We are running 5.2.2 and using an IP Pool. We are using the default type of "Overload". We do not have the "Fixed Port" option checked on the policy, yet the Fortigate still uses the same source port rather than allocating a new one. According to the documentation, the normal operation is supposed to be that the Fortigate assigns a dynamic source port automatically. If you want the source port to remain the same, you're supposed to select the "Fixed Port" option on the policy.
We thought it might be an issue specific to IP Pools, so we chose the "Use Outgoing Interface Address" instead of selecting an IP Pool and got the same result. We believe this could be why we experienced the issue in the thread below. Does anyone know if this is expected behavior in 5.2.2? If it is, then I don't think the documentation is correct.
https://forum.fortinet.com/tm.aspx?m=120355
Could be, but your port-forward VIPs seem like an issue, from poking my head into the other thread. They are all using the same mapped port and the same hosts, if I followed your other post correctly.
    edit "vip.http.aaa"
        set extip 67.XXX.XXX.21-67.XXX.XXX.23
        set extintf "any"
        set portforward enable
        set mappedip "172.XXX.XXX.1-172.XXX.XXX.3"
        set extport 80
        set mappedport 80
    next
    edit "vip.http.bbb"
        set extip 67.XXX.XXX.25-67.XXX.XXX.27
        set extintf "any"
        set portforward enable
        set mappedip "172.XXX.XXX.1-172.XXX.XXX.3"
        set extport 80
        set mappedport 80
    next
As far as what port is used for the outgoing (source) traffic, that would depend on what the originating src_port of the client is. But what you should do is pull your diag sys session stat counters: do you have any clashes? The Fortigate should try to reuse the same ephemeral port of the client if possible and if it is not already in use.
Since the client is always incrementing the ephemeral port number, the src_port will never be re-used till it wraps around.
You can test this theory by picking a service port outbound and telnetting to the port with Wireshark running at the client. Now obviously, with two clients using the same src_port, one would be changed at the NAT-xlate stage for SNAT.
Can you post the policy that you tried to use again, and the new one with the src_nat ip_pool?
Have you tried this with "set match-vip disable", and do you have a trace?
PCNSE
NSE
StrongSwan
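The port-selection behaviour the reply describes (keep the client's ephemeral source port when it is free, rewrite it only on a clash, and refuse to rewrite when the policy pins the port) can be made concrete with a small simulation. This is an added example written for this page, not FortiOS code or anything posted by either participant; the flow tuples and the NAT address 203.0.113.10 are constructed, and the model assumes a port is "in use" only when the full (protocol, NAT IP, NAT port, destination IP, destination port) tuple already has a session, which is how most conntrack-style PAT tables work.

```python
"""Toy model of overload (PAT) source-port selection behind a NAT device.

Constructed example for illustration; it is not FortiOS code and the flows
below are made up. Two policies are modelled:
  - default: try to preserve the client's src_port, fall back to a fresh
    ephemeral port when the translated tuple already exists
  - fixed port: never rewrite src_port, so a clash cannot be translated
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatTable:
    nat_ip: str                      # translated (public) source address
    fixed_port: bool = False         # True models the policy's "Fixed Port" option
    ephemeral: tuple = (1024, 65535) # assumed fallback allocation range
    # key: (proto, nat_ip, nat_port, dst_ip, dst_port) -> original flow
    _used: dict = field(default_factory=dict)
    _next: int = 1024

    def _key(self, f: Flow, nat_port: int) -> tuple:
        return (f.proto, self.nat_ip, nat_port, f.dst_ip, f.dst_port)

    def translate(self, f: Flow) -> Optional[int]:
        """Return the post-SNAT source port, or None if the session cannot be created."""
        preserved = self._key(f, f.src_port)
        if preserved not in self._used:
            # No clash: the client's own ephemeral port survives translation.
            self._used[preserved] = f
            return f.src_port
        if self.fixed_port:
            # Fixed port: rewriting is forbidden, so a clash means no session.
            return None
        # Clash under the default policy: allocate a new port, skipping busy ones.
        lo, hi = self.ephemeral
        for _ in range(hi - lo + 1):
            cand = self._next
            self._next = lo if self._next >= hi else self._next + 1
            k = self._key(f, cand)
            if k not in self._used:
                self._used[k] = f
                return cand
        return None  # pool exhausted

    def clashes(self) -> int:
        """Number of sessions whose source port had to be rewritten."""
        return sum(1 for k, f in self._used.items() if k[2] != f.src_port)


def demo() -> dict:
    """Run the two policies over the same constructed flows and return the outcomes."""
    a = Flow("tcp", "192.0.2.11", 50000, "198.51.100.5", 80)
    b = Flow("tcp", "192.0.2.12", 50000, "198.51.100.5", 80)  # same src_port, same dst
    c = Flow("tcp", "192.0.2.12", 50000, "198.51.100.6", 80)  # same src_port, other dst

    default = PatTable("203.0.113.10")
    fixed = PatTable("203.0.113.10", fixed_port=True)
    return {
        "default": [default.translate(x) for x in (a, b, c)],
        "default_clashes": default.clashes(),
        "fixed": [fixed.translate(x) for x in (a, b, c)],
        "fixed_clashes": fixed.clashes(),
    }


if __name__ == "__main__":
    print(demo())
```

Under the default policy the first client keeps port 50000, the second client colliding on the same destination is moved to a fresh port, and the third flow keeps 50000 because its destination differs; with the fixed-port policy the colliding flow gets no session at all. That is the difference between "the source port happened to be preserved" (what the original post observed) and "the source port is forced to be preserved" (what the Fixed Port option asks for), and it is why the reply suggests checking the session counters for clashes rather than expecting a rewrite on every flow.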
Copyright 2024 Fortinet, Inc. All Rights Reserved.