FortiGate
alafrance
Staff

Description

This article describes what happens when a fixed-port-range IP pool is referenced by a firewall policy that also has fixedport enabled in its options.

An example configuration is given below:

config firewall policy
    edit 2
        set name "PC-Out"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "PC"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set fixedport enable
        set ippool enable
        set poolname "IPOOL-fixed-range"
    next
end
config firewall ippool
    edit "IPOOL-fixed-range"
        set type fixed-port-range
        set startip 172.25.188.15
        set endip 172.25.188.15
        set source-startip 192.168.2.169
        set source-endip 192.168.2.169
    next
end

This combination of settings is not currently supported by Fortinet, for the following reasons:

1. "set fixedport enable" in the policy options means that FortiOS will not translate the source port of the packet.

2. "fixed-port-range" as the ippool type means that FortiOS must translate the source port into a specific port range.

Because these two settings contradict each other, administrators may notice that traffic is initially accepted by the policy but is dropped later, when the session is re-evaluated after a configuration change or a routing-table update.

The flow debug tool (diagnose debug flow) may also report the following messages when the session is re-validated after a routing-table update or configuration change:

2017-10-10 11:22:59 id=20085 trace_id=51 func=print_pkt_detail line=5282 msg="vd-root received a packet(proto=6, 192.168.2.169:57095->172.25.188.161:22) from lan. flag [.], seq 903968189, ack 4119169303, win 16439"
2017-10-10 11:22:59 id=20085 trace_id=51 func=resolve_ip_tuple_fast line=5357 msg="Find an existing session, id-00000fda, original direction"
2017-10-10 11:22:59 id=20085 trace_id=51 func=iprope_reverse_dnat_check line=1097 msg="in-[lan], out-[wan1], skb_flags-02000000, vid-0"
2017-10-10 11:22:59 id=20085 trace_id=51 func=fw_strict_dirty_session_check line=277 msg="SNAT port 57095 != 60437, drop"

2017-10-10 11:22:59 id=20085 trace_id=52 func=print_pkt_detail line=5282 msg="vd-root received a packet(proto=6, 192.168.2.169:57095->172.25.188.161:22) from lan. flag [.], seq 903968189, ack 4119169303, win 16439"
2017-10-10 11:22:59 id=20085 trace_id=52 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-172.25.188.161 via wan1"
2017-10-10 11:22:59 id=20085 trace_id=52 func=fw_forward_dirty_handler line=337 msg="no session matched"


Solution

Because the two settings are incompatible, one of two approaches can be taken to resolve the problem:
  • If it is necessary to retain the fixed-port-range functionality of the ippool, then it is advised to disable fixedport within the policy referencing that particular ippool.
  • If fixedport is the desired behavior, then it becomes necessary to change the ippool type.
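As an added illustration that is not part of the original article and not a Fortinet tool, the following Python script checks a FortiOS configuration for exactly the unsupported combination described above (a policy with "set fixedport enable" that references an ippool of type fixed-port-range) and picks the "SNAT port ... drop" message out of flow-trace output. The minimal config parser, the function names and the sample config and trace lines are assumptions constructed for this example, modelled on the snippets on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config modelled on the article's example (not taken from a live device).
SAMPLE_CONFIG = """\
config firewall policy
    edit 2
        set name "PC-Out"
        set srcintf "lan"
        set dstintf "wan1"
        set nat enable
        set fixedport enable
        set ippool enable
        set poolname "IPOOL-fixed-range"
    next
end
config firewall ippool
    edit "IPOOL-fixed-range"
        set type fixed-port-range
        set startip 172.25.188.15
        set endip 172.25.188.15
    next
end
"""

# The same config with the first remediation from the article applied: fixedport disabled.
REMEDIATED_CONFIG = SAMPLE_CONFIG.replace("set fixedport enable", "set fixedport disable")

# Constructed flow-trace lines in the format shown in the article.
SAMPLE_TRACE = [
    '2017-10-10 11:22:59 id=20085 trace_id=51 func=iprope_reverse_dnat_check line=1097 '
    'msg="in-[lan], out-[wan1], skb_flags-02000000, vid-0"',
    '2017-10-10 11:22:59 id=20085 trace_id=51 func=fw_strict_dirty_session_check line=277 '
    'msg="SNAT port 57095 != 60437, drop"',
]

ConfigTables = Dict[str, Dict[str, Dict[str, str]]]


def parse_fortios(text: str) -> ConfigTables:
    """Minimal parser for the 'config <table> / edit <id> / set k v / next / end' grammar.

    Returns {table: {entry: {key: value}}}. Values are kept as raw strings with
    surrounding quotes removed; multi-value lists (e.g. several srcaddr objects) are
    left as one string, which is enough for this check.
    """
    tables: ConfigTables = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = line.split(None, 1)
        kw, rest = tok[0], (tok[1] if len(tok) > 1 else "")
        if kw == "config":
            table = rest
            tables.setdefault(table, {})
        elif kw == "edit" and table is not None:
            entry = rest.strip('"')
            tables[table][entry] = {}
        elif kw == "set" and table is not None and entry is not None:
            key, _, value = rest.partition(" ")
            tables[table][entry][key] = value.strip().strip('"')
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
    return tables


def find_fixedport_conflicts(tables: ConfigTables) -> List[str]:
    """List policies that enable fixedport while using a fixed-port-range ippool."""
    pools = tables.get("firewall ippool", {})
    conflicts: List[str] = []
    for pid, policy in tables.get("firewall policy", {}).items():
        if policy.get("nat") != "enable" or policy.get("ippool") != "enable":
            continue  # no source NAT via an IP pool, so the ippool type is irrelevant
        if policy.get("fixedport") != "enable":
            continue  # source port may be translated; no conflict
        for pool_name in policy.get("poolname", "").split():
            pool_name = pool_name.strip('"')
            if pools.get(pool_name, {}).get("type") == "fixed-port-range":
                conflicts.append(f"policy {pid} ({policy.get('name', '?')}) -> ippool {pool_name}")
    return conflicts


# Matches the dirty-session re-validation drop shown in the article's trace.
SNAT_DROP = re.compile(r'msg="SNAT port (\d+) != (\d+), drop"')


def snat_drops(trace_lines: List[str]) -> List[Tuple[int, int]]:
    """Return (original port, expected translated port) pairs for each SNAT drop line."""
    hits: List[Tuple[int, int]] = []
    for line in trace_lines:
        m = SNAT_DROP.search(line)
        if m:
            hits.append((int(m.group(1)), int(m.group(2))))
    return hits


if __name__ == "__main__":
    print("conflicts:", find_fixedport_conflicts(parse_fortios(SAMPLE_CONFIG)))
    print("after remediation:", find_fixedport_conflicts(parse_fortios(REMEDIATED_CONFIG)))
    print("SNAT drops in trace:", snat_drops(SAMPLE_TRACE))
```

Run against a "show full-configuration" export, the check reports each offending policy and the pool it references; the trace helper is a quick way to confirm that sessions dropped after a route or config change are failing on the port mismatch rather than on routing.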