FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article explains how the port selection process is done under different port settings
Scope
FortiOS.
Solution
There are different settings that impact the criteria on which a new NAT port will be selected:
If 'set port-preserve enable' is set up under the firewall policy:
The original port will be attempted for a re-use. If this clashes with another session, a new NAT port will be selected sequentially.
config firewall policy
edit 1
set port-preserve enable
next
end
If 'set port-preserve disable' is configured under the firewall policy:
The next available port will be directly selected sequentially.
config firewall policy
edit 1
set port-preserve disable
next
end
As of FortiOS 7.6.1, there is a new 'set port-random enable' setting added under firewall policy.
When port-preserve is disabled and port-random is enabled, the new SNAT port will be selected randomly. This feature is available as of FortiOS-7.6.1, making the allocation process less predictable and thereby enhancing security.
This feature is available when when 'set port-preserve' is disabled.
