Fortinet Document Library

Version:


Table of Contents

Technical Note: Fixed port on firewall policy

6.2.1
Copy Link

Products

FortiGate
FortiGate v5.4
FortiGate v5.6
FortiGate v6.0
FortiGate v6.2
 

Description

This article explains how fixed port can be set on firewall policy.
A TCP/IP connection is identified by a four element tuple:
-  source IP,
-  source port,
-  destination IP,
-  destination port.

To establish a TCP/IP connection only a destination IP and port number are needed, the operating system automatically selects source IP and port.

Fortinet Documentation
Technical Tip : Routing with IP Pool Address Configuration – https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD31664

Scope

Fixed Port

Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service.
Randomly selects an IP address from the IP pool and assigns it to each connection:

Solution

From the CLI, enable fixedport when configuring a security policy for NAT policies to prevent source port translation.

#config firewall policy

  edit <ID>

    set fixedport enable

end

However, enabling fixedport means that only one connection can be supported through the firewall for this service.
To be able to support multiple connections, add an IP pool, and then select Dynamic IP pool in the Firewall policy.

Products

FortiGate
FortiGate v5.4
FortiGate v5.6
FortiGate v6.0
FortiGate v6.2
 

Description

This article explains how fixed port can be set on firewall policy.
A TCP/IP connection is identified by a four element tuple:
-  source IP,
-  source port,
-  destination IP,
-  destination port.

To establish a TCP/IP connection only a destination IP and port number are needed, the operating system automatically selects source IP and port.

Fortinet Documentation
Technical Tip : Routing with IP Pool Address Configuration – https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD31664

Scope

Fixed Port

Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service.
Randomly selects an IP address from the IP pool and assigns it to each connection:

Solution

From the CLI, enable fixedport when configuring a security policy for NAT policies to prevent source port translation.

#config firewall policy

  edit <ID>

    set fixedport enable

end

However, enabling fixedport means that only one connection can be supported through the firewall for this service.
To be able to support multiple connections, add an IP pool, and then select Dynamic IP pool in the Firewall policy.