FortiGate
gmanea
Staff
Article Id 195738

Description

This article describes how a fixed port can be set on a firewall policy and some of the reasons why this change is needed.


Scope

FortiGate.


Solution

A TCP/IP connection is identified by a five-element tuple:

  • source IP
  • source port
  • destination IP
  • destination port
  • protocol


To establish a TCP/IP connection, only a destination IP and port number are needed; the operating system automatically selects the source IP and port. When source NAT (SNAT) is performed, NAT translates source ports in order to keep track of the connections for a particular service.

Some network configurations do not operate correctly if a NAT policy translates the source port of the packets used by the connection.

This is caused by a mismatch between the source port in the IP header (changed by NAT) and the source port communicated in the payload.

Most common cases:

  • Older SIP PBX servers. The port change causes the PBX or phones to fail to register with the remote site, because the port announced in the SIP payload no longer matches the translated source port.
  • Applications that communicate with databases on specific ports (especially if Application Control/Web Filter is needed).

The solution is to preserve the source port when configuring the policy, so that no source port translation takes place. This can only be applied on policies where NAT is enabled.

 

Prior to FortiOS 7.4.4:

Check the related articles for compatibility with IP Pool and central SNAT settings.

config firewall policy
    edit <ID>
        set fixedport enable
    next
end

 

However, enabling 'fixedport' means that only one connection can be supported through the firewall for this service port, because every session behind the NAT address would have to use the same source port. This is expected for a local PBX that connects only to the SIP provider.

To support multiple connections, an IP pool should be added and then selected as a Dynamic IP Pool in the firewall policy.

In the GUI, the option is shown as 'Preserve Source Port' when configuring a NAT policy to prevent source port translation:

(screenshot: fixedport.png)

Starting with FortiOS 7.4.4, fine-tuning of the source port behavior for SNAT has been introduced. With this fine-tuning it is possible to change the default behavior, which is to use the original source port if it is not already in use, and instead configure FortiGate to always change the source port during SNAT and use the next higher available port in the range.

  • If 'port-preserve' is enabled, which is the default configuration, FortiGate tries to use the original source port if it is not already in use. If it is already in use, FortiGate chooses the next available higher port in the range and lets the connection be established.
  • If 'port-preserve' is disabled, FortiGate always uses the next higher available port in the range. When it reaches the highest port, it wraps around to the first available port in the range again.
  • As prior to FortiOS 7.4.4, if 'fixedport' is enabled, FortiGate tries to use the original source port unconditionally. This may cause connection issues and clashes if the port is already in use by another session.
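The following Python simulation is an added example and is not FortiOS code or Fortinet's implementation. It models the three source port selection modes listed above (port-preserve enabled, port-preserve disabled with wrap-around, and fixedport with its clash) and, for the SIP case described earlier, checks whether the port announced in a SIP Via header still matches the translated source port. The NAT address, port range, client addresses and SIP REGISTER message are constructed for illustration; how FortiGate picks "the next available higher port" internally is not documented on this page, so the allocator below simply walks upward from the original port (or from a rolling cursor when port-preserve is disabled).

```python
"""Simulation of SNAT source-port selection (added example, not FortiOS code).

Modes modelled, as described in the article:
  * port-preserve enabled (default): keep the client's source port if free,
    otherwise the next higher free port in the range;
  * port-preserve disabled: always the next higher free port, wrapping to the
    bottom of the range after the highest port;
  * fixedport: keep the client's source port unconditionally; a second session
    with the same source port and destination clashes with the first.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Five-tuple: (src_ip, src_port, dst_ip, dst_port, proto)
Tuple5 = Tuple[str, int, str, int, str]


@dataclass
class SnatAllocator:
    nat_ip: str                       # translated source address (IP pool / interface IP)
    port_lo: int = 1024               # assumed allocation range (constructed values)
    port_hi: int = 65535
    port_preserve: bool = True        # models 'set port-preserve {enable|disable}'
    fixedport: bool = False           # models 'set fixedport {enable|disable}'
    sessions: Dict[Tuple5, Tuple5] = field(default_factory=dict)  # translated -> original
    _cursor: int = field(init=False)  # rolling pointer used when port-preserve is disabled

    def __post_init__(self) -> None:
        self._cursor = self.port_lo

    def _in_use(self, port: int, dst_ip: str, dst_port: int, proto: str) -> bool:
        return (self.nat_ip, port, dst_ip, dst_port, proto) in self.sessions

    def _bump(self, port: int) -> int:
        """Next higher port, wrapping to the first port of the range."""
        return port + 1 if port < self.port_hi else self.port_lo

    def _next_free(self, start: int, dst_ip: str, dst_port: int, proto: str) -> Optional[int]:
        port = start
        for _ in range(self.port_hi - self.port_lo + 1):   # at most one full lap
            if not self._in_use(port, dst_ip, dst_port, proto):
                return port
            port = self._bump(port)
        return None

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                  proto: str = "udp") -> Tuple[Optional[int], bool]:
        """Return (translated_port, clash). clash=True means the fixed port is
        already taken by another session towards the same destination."""
        clash = False
        if self.fixedport:
            port: Optional[int] = src_port
            clash = self._in_use(src_port, dst_ip, dst_port, proto)
        elif self.port_preserve:
            port = src_port if not self._in_use(src_port, dst_ip, dst_port, proto) \
                else self._next_free(self._bump(src_port), dst_ip, dst_port, proto)
        else:
            port = self._next_free(self._cursor, dst_ip, dst_port, proto)
            if port is not None:
                self._cursor = self._bump(port)
        if port is None:
            raise RuntimeError("SNAT port range exhausted")
        if not clash:   # a clashing session cannot be tracked, so it is not installed
            self.sessions[(self.nat_ip, port, dst_ip, dst_port, proto)] = \
                (src_ip, src_port, dst_ip, dst_port, proto)
        return port, clash


# Constructed SIP REGISTER: the Via header carries the port the phone believes it uses.
SIP_REGISTER = (
    "REGISTER sip:provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:1001@provider.example>;tag=abc\r\n"
    "To: <sip:1001@provider.example>\r\n"
    "Contact: <sip:1001@192.168.1.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
_VIA_PORT = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+[^;\s:]+:(\d+)", re.MULTILINE)


def via_port(sip_msg: str) -> Optional[int]:
    """Port advertised in the top Via header, or None when Via carries no port."""
    m = _VIA_PORT.search(sip_msg)
    return int(m.group(1)) if m else None


def payload_header_mismatch(sip_msg: str, translated_port: int) -> bool:
    """True when the port in the SIP payload differs from the translated source port."""
    advertised = via_port(sip_msg) or 5060   # SIP default port when Via has none
    return advertised != translated_port


def demo() -> Dict[str, object]:
    """Two phones behind one NAT address, both using source port 5060 to the provider."""
    phones = [("192.168.1.10", 5060), ("192.168.1.11", 5060)]
    provider = ("203.0.113.5", 5060)
    out: Dict[str, object] = {}
    for name, kw in (("fixedport", dict(fixedport=True)),
                     ("port_preserve", dict(port_preserve=True)),
                     ("no_preserve", dict(port_preserve=False))):
        nat = SnatAllocator("198.51.100.1", **kw)
        out[name] = [nat.translate(ip, sp, *provider) for ip, sp in phones]
    # wrap-around with port-preserve disabled and a deliberately tiny range
    tiny = SnatAllocator("198.51.100.1", port_lo=1024, port_hi=1025, port_preserve=False)
    out["wrap"] = [tiny.translate("192.168.1.20", 40000 + i, "203.0.113.9", 443 + i, "tcp")[0]
                   for i in range(3)]
    out["sip_mismatch_no_preserve"] = payload_header_mismatch(SIP_REGISTER, out["no_preserve"][0][0])
    out["sip_mismatch_fixedport"] = payload_header_mismatch(SIP_REGISTER, out["fixedport"][0][0])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the trade-off the article describes: with 'fixedport' the first phone keeps port 5060 and the SIP payload matches the header, but the second phone clashes and cannot be tracked; with 'port-preserve' both phones get a session (5060 and 5061), and with 'port-preserve' disabled both ports are rewritten, so the Via port of an old PBX no longer matches what the provider sees.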

 

The port-preserve option is available for both the central SNAT and for firewall policies when NAT is enabled.

To configure the source port behavior in a firewall policy:

config firewall policy
    edit <ID>
        set port-preserve {enable | disable}
        set fixedport {enable | disable}
    next
end

This behavior can also be controlled with the 'Manage source port' option in the GUI. The 'Fixed Port' option becomes visible after 'Manage source port' is enabled.

(screenshot: manage_source_port.png)

A 'one-to-one' IP pool used in a firewall policy is coupled with a 'fixed-port' setting on FortiGate. To verify the fixed port on the IP pool:

diag firewall ippool list
list ippool info:(vf=root)
ippool 7.0: id=1, block-sz=60416, num-block=1, fixed-port=yes, use=2

 

Related articles:

Technical Tip: Using 'set fixedport enable' in a policy with 'fixed-port-range' type ippool

Technical Tip: How to preserve source port when central NAT is enabled

Technical Tip: Routing with IP Pool Address Configuration

Fine-tuning source port behavior for SNAT