Description
This article describes how fixed port can be set on a firewall policy and some of the reasons this change is needed.
Scope
FortiGate.
Solution
A TCP/IP connection is identified by a five-element tuple: source IP address, source port, destination IP address, destination port, and protocol.
To establish a TCP/IP connection, only the destination IP and port number need to be specified; the operating system selects the source IP and port automatically. When source NAT (SNAT) is performed, the firewall translates the source port so that it can keep track of the individual connections for a particular service.
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection.
This happens when the source port in the packet header (changed by NAT) differs from the source port communicated inside the payload, as is the case with protocols such as SIP that carry addressing information in the application data.
Most common cases:
The solution is to preserve the source port on the policy so that no source port translation takes place. This setting can only be applied on policies where NAT is enabled.
Prior to FortiOS 7.4.4:
config firewall policy
    edit <ID>
        set fixedport enable
    next
end
However, enabling 'fixedport' means that only one connection at a time can be supported through the firewall for this service port, since every session keeps its original source port. This is acceptable for a local PBX that connects only to the SIP provider.
Starting with FortiOS 7.4.4, fine-tuning of the source port behavior for SNAT has been introduced. With this fine-tuning it is possible to change the default behavior, which is to keep the original source port if it is not already in use, and instead configure FortiGate to always change the source port during SNAT, using the next higher available port in the range.
The port-preserve option is available for both the central SNAT and for firewall policies when NAT is enabled.
To configure source port behavior in a firewall policy:
config firewall policy
    edit <ID>
        set port-preserve {enable | disable}
        set fixedport {enable | disable}
    next
end
This behavior can also be controlled with the 'Manage source port' option in the GUI. The 'Fixed Port' option will be visible after enabling 'Manage source port'.
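As an added example that is not part of the original article, the following shows a complete policy for the local PBX to SIP-provider case described above, with NAT enabled and the source port preserved, the FortiOS 7.4.4 variant that always rewrites the source port, and a session check to confirm the translated port. The policy ID, interface names, address objects and the signalling port used in the filter are assumed values.

```fortios
# Policy for the local PBX reaching the SIP provider (assumed names and ID).
# 'fixedport' only takes effect because 'nat' is enabled on the same policy.
config firewall policy
    edit 10
        set name "PBX-to-SIP-provider"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "PBX"
        set dstaddr "SIP-Provider"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
        set fixedport enable
    next
end

# FortiOS 7.4.4 and later: same policy, but when the source port should
# always be rewritten to the next higher free port in the range instead.
config firewall policy
    edit 10
        set port-preserve disable
        set fixedport disable
    next
end

# Verify: list sessions to the SIP signalling port (assumed 5060) and compare
# the original and translated source ports shown in the session entry.
diagnose sys session filter dport 5060
diagnose sys session list
diagnose sys session filter clear
```

With 'fixedport enable' the translated source port in the session entry equals the original one; with 'port-preserve disable' it is always rewritten.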
A 'one-to-one' IP pool can also be combined with the 'fixedport' setting on FortiGate. To verify the fixed-port status of an IP pool:
diag firewall ippool list
Related articles:
Technical Tip: Using 'set fixedport enable' in a policy with 'fixed-port-range' type ippool
Technical Tip: How to preserve source port when central NAT is enabled
Copyright 2025 Fortinet, Inc. All Rights Reserved.