Per NAT IP, destination IP, port, and protocol
This is the approach that FortiOS uses.
It uses all of the differentiation points of the previous methods (NAT IP, port number and protocol), but adds one more: the destination IP address. The network information points in the packet that the FortiGate keeps in its database to differentiate between sessions are now:
- Public IP address of the FortiGate assigned by NATing
- Protocol of the traffic
- Source port assigned by the FortiGate
- Destination IP address of the packet
The last one is an especially good differentiator because, as a theoretical number, its upper limit is the number of public IP addresses on the whole of the Internet. While a large number of sessions from inside the University will be going to a small group of sites such as Google, YouTube, Facebook and some others, it is unlikely that they will all be going to them at the same time.
Example:
In this example it is assumed that the FortiGate has only one IP address. Two possible packets are described. The only difference in the attributes recorded is the destination of the HTML request. These packets are still considered to be from different sessions, and any responses will make it back to the correct computer.
From Student A
| Attribute | Original Packet | Packet after NATing |
|---|---|---|
| Source IP address or src-ip | 10.1.1.56 | u.u.u.1 |
| Destination IP address or dst-ip | w.w.w.1 | w.w.w.1 |
| Protocol | tcp | tcp |
| Source port or src-port | 10000 | 46372 |
| Destination port or dst-port | 80 | 80 |
From Student B
| Attribute | Original Packet | Packet after NATing |
|---|---|---|
| Source IP address or src-ip | 10.5.1.233 | u.u.u.1 |
| Destination IP address or dst-ip | w.w.w.2 | w.w.w.2 |
| Protocol | tcp | tcp |
| Source port or src-port | 26785 | 46372 |
| Destination port or dst-port | 80 | 80 |
The reason these attributes are used to differentiate between traffic is based on how the indexes for the sessions are recorded in the database. When a TCP connection is made through a FortiGate unit, a session is created and two indexes are created for it, one per direction. The FortiGate unit uses these indexes to match traffic to the session.
The following could be the session record for the TCP connection in the first example.
| Attribute | Outgoing Traffic | Returning Traffic |
|---|---|---|
| Source IP address | 10.78.33.97 (internal address) | w.w.w.1 |
| Destination address | w.w.w.1 | u.u.u.1 |
| Protocol | tcp | tcp |
| Source port | 10000 (from original computer); 46372 (assigned by NAT) | 80 |
| Destination port | 80 | 46372 (FortiGate assigned port) |
Using the FortiGate's approach to session differentiation, FortiOS only has to ensure that the assigned port, together with the other four attributes, forms a unique combination that identifies the session. So, for example, if Student A simultaneously makes an HTTP (port 80) connection and an HTTPS (port 443) connection to the same web server, this creates another session, and the index in the reply direction would be:
| Attribute | Outgoing Traffic | Returning Traffic |
|---|---|---|
| Source IP address | 10.78.33.97 (internal address) | w.w.w.1 |
| Destination address | w.w.w.1 | u.u.u.1 |
| Protocol | tcp | tcp |
| Source port | 10000 (from original computer); 46372 (assigned by NAT) | 443 |
| Destination port | 443 | 46372 (FortiGate assigned port) |
These two sessions are distinct and valid because the port numbers differ: the source port on the returning traffic, or the destination port on the outgoing traffic, depending on the direction.