FortiGate
wmichael
Staff
Article Id 338853
Description This article describes how to configure source port translation on the FortiGate using a Central SNAT policy.
Scope FortiGate.
Solution

To make the FortiGate use a specific source port range for translated traffic, a Central SNAT policy must be used; ordinary firewall-policy NAT cannot pin the translated source ports. The option to translate source ports (Explicit port mapping) is only offered when the Central SNAT policy uses a dynamic IP pool ("Use Dynamic IP Pool" with an Overload-type pool, the default pool type), not when it uses the outgoing interface address.

 

To configure an IP pool in the GUI, navigate to Policy & Objects -> IP Pools -> Create New and specify the name and external IP range.

 

(Screenshot 02-IP-pool.jpg: IP pool configuration in the GUI)

 

From the CLI:

 

config firewall ippool
    edit "IP-pool"
        set startip 10.9.10.131
        set endip 10.9.10.131
    next
end

 

Central NAT must already be enabled (config system settings, set central-nat enable; see the related article below), otherwise the Central SNAT menu and table are not shown. Then create the Central SNAT policy in the GUI under Policy & Objects -> Central SNAT -> Create New.

Select the source and destination interfaces and addresses, select the IP pool to use for the external IP address, enable Explicit port mapping, and configure the original source port range and the translated port range.

 

Note:

The original port range and the translated port range must be the same size; the FortiGate rejects the policy otherwise. In this example both ranges contain 16384 ports (49152-65535 and 39152-55535).

 

(Screenshot 01-GUI config.jpg: Central SNAT policy with Explicit port mapping in the GUI)

 

From the CLI:

 

config firewall central-snat-map
    edit 1
        set srcintf "port10"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set orig-port 49152-65535
        set nat-ippool "IP-pool"
        set nat-port 39152-55535
    next
end

 

A firewall policy is still required to allow the traffic. When Central NAT is enabled, source NAT is configured only in the Central SNAT policies: the NAT option is no longer present on the firewall policy itself, so the policy below simply accepts the traffic.

 

(Screenshot 03-fw-policy.jpg: firewall policy allowing the traffic, without a NAT option)

 

On the CLI:

 

config firewall policy
    edit 1
        set name "Internet"
        set srcintf "port10"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

 

With this configuration, any traffic that matches the Central SNAT policy (here: from port10 to port1 with a source port in 49152-65535) has both its source IP address and its source port translated. The source IP becomes the IP pool address, and the source port is shifted into the translated range while keeping its offset within the range, so in the capture below 59335 (49152 + 10183) becomes 49335 (39152 + 10183). Central SNAT policies are evaluated top down and only the first match applies; traffic that matches no Central SNAT policy, for example a session whose source port is below 49152, is forwarded without source NAT, so check that this is intended or add a further Central SNAT policy for it.

 

Traffic is received on the LAN interface, in this case port10. The sniffer is run with verbosity 4 (headers with interface name), a packet count of 0 (unlimited) and local timestamps (l):

 

FortiGate1 # diag sniff pack port10 'host 10.122.0.100 and host 54.177.212.176 and port 443' 4 0 l
Using Original Sniffing Mode
interfaces=[port10]
filters=[host 10.122.0.100 and host 54.177.212.176 and port 443]
2024-09-02 10:59:40.011423 port10 -- 10.122.0.100.59335 -> 54.177.212.176.443: syn 4027347394
2024-09-02 10:59:40.087605 port10 -- 54.177.212.176.443 -> 10.122.0.100.59335: syn 946440213 ack 4027347395
2024-09-02 10:59:40.087848 port10 -- 10.122.0.100.59335 -> 54.177.212.176.443: ack 946440214

 

The same session egressing the WAN interface, in this case port1, now carries the IP pool address 10.9.10.131 and the translated source port 49335 (the TCP sequence numbers are unchanged, which is how the two captures can be matched):

 

FortiGate1 # diag sniff pack port1 'host 10.9.10.131 and host 54.177.212.176 and port 443' 4 0 l
Using Original Sniffing Mode
interfaces=[port1]
filters=[host 10.9.10.131 and host 54.177.212.176 and port 443]
2024-09-02 10:59:40.011491 port1 -- 10.9.10.131.49335 -> 54.177.212.176.443: syn 4027347394
2024-09-02 10:59:40.087586 port1 -- 54.177.212.176.443 -> 10.9.10.131.49335: syn 946440213 ack 4027347395
2024-09-02 10:59:40.087853 port1 -- 10.9.10.131.49335 -> 54.177.212.176.443: ack 946440214
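The following Python script is an added example, not part of the Fortinet article and not FortiGate code. It checks a pair of LAN/WAN sniffer captures against a Central SNAT port mapping: it enforces the same-size rule for the two port ranges, computes the expected translated port with the offset-preserving rule observed in the captures above (59335 -> 49335; assumed to hold for every port in the range), pairs each pre-NAT packet with its post-NAT copy by the unchanged TCP sequence numbers, and reports any session whose translated source address or port does not match the policy. The capture lines embedded below are copied from the page; the class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One 'diag sniff packet <intf> <filter> 4 0 l' output line, e.g.
# 2024-09-02 10:59:40.011423 port10 -- 10.122.0.100.59335 -> 54.177.212.176.443: syn 4027347394
SNIFF_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<intf>\S+) -- "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<tcp>.*)$"
)


@dataclass(frozen=True)
class PortMap:
    """Explicit port mapping of one Central SNAT policy (set orig-port / set nat-port)."""
    orig_start: int
    orig_end: int
    nat_start: int
    nat_end: int

    def __post_init__(self) -> None:
        for p in (self.orig_start, self.orig_end, self.nat_start, self.nat_end):
            if not 1 <= p <= 65535:
                raise ValueError(f"port {p} out of range")
        if self.orig_start > self.orig_end or self.nat_start > self.nat_end:
            raise ValueError("range start must not exceed range end")
        # Same rule the FortiGate enforces: both ranges must be the same size.
        if self.orig_end - self.orig_start != self.nat_end - self.nat_start:
            raise ValueError("original and translated port ranges must be the same size")

    def matches(self, sport: int) -> bool:
        return self.orig_start <= sport <= self.orig_end

    def translate(self, sport: int) -> Optional[int]:
        """Offset-preserving mapping as seen in the capture (assumption for other ports).
        Returns None when the source port is outside orig-port, i.e. the policy does not match."""
        if not self.matches(sport):
            return None
        return self.nat_start + (sport - self.orig_start)


Packet = Tuple[str, str, int, str, int, str]  # intf, src, sport, dst, dport, tcp fields


def parse_sniff(text: str) -> List[Packet]:
    """Parse sniffer output; header lines (interfaces=, filters=, ...) are skipped."""
    pkts: List[Packet] = []
    for line in text.splitlines():
        m = SNIFF_RE.match(line.strip())
        if m:
            pkts.append((m["intf"], m["src"], int(m["sport"]),
                         m["dst"], int(m["dport"]), m["tcp"]))
    return pkts


def verify_snat(lan_text: str, wan_text: str, client_ip: str, pool_ip: str,
                pmap: PortMap) -> List[Tuple[int, Optional[int], int, bool]]:
    """Pair each client->server packet on the LAN side with its egress copy on the WAN
    side (same TCP flags and sequence numbers, which SNAT does not change) and check that
    the source became pool_ip with the port pmap predicts.
    Returns (original sport, expected translated sport, observed sport, ok) per packet;
    observed is -1 when no egress copy from pool_ip was found."""
    wan_by_tcp = {p[5]: p for p in parse_sniff(wan_text) if p[1] == pool_ip}
    results = []
    for _intf, src, sport, _dst, _dport, tcp in parse_sniff(lan_text):
        if src != client_ip:
            continue  # server->client direction is the reverse translation, not checked here
        expected = pmap.translate(sport)
        egress = wan_by_tcp.get(tcp)
        observed = egress[2] if egress else -1
        ok = egress is not None and expected is not None and observed == expected
        results.append((sport, expected, observed, ok))
    return results


# Captures copied from the page (LAN side port10, WAN side port1).
LAN_CAPTURE = """\
2024-09-02 10:59:40.011423 port10 -- 10.122.0.100.59335 -> 54.177.212.176.443: syn 4027347394
2024-09-02 10:59:40.087605 port10 -- 54.177.212.176.443 -> 10.122.0.100.59335: syn 946440213 ack 4027347395
2024-09-02 10:59:40.087848 port10 -- 10.122.0.100.59335 -> 54.177.212.176.443: ack 946440214
"""
WAN_CAPTURE = """\
2024-09-02 10:59:40.011491 port1 -- 10.9.10.131.49335 -> 54.177.212.176.443: syn 4027347394
2024-09-02 10:59:40.087586 port1 -- 54.177.212.176.443 -> 10.9.10.131.49335: syn 946440213 ack 4027347395
2024-09-02 10:59:40.087853 port1 -- 10.9.10.131.49335 -> 54.177.212.176.443: ack 946440214
"""
POLICY = PortMap(49152, 65535, 39152, 55535)  # orig-port / nat-port from the page

if __name__ == "__main__":
    for orig, exp, obs, ok in verify_snat(LAN_CAPTURE, WAN_CAPTURE,
                                          "10.122.0.100", "10.9.10.131", POLICY):
        print(f"orig {orig} -> expected {exp}, observed {obs}: {'OK' if ok else 'MISMATCH'}")
```

Paste the output of the two sniffer commands into LAN_CAPTURE and WAN_CAPTURE to check a live configuration; a client source port outside orig-port yields an expected value of None, which flags sessions the Central SNAT policy does not match at all.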

 

 

For more information about Central SNAT, please see the documentation: Central SNAT

 

Related articles:

Technical Tip: Enable and configure central SNAT

Technical Tip: How to configure SNAT with IP pool
