Troubleshooting Tip: FortiGate not performing source port translation for traffic to UDP port 9

Discard Protocol is defined in RFC 863.
The protocol is used mostly for testing. All traffic with UDP/TCP destination port 9 should be dropped by the destination.

If the traffic is UDP with destination port 9, the FortiGate will not translate the source port, even if the FortiGate is configured to do so.
This behavior is by design and cannot be changed.

For example, after configuring an IP pool with port block allocation:

config firewall ippool
   edit "test"
      set type port-block-allocation
      set startip 10.1.1.2
      set endip 10.1.1.2
      set arp-reply disable
   next
end

And a policy to SNAT the traffic:

config firewall policy
   edit 2
      set name "test"
      set srcintf "port2"
      set dstintf "port3"
      set srcaddr "all"
      set dstaddr "all" 
      set action accept
      set schedule "always"
      set service "ALL"
      set ippool enable
      set poolname "test"
      set nat enable
   next
end

Sessions with UDP destination port 9 will not have the source port translated. The IP address will be translated normally.

get sys session list
PROTO EXPIRE SOURCE          SOURCE-NAT      DESTINATION   DESTINATION-NAT
udp   163    10.7.69.5:33333 10.1.1.2:33333  192.168.0.1:9 -

If the traffic is TCP, or with a different destination port, source port translation will be applied.

get sys session list
PROTO EXPIRE SOURCE          SOURCE-NAT     DESTINATION    DESTINATION-NAT
tcp   7      10.7.69.5:33333 10.1.1.2:5173  192.168.0.1:9  -
udp   165    10.7.69.5:33333 10.1.1.2:5173  192.168.0.1:53 -