Description
This article explains how the fixedport option can be enabled on a firewall policy, and some of the reasons this change is needed.
Scope
FortiGate.
Solution
A TCP/IP connection is identified by a four-element tuple:
- source IP.
- source port.
- destination IP.
- destination port.
To establish a TCP/IP connection only the destination IP and port number need to be chosen; the operating system automatically selects the source IP and source port. When source NAT (SNAT) is performed, the firewall additionally translates the source port so that it can keep track of the individual connections for a particular service.
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection.
This is caused by a mismatch between the source port in the IP header (changed by NAT) and the source port communicated inside the payload.
Most common cases:
- Older SIP PBX servers. The port change will cause the PBX or phones to register to the remote site.
- Applications that communicate with databases on specific ports (especially if Application Control/Web filter is needed).
To enable fixed port on the policy (the `next` keyword commits the policy entry before leaving the configuration):
config firewall policy
    edit <ID>
        set fixedport enable
    next
end
However, because the source port is no longer translated, enabling fixed port means that only one connection can be supported through the firewall for this service. This is expected for a local PBX that connects only to the SIP provider.
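To make the reasoning above concrete, the following is an added Python model of a source-NAT table with and without fixed port; it is not FortiOS code and not part of this article, and every IP address in it is constructed. It shows that a normal SNAT policy rewrites the source port that the SIP payload still advertises, while fixedport keeps the port but can then accept only one inside host that uses that source port towards the same server.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Constructed four-tuple of an inside connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SnatTable:
    """Toy model of a source-NAT table: inside flow -> translated source port."""
    def __init__(self, public_ip, fixedport, first_port=40000):
        self.public_ip = public_ip
        self.fixedport = fixedport
        self.next_port = first_port
        # key: (public ip, translated port, dst ip, dst port) already in use
        self.in_use = {}

    def translate(self, flow):
        """Return the translated source port, or None if the flow cannot be added."""
        if self.fixedport:
            port = flow.src_port            # preserve the original source port
        else:
            port = self.next_port           # pick a fresh port, as SNAT normally does
            self.next_port += 1
        key = (self.public_ip, port, flow.dst_ip, flow.dst_port)
        if key in self.in_use:
            # With fixedport a second inside host using the same source port to
            # the same server collides: only one such connection can be supported.
            return None
        self.in_use[key] = flow
        return port


def payload_port_matches_header(payload_port, translated_port):
    """The SIP Via/Contact header carries the port the phone believes it uses;
    once NAT rewrites the source port the two no longer agree."""
    return payload_port == translated_port


def demo(fixedport):
    """Two PBXes behind one public IP, both registering from source port 5060."""
    nat = SnatTable("203.0.113.10", fixedport)          # constructed public IP
    results = []
    for host in ("10.0.0.11", "10.0.0.12"):
        flow = Flow(host, 5060, "198.51.100.5", 5060)   # constructed SIP provider
        port = nat.translate(flow)
        results.append((port, port is not None and payload_port_matches_header(5060, port)))
    return results
```

demo(False) returns [(40000, False), (40001, False)]: both PBXes get a connection but the payload port no longer matches the header. demo(True) returns [(5060, True), (None, False)]: the header is consistent for the first PBX and the second one cannot be translated.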
To verify that fixed port (source port preservation) is in effect on the IP pool, run the following command and check the fixed-port field of the output:
diag firewall ippool list
list ippool info:(vf=root)
ippool 7.0: id=1, block-sz=60416, num-block=1, fixed-port=yes, use=2
Related articles:
- Technical Tip: Using 'set fixedport enable' in a policy with 'fixed-port-range' type ippool
- Technical Tip: How to preserve source port when central NAT is enabled