Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kajlasunil
Staff
Staff

Created on ‎09-26-2024 07:48 AM Edited on ‎10-17-2025 02:04 AM By Community Manager

Article Id 344661

Technical Tip: How to preserve source port when central NAT is enabled

Description This article describes how to enable a preserved source port when NAT translation is managed centrally.
Scope FortiOS v7.0 and above.
Solution

In FortiOS running in no central SNAT mode, the preserve source port can be enabled in the firewall policy from the GUI/CLI.

 

config firewall policy

    edit <policy id>

        set fixedport <enable/disable>

end

 

3.PNG

 

In the Central SNAT mode, there is no more 'set fixedport <enable/disable>' command. 

 

The central SNAT table allows for more granular control over address translation performed by FortiGate. The NAT table defines rules for the source address or address group, and which IP pool the destination address uses.


The below are the only commands that can be set in Central NAT Mode.


config firewall central-snat-map
    edit <policyID number>
        set status {enable|disable}
        set orig-addr <valid address object preconfigured on the FortiGate>
        set srcintf <name of interface on the FortiGate>
        set dst-addr <valid address object preconfigured on the FortiGate>
        set dstintf <name of interface on the FortiGate>
        set protocol <integer for protocol number>
        set orig-port <integer for original port number>
        set nat-port <integer for translated port number>

set port-preserve <preservation of the original source port from SNAT> <----- Available since v7.4.4.

                 set dst-port <destination port or port range>  <----- Available since v7.2.8.
        set comments <string>
end

 

The following are the options to preserve the source port:

  1. Configure an Overload type of IP Pool.
  2. Enable the Explicit port mapping.
  3. Set the source port range.
  4. Copy the same into the translated source port.

 

2.PNG


Note:

  • Explicit port mapping cannot apply to some protocols that do not use ports, such as ICMP. When enabling a NAT policy that uses Explicit port mapping, always consider that ICMP traffic will not match this policy.
  • When using IP Pools, only the Overload type IP Pool allows Explicit port mapping. When Explicit port mapping is applied, it must define a source port range and a translated destination port range. The source port will map one-to-one with the translated port.
  • 'Preserve Source Port' is enabled by default in FortiOS 7.4.4 and above. For more information, see Example five: Fine-tuning source port behavior - FortiGate 7.4.4 administration guide.
  • Ports will only be preserved if the source port falls within the range of 5117 to 65532. Any source port below 5117 will automatically be translated to a port higher than 5117, and the preserve-port setting will not apply in that case: Technical Tip: Configure the destination port for the Central SNAT table 
3620
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.