Description
This article describes how fixed port can be set on a firewall policy and some of the reasons this change is needed.
Scope
FortiGate.
Solution
A TCP/IP connection is identified by a five-element tuple:
- source IP.
- source port.
- destination IP.
- destination port.
- protocol
To establish a TCP/IP connection, only a destination IP and port number are needed; the operating system automatically selects the source IP and port when NAT (SNAT) is performed. NAT translates source ports to keep track of connections for a particular service.
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection.
This is caused by the different source ports in the IP header (changed by NAT) and the source port communicated in the payload.
Most common cases:
- Older SIP PBX servers. The port change will cause the PBX or phones to register to the remote site.
- Applications that communicate with databases on specific ports (especially if Application Control/Web filter is needed).
The solution is to preserve the port when configuring a policy to prevent source port translation. This can only be applied on policies where NAT is enabled.
Prior to FortiOS 7.4.4:
Check the related articles for compatibility with IP-Pool and central SNAT settings.
config firewall policy
edit <ID>
set fixedport enable
end
However, enabling "fixedport" means that only one connection can be supported through the firewall for this service port. This is expected for the local PBX that connects only to the SIP provider.
To be able to support multiple connections, an IP pool should be added, and then select Dynamic IP Pool in the Firewall policy.
From GUI, the option is seen as 'Preserve Source Port' when configuring a NAT policy to prevent source port translation:
Starting with FortiOS 7.4.4, fine-tuning source port behavior for SNAT has been introduced. With these fine-tuning it is possible to change the default behavior, which is using the original port if it is not already in use, and configure FortiGate to change the source port during SNAT and use the next higher available port in the range.
- If 'port-preserve' is enabled, which is the default configuration, FortiGate will try to use the original source port if it is not already in use. If it is already in use, FortiGate will choose the next available high port in the range and let the connection be established.
- If 'port-preserve' is disabled, FortiGate will always use the next higher available port in the range. When it reaches the highest port, it will return back to the first available port in the range again.
- Like prior FortiOS 7.4.4, if 'fixedport' is enabled, FortiGate will try to use the original source port unconditionally, and it might cause connection issues and clashes if the port is already in use by another session.
The port-preserve option is available for both the central SNAT and for firewall policies when NAT is enabled.
To configure source port behavior in a firewall policy:
config firewall policy
edit <ID>
set port-preserve {enable | disable}
set fixedport {enable | disable}
end
This behavior can also be controlled with the 'Manage source port' option in the GUI. The 'Fixed Port' option will be visible after enabling 'Manage source port'.
A 'one-to-one' IP pool in a firewall, coupled with a 'fixed-port' setting on FortiGate. To verify the fixed port on IP-Pool:
diag firewall ippool list
list ippool info:(vf=root)
ippool 7.0: id=1, block-sz=60416, num-block=1, fixed-port=yes, use=2
Related articles:
Technical Tip: Using 'set fixedport enable' in a policy with 'fixed-port-range' type ippool
Technical Tip: How to preserve source port when central NAT is enabled
