greater flexibility by supporting configurable fixed port ranges and extending functionality to NAT64 environments.

Configuration Example

A typical Fixed Port Range configuration in the CLI appears as follows:

config firewall ippool
    edit "Deterministic"
        set type fixed-port-range
        set startip 20.20.1.0
        set endip 20.20.1.127
        set source-startip 192.168.1.1
        set source-endip 192.168.1.254
        set port-per-user 30208
        set arp-reply enable
        set arp-intf ''
        set comments ''
    next
end

This configuration defines an external IP range of 20.20.1.0 through 20.20.1.127 and an internal source range of 192.168.1.1 through 192.168.1.254, with each user allocated 30,208 ports.

The Mathematics Behind Fixed Port Range

Calculating the NAT IP Address

The algorithm for determining which public IP address maps to a given private IP involves two key equations. As detailed in Fortinet's Cookbook documentation, the process begins with calculating a "factor":

First Equation – Determining the Factor:

factor = ((src_end - src_start + 1) + (end - start)) / (end - start + 1)

Because the numerator adds (end - start) to the number of private hosts before dividing by the number of public IPs, this is a ceiling division: the factor is the number of private hosts that must share a single public IP.

Second Equation – Determining the NAT IP:

nat_ip = start + ((src_ip - src_start) / factor)

Integer division is used throughout (results are truncated, not rounded).

Port Allocation Algorithm

The port selection process adds another layer. The system divides the total available port range into equal "shares", one for each private host that shares a public IP:

Port Share Calculation:

port_share = (snat_port_end - snat_port_begin + 1) / factor

First Port Choice Calculation:

first_port_choice = snat_port_begin + (port_share * ((src_ip - src_start) MOD factor))

This modulus-based approach hands out port blocks more like "dealing cards from a deck" than as one continuous sequence, giving each host that shares a public IP its own block.
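The two calculations above, as an added Python model that is not Fortinet code: it reproduces the factor, NAT IP and port block for the configuration example earlier on the page, and inverts the mapping for a (NAT IP, NAT port) pair taken from a log. The class and method names are my own; the 7.4.x port defaults are the page's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

def _ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

@dataclass(frozen=True)
class FixedPortRangePool:
    """Parameters of a fixed-port-range ippool (field names follow the CLI keys)."""
    startip: str
    endip: str
    source_startip: str
    source_endip: str
    snat_port_begin: int = 5117   # FortiOS 7.4.x fixed start port
    snat_port_end: int = 65533    # FortiOS 7.4.x fixed end port

    @property
    def factor(self) -> int:
        # Truncating division; the "+ (end - start)" term turns it into a ceiling,
        # i.e. the number of private hosts that must share one NAT IP.
        start, end = _ip2int(self.startip), _ip2int(self.endip)
        src_start, src_end = _ip2int(self.source_startip), _ip2int(self.source_endip)
        return ((src_end - src_start + 1) + (end - start)) // (end - start + 1)

    @property
    def port_share(self) -> int:
        return (self.snat_port_end - self.snat_port_begin + 1) // self.factor

    def mapping(self, src_ip: str) -> Tuple[str, int, int]:
        """Return (nat_ip, first_port, last_port) for one internal host."""
        i = _ip2int(src_ip) - _ip2int(self.source_startip)
        if not 0 <= i <= _ip2int(self.source_endip) - _ip2int(self.source_startip):
            raise ValueError(f"{src_ip} is outside the source range")
        nat_ip = _ip2int(self.startip) + i // self.factor
        first = self.snat_port_begin + self.port_share * (i % self.factor)
        return str(ipaddress.IPv4Address(nat_ip)), first, first + self.port_share - 1

    def reverse(self, nat_ip: str, port: int) -> Optional[str]:
        """Invert the mapping for a logged (NAT IP, NAT port); None if never handed out."""
        n = _ip2int(nat_ip)
        block = (port - self.snat_port_begin) // self.port_share
        if not _ip2int(self.startip) <= n <= _ip2int(self.endip):
            return None
        if not 0 <= block < self.factor:  # leftover ports past factor*port_share are unused
            return None
        i = (n - _ip2int(self.startip)) * self.factor + block
        if i > _ip2int(self.source_endip) - _ip2int(self.source_startip):
            return None
        return str(ipaddress.IPv4Address(_ip2int(self.source_startip) + i))
```

With the page's configuration the model yields factor 2, a 30,208-port share, and the same ranges for 192.168.1.1 and 192.168.1.2 that the diagnostic output later on the page shows.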

Oversubscription and Port Reuse

One of the most powerful features of Fixed Port Range is its support for oversubscription. Fortinet's architecture guide explains that "the public IP address and NAT port can be reused by FortiOS so far the new session (initiated by the client) does not create clash."

This behavior differs from other vendors in several important ways:

  1. Proactive port reuse: FortiOS doesn't wait until all ports are used before determining which ports to overload
  2. Tuple-based decisions: Port reuse is permitted as long as the new connections don't create clashing tuples (source IP, source port, destination IP, destination port combinations)
  3. Flexible session limits: Users can generate more sessions than configured in port-per-user, limited only by actual port availability without clashes

Port Selection Process

When a new session requires NAT, FortiOS follows this decision tree:

  1. First attempts to reuse the original source port
  2. If the client source port doesn't fall within the calculated port range, or if using it would create a clash:
    • The system iterates through ports starting at a random point within the calculated port block
    • Ports are selected only if they don't create session clashes
  3. If no available ports are found within the calculated block after iteration:
    • Translation stops
    • A log entry is generated indicating the port clash

As shown in diagnostic output:

diagnose firewall ippool-fixed-range list natip 20.20.1.0
ippool name=Fixed_Port_Range, ip shared num=2, port num=30208
internal ip=192.168.1.1, nat ip=20.20.1.0, range=5117~35324
internal ip=192.168.1.2, nat ip=20.20.1.0, range=35325~65532

This output clearly demonstrates how different internal IPs receive distinct port ranges on the same public IP.
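The port selection decision tree above, as an added Python simulation of one host's port block (not FortiOS code): a set of active (NAT IP, NAT port, destination IP, destination port) tuples stands in for the session table, so the same NAT port can be reused for different destinations while clashing tuples are refused. The wrap-around when the random starting point reaches the end of the block is my assumption.

```python
import random
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# A translated session is identified by the tuple the text describes.
Tuple4 = Tuple[str, int, str, int]

@dataclass
class PortSelector:
    nat_ip: str
    first_port: int   # block bounds as produced by the fixed-range calculation
    last_port: int
    rng: random.Random = field(default_factory=lambda: random.Random(0))
    active: Set[Tuple4] = field(default_factory=set)

    def _clashes(self, port: int, dst_ip: str, dst_port: int) -> bool:
        return (self.nat_ip, port, dst_ip, dst_port) in self.active

    def translate(self, src_port: int, dst_ip: str, dst_port: int) -> Optional[int]:
        """Pick the NAT port for a new session; None when the block is exhausted."""
        # 1. Prefer the client's own source port if it lies in the block and is free.
        if self.first_port <= src_port <= self.last_port and not self._clashes(src_port, dst_ip, dst_port):
            chosen = src_port
        else:
            # 2. Otherwise walk the block from a random offset (assumed to wrap around).
            size = self.last_port - self.first_port + 1
            offset = self.rng.randrange(size)
            chosen = None
            for k in range(size):
                candidate = self.first_port + (offset + k) % size
                if not self._clashes(candidate, dst_ip, dst_port):
                    chosen = candidate
                    break
            if chosen is None:
                # 3. Every port clashes for this destination: translation stops,
                #    which is where FortiOS would log the port clash.
                return None
        self.active.add((self.nat_ip, chosen, dst_ip, dst_port))
        return chosen

    def close(self, nat_port: int, dst_ip: str, dst_port: int) -> None:
        """Release a session so its tuple no longer counts as a clash."""
        self.active.discard((self.nat_ip, nat_port, dst_ip, dst_port))
```

A four-port block is enough to see all three branches: reuse of the client port, a random pick on clash, and refusal once every port in the block clashes for that destination.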

Version-Specific Considerations

FortiOS 7.4.x Limitations

Administrators working with FortiOS 7.4.x should be aware of specific limitations:

  • Fixed port range: 5117-65533 (non-configurable)
  • Port randomness: "Not ideal" according to documentation, as ports are selected sequentially within the calculated range
  • Limited visibility: Port allocation follows a predictable pattern after the initial calculation

FortiOS 7.6.x Enhancements

The 7.6.x release introduces significant improvements:

  • Configurable port ranges: Administrators can now define custom start and end ports
  • NAT64 support: Fixed port range functionality extends to NAT64 environments
  • Configurable randomness: Port selection randomness can be tuned to meet specific requirements

Practical Applications and Use Cases

Carrier-Grade NAT (CGNAT)

Fixed Port Range is particularly valuable for ISPs and large organizations implementing CGNAT. The deterministic nature allows for:

  • Predictable resource allocation across subscriber bases
  • Simplified logging and auditing of NAT translations
  • Efficient use of limited public IPv4 addresses
  • Forensic traceability when investigating network activity

Security and Compliance Requirements

Organizations with strict security requirements benefit from the predictability of Fixed Port Range. When "communications between sites are limited to specific IP addresses," the ability to determine which internal host maps to which public IP becomes essential for maintaining access controls.

Multi-Tenant Environments

Service providers and large enterprises can use Fixed Port Range to ensure fair distribution of NAT resources across departments or tenants, preventing any single entity from consuming disproportionate NAT capacity.

Diagnostic and Troubleshooting Commands

Fortinet provides several diagnostic tools for monitoring Fixed Port Range operations:

# List fixed port range mappings for a specific NAT IP
diagnose firewall ippool-fixed-range list natip <IP_ADDRESS>

# View active sessions with NAT information
diagnose sys session list | grep -f <NAT_IP>

# Check for port clash events (review logs)
# Look for entries indicating port exhaustion or allocation failures

Limitations and Considerations

Predictability vs. Determinism

While Fixed Port Range provides predictable mapping for IP addresses, the port allocation retains enough flexibility to accommodate varying session loads. As Fortinet's documentation notes, with this flexibility "comes unpredictability" when attempting to reverse-engineer the exact source based solely on port numbers.

Resource Planning

Administrators must carefully calculate port-per-user requirements based on expected concurrent sessions. The port-per-user setting should reflect realistic usage patterns while accounting for the oversubscription capabilities.

ARP Configuration

The arp-reply setting forces the FortiGate to answer ARP requests for the NAT IP addresses on specified interfaces. This must be configured carefully to avoid unintended network behavior.

Frequently Asked Questions

What is the difference between Fixed Port Range and Overload NAT?

Fixed Port Range uses deterministic algorithms to map specific internal IPs to defined public IP and port ranges, creating predictable patterns. Overload NAT (Port Address Translation) dynamically assigns ports from a pool without guaranteed predictability, maximizing concurrent connections but complicating traceability.

Can I use Fixed Port Range with IPv6?

Yes, FortiOS 7.6.x introduces Fixed Port Range support for NAT64, enabling deterministic NAT between IPv6 and IPv4 networks. Native IPv6 to IPv6 translations typically don't require this type of NAT.

What happens when all ports in the calculated range are in use?

When FortiOS exhausts the calculated port block for a user, it continues searching through higher ports sequentially until finding an available port. If none are found after exhausting all options, the session fails and a log entry is generated indicating port clash.

How do I calculate the required port-per-user value?

The port-per-user value should reflect the maximum expected concurrent sessions per user. Consider factors like application behavior, peak usage periods, and the total number of users sharing public IPs. The oversubscription capability provides some flexibility, but proper planning prevents port exhaustion.

Is Fixed Port Range suitable for small businesses?

While designed for CGNAT scenarios, Fixed Port Range can benefit any organization requiring predictable NAT mappings. However, smaller deployments often find Overload or One-to-One NAT sufficient for their needs with less configuration complexity.

Can I modify the port range in FortiOS 7.4.x?

No, FortiOS 7.4.x uses a fixed range of 5117-65533 that cannot be modified. Organizations requiring custom ranges should upgrade to FortiOS 7.6.x or later.

How does port selection randomness differ between versions?

FortiOS 7.4.x uses sequential port selection within the calculated block, starting from a calculated point. FortiOS 7.6.x introduces configurable randomness, allowing administrators to tune how ports are selected for improved distribution and security.

What logging is available for Fixed Port Range events?

FortiOS generates logs for port allocation failures, NAT translations, and configuration changes. The diagnose firewall ippool-fixed-range list command provides real-time visibility into active mappings.

Conclusion

Fortinet's Fixed Port Range IP Pool feature represents a sophisticated approach to NAT that balances predictability with flexibility. By implementing deterministic algorithms for both IP and port allocation, it addresses the needs of service providers, large enterprises, and security-conscious organizations operating in IPv4-constrained environments.

The evolution from FortiOS 7.4.x's fixed implementation to 7.6.x's configurable parameters demonstrates Fortinet's commitment to adapting this technology to diverse deployment scenarios. Whether used for CGNAT, multi-tenant environments, or compliance-driven architectures, Fixed Port Range provides the control and visibility that modern networks require.

Network architects considering this technology should carefully evaluate their specific requirements against the mathematical models and operational characteristics outlined in this guide, ensuring optimal configuration for their unique environments.