FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 190384


FortiGate A ---- FortiGate B ---- ISP1 --> ISP2 ---- ISP (N) ---- FortiGuard server
FortiGate A and B are both in NAT mode. FortiGate B has no problem reaching the FortiGuard web filter server on port 53 or port 8888. FortiGate A, whose traffic is source-NATed by FortiGate B, cannot reach the FortiGuard web filter server.
Running the packet sniffer on both units shows:
  • FortiGate A (before NAT): source port 1028, destination port 53 or 8888
  • FortiGate B, egress side (after NAT): source port 36000, destination port 53 or 8888
Packets leave FortiGate B with a high source port, but no reply ever comes back from the FortiGuard server. A capture on the FortiGuard server side shows no request packets arriving at all, so the requests are being dropped somewhere along the ISP path rather than being answered and lost on the way back.
Each ISP applies its own routing and access policy, so any ISP in the path may be blocking traffic from high source ports.
Enable fixed-port NAT (fixedport) on the firewall policy on FortiGate B that NATs FortiGate A's traffic. With fixedport, FortiGate B preserves the original source port when it applies source NAT, so the low source port chosen by FortiGate A (1028 in the capture above) is kept instead of being rewritten to a high port such as 36000. Scope that policy to FortiGate A's address and the FortiGuard ports rather than enabling fixedport on all outbound traffic: preserving source ports for many internal hosts behind one NAT address invites port collisions. After the change, repeat the sniffer on FortiGate B's WAN interface to confirm the source port is unchanged and that replies from the FortiGuard server now arrive.
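The policy described above, written out as FortiOS CLI. This is an added example, not configuration from the original article: the interface names (internal, wan1), the address object FGT-A with the address 10.0.0.2, the policy ID 10 and the custom service name are assumptions; substitute your own.

```fortios
# Added example (not from the original article). Assumed names: interfaces
# "internal"/"wan1", FortiGate A's address as seen by FortiGate B 10.0.0.2,
# policy ID 10, service name "FortiGuard-Rating".

# Address object for FortiGate A so the policy matches only its traffic
config firewall address
    edit "FGT-A"
        set subnet 10.0.0.2 255.255.255.255
    next
end

# FortiGuard web filter rating traffic on the ports the article uses:
# two UDP entries, 53 and 8888
config firewall service custom
    edit "FortiGuard-Rating"
        set udp-portrange 53 8888
    next
end

# Policy on FortiGate B that NATs FortiGate A's FortiGuard traffic.
# fixedport keeps the original source port (1028 stays 1028) instead of
# rewriting it to a high ephemeral port (such as 36000) that an ISP may drop.
config firewall policy
    edit 10
        set name "FGT-A-to-FortiGuard"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "FGT-A"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "FortiGuard-Rating"
        set nat enable
        set fixedport enable
    next
    # Place it above the general outbound NAT policy (assumed ID 1) so it
    # is evaluated first; otherwise the broader policy keeps matching.
    move 10 before 1
end

# Verification on FortiGate B: source port must now be unchanged and
# replies from the FortiGuard server should appear.
#   diagnose sniffer packet wan1 'port 53 or port 8888' 4
# Verification on FortiGate A: FortiGuard server list and reachability.
#   diagnose debug rating
```

The `move` is the part most often forgotten: a new policy is appended at the bottom, and if an existing any-to-any NAT policy sits above it, FortiGate A's traffic never reaches the fixedport policy and the captures look exactly as before.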