FortiGate
kajlasunil
Staff
Article Id 344661


Description: This article describes how to enable source port preservation when NAT is managed centrally (central SNAT mode).
Scope: FortiOS 7.0 and above.
Solution

When FortiOS is not running in central SNAT mode, source port preservation is enabled per firewall policy, from either the GUI or the CLI:


config firewall policy
    edit <policy id>
        set fixedport <enable/disable>
end


In central SNAT mode, the 'set fixedport <enable/disable>' command is no longer available in the firewall policy.

The central SNAT table allows more granular control over the address translation performed by the FortiGate. The NAT table defines rules for the source address or address group, and which IP pool the destination address uses.


The following are the only commands that can be set in central NAT mode:


config firewall central-snat-map
    edit <policyID number>
        set status {enable|disable}
        set orig-addr <valid address object preconfigured on the FortiGate>
        set srcintf <name of interface on the FortiGate>
        set dst-addr <valid address object preconfigured on the FortiGate>
        set dstintf <name of interface on the FortiGate>
        set protocol <integer for protocol number>
        set orig-port <integer for original port number>
        set nat-port <integer for translated port number>
        set comments <string>
end


The following options preserve the source port in central SNAT mode:

  1. Configure an Overload type of IP Pool.
  2. Enable Explicit port mapping.
  3. Set the Original source port range.
  4. Enter the same range as the Translated source port range.
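A worked example of the four steps above (added here; it is not part of the original article): an overload-type IP pool and a central SNAT map whose original and translated source port ranges are identical, so every source port maps to itself. The addresses (203.0.113.0/24 documentation range), interface names and address object names are constructed; the `nat`, `nat-ippool` and `next` keywords and the `low-high` range syntax for `orig-port`/`nat-port` are assumed from the FortiOS CLI and do not appear on this page.

```text
# Step 1: overload-type IP pool.
# Constructed: a single public address, 203.0.113.10.
config firewall ippool
    edit "SNAT_POOL_OVERLOAD"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Steps 2-4: central SNAT map with explicit port mapping.
# orig-port and nat-port carry the same range, so the source port is
# preserved one-to-one. protocol is set because explicit port mapping
# applies per protocol (17 = UDP here). ICMP carries no ports and will
# not match this rule.
# Constructed: port1 (internal), port2 (WAN), address object LAN_SUBNET.
config firewall central-snat-map
    edit 1
        set status enable
        set srcintf "port1"
        set dstintf "port2"
        set orig-addr "LAN_SUBNET"
        set dst-addr "all"
        set protocol 17
        set orig-port 5060-5061
        set nat-port 5060-5061
        set nat enable
        set nat-ippool "SNAT_POOL_OVERLOAD"
        set comments "Preserve UDP source ports 5060-5061 (one-to-one mapping)"
    next
end
```

A rule with a different (or wider) nat-port range, or a pool of any type other than overload, will not preserve the source port.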



Note: Explicit port mapping cannot be applied to protocols that do not use ports, such as ICMP. When enabling a NAT policy that uses Explicit port mapping, keep in mind that ICMP traffic will not match this policy.

When using IP Pools, only the Overload type IP Pool allows Explicit port mapping. When Explicit port mapping is applied, an original source port range and a translated source port range must be defined. Each source port maps one-to-one to the corresponding translated port.