FortiGate
alafrance
Staff
Article Id 194945

Description

This article describes the scenario in which a fixed-port-range IP pool is used within a firewall policy that also has fixed port enabled (policy setting). The combination is contradictory, and this article explains why traffic may be blocked.

Scope

FortiGate.

Solution

An example configuration is given below:
 
config firewall policy
    edit 2
        set name "PC-Out"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "PC"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set fixedport enable
        set ippool enable
        set poolname "IPOOL-fixed-range"
    next
end

config firewall ippool
    edit "IPOOL-fixed-range"
        set type fixed-port-range
        set startip 172.25.188.15
        set endip 172.25.188.15
        set source-startip 192.168.2.169
        set source-endip 192.168.2.169
    next
end


This combination of settings is not currently supported by Fortinet, for the following reasons:

  1. 'set fixedport enable' within the firewall policy options instructs FortiOS not to translate the source port of the packet.
  2. 'set type fixed-port-range' within the ippool options instructs FortiOS to translate the source port into a specific port range; for this pool type the translation is mandatory.

Because these settings are incompatible with each other, some administrators may notice that traffic is initially accepted by the policy but dropped later on, during a configuration change or a routing-table update.

The flow debug tool may also report the following message when the session is re-validated due to a routing-table update or configuration change:

trace_id=51 func=print_pkt_detail line=5282 msg="vd-root received a packet(proto=6, 192.168.2.169:57095->172.25.188.161:22) from lan. flag [.], seq 903968189, ack 4119169303, win 16439"
trace_id=51 func=resolve_ip_tuple_fast line=5357 msg="Find an existing session, id-00000fda, original direction"
trace_id=51 func=iprope_reverse_dnat_check line=1097 msg="in-[lan], out-[wan1], skb_flags-02000000, vid-0"
trace_id=51 func=fw_strict_dirty_session_check line=277 msg="SNAT port 57095 != 60437, drop"

trace_id=52 func=print_pkt_detail line=5282 msg="vd-root received a packet(proto=6, 192.168.2.169:57095->172.25.188.161:22) from lan. flag [.], seq 903968189, ack 4119169303, win 16439"
trace_id=52 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-172.25.188.161 via wan1"
trace_id=52 func=fw_forward_dirty_handler line=337 msg="no session matched"

To resolve the problem, one of the following two approaches can be taken:

  1. If it is necessary to retain the fixed-port-range functionality of the ippool, disable fixed port ('set fixedport disable') within every policy that references that particular ippool.
  2. If fixed port is the desired behavior, change the ippool type to one that does not mandate source-port translation (for example, overload).
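As an added example (not Fortinet's code), the following Python script scans a FortiOS configuration export for exactly this pairing, so the unsupported combination can be caught during a configuration review rather than discovered when sessions start being dropped. The sample configuration, pool names and policy IDs are constructed for the example.

```python
# Added audit check (not Fortinet's code): flag policies that pair 'set fixedport enable'
# with an ippool of type fixed-port-range, the unsupported combination described above.
import shlex
# Constructed sample config with hypothetical names, not a real FortiGate export.
SAMPLE_CONFIG = """\
config firewall policy
    edit 2
        set fixedport enable
        set ippool enable
        set poolname "IPOOL-overload" "IPOOL-fixed-range"
    next
end
config firewall ippool
    edit "IPOOL-fixed-range"
        set type fixed-port-range
    next
    edit "IPOOL-overload"
        set type overload
    next
end
"""

def parse_fortios(text):
    # Minimal config/edit/set parser: {section: {entry: {key: [values]}}}
    tree, stack, entry = {}, [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        cmd, args = tok[0], tok[1:]     # shlex keeps quoted names like "PC-Out" whole
        if cmd == "config":             # nested config blocks extend the section path
            stack.append(" ".join(args))
            tree.setdefault(" ".join(stack), {})
        elif cmd == "edit":
            entry = tree[" ".join(stack)].setdefault(args[0], {})
        elif cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]   # multi-valued keys (e.g. poolname) keep every value
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            stack.pop()
    return tree

def find_fixedport_conflicts(text):
    # Return [(policy_id, pool_name)] for each fixedport/fixed-port-range pairing
    tree = parse_fortios(text)
    pools = tree.get("firewall ippool", {})
    return [(pid, name) for pid, pol in tree.get("firewall policy", {}).items()
            if pol.get("fixedport") == ["enable"] and pol.get("ippool") == ["enable"]
            for name in pol.get("poolname", [])
            if pools.get(name, {}).get("type") == ["fixed-port-range"]]
```

Running `find_fixedport_conflicts` over a full `show full-configuration` export reports only the policies that reference a fixed-port-range pool while fixed port is enabled; the overload pool in the sample is correctly left alone.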

 

Related articles:

Technical Tip: Using Fixedport or Preserve Source Port on Firewall Policy

Technical Tip: How to preserve source port when central NAT is enabled