Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

IP Pool - Fixed Port

We are running 5.2.2 and using an IP Pool. We are using the default type of "Overload". We do not have the "Fixed Port" option checked on the policy, yet the Fortigate still uses same source port rather than allocating a new one. According to the documentation, the normal operation is supposed to be that the Fortigate assigns a dynamic source port automatically. If you want to the source port to remain the same, you're supposed to select the "Fixed Port" option on the policy.


We thought it might be an issue specific to IP Pools, so we chose the "Use Outgoing Interface Address" instead of selecting an IP Pool and got the same result. We believe this could be why we experienced the issue in the thread below. Does anyone know if this is expected behavior in 5.2.2? If it is, then I don't think the documentation is correct.


Esteemed Contributor III

Could be, but you port forward vip seens like a issues from poking my head into the other thread. They are all using the same mapped port and to the same hosts if I followed your other post correctly.



edit ""         set extip 67.XXX.XXX.21-67.XXX.XXX.23         set extintf "any"         set portforward enable         set mappedip "172.XXX.XXX.1-172.XXX.XXX.3"         set extport 80         set mappedport 80     next     edit "vip.http.bbb"         set extip 67.XXX.XXX.25-67.XXX.XXX.27         set extintf "any"         set portforward enable         set mappedip "172.XXX.XXX.1-172.XXX.XXX.3"         set extport 80         set mappedport 80     next



As far as what port is used for the outgoing traffic  ( source ) that would  depend on what's the origination src_port of the client. But what you should do is pull your diag sys session stat counters do you  have any clashes? The fortigate should try to reuse the same ephemeral port of the "client" if possible and if not already in use.


Since the client is always incrementing the  ephemeral port# , the src_port will never be re-used till it wraps around.


You can test  this theory on by picking a service port outbound and telnet to the port with a wirehsark running at the client. Now obviously two clients using the same src_port one would be changed at the nat-xlate state for SNAT.


Can you post the policy that your tried to used again , and  the new one with the  src_nat ip_pool?


Have you tried this with  "set match-vip disable"  and do you have a trace?






PCNSE NSE StrongSwan
New Contributor

Experience the epitome of best ice cream nyc at Bambina Blue, where our menu is a doorway to a world of unparalleled dessert experiences. Our commitment to creating frozen delights that exceed expectations is evident in every carefully crafted option. From the velvety embrace of our creamy creations to the invigorating burst of flavor of our fruity treats, each bite promises a symphony of flavor that harmonizes with your senses. Join us for moments of true delight, where every spoonful is a study in the craftsmanship that defines our frozen offerings.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors