- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IP Pool: How to achieve port translation?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IP Pool: How to achieve port translation?
Hi all,
I've a doubt. I'm readying on how the IP pool with overload option should works. Documentation says that it should perform port translation but as I see from my logs the source port and the translated source port are always the same.
The IP pool contains only one IP.
Platform: Fortigate300D
FortiOS: 6.0.12
Many thanks,
Maurizio
Labels:
- Labels:
-
FortiGate
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Is there any benefit changing the source port? Please share the document which you are referring to.
Best regards,
Jin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/29961/dynamic-snat
Here is the document I am referring to.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to share the article, it does not specifically mention that port would be translated always, indeed it mentions about the number of available ports per ip for NAT overload. I agree with Adrian that the source port would be changed when multiple sources uses the same source port to same destination to avoid conflict/clash in outbound sessions considering 5 tuple. But using any/same source port does not hinder the session otherwise, and generally a dont care value. However, on occasions where source port is to be retained as it is and should be ensured that they are not altered when NAT overloaded, an option provided here is to use 'preserve source port'.
Best regards,
Jin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the explanation. Now it's clear to me how it works.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Source port will not always be translated. If there are low amount of sessions, there is high chance that the port will be the same. If you connect from 2 different sources with same ports, then you will see translated port.
Adrian
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Adrian, thanks for the explanation. I didn't find this in the documentation related to NAT overload.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps the missing detail you are looking for is that in overload IP-pool scenario (and also in the default SNAT over outgoing interface IP), the FortiGate will try to preserve the source port if possible. It will only change if it needs to do it to avoid a session clash.
The first device trying to use source-port 54321 will be source-NATed to the same source port as long as it is not used. A second device initiating a session with the same source-port will be source-NATed to a different source port.
This can be verified with a bit of python scripting:
import socket as sock
s = sock.socket(sock.AF_INET, sock.SOCK_STREAM)
s.bind(("0.0.0.0", 54321) # explicitly request source port 54321 from OS)
s.connect(("93.184.216.34", 80)) # IP for www.example.com
# stop and check debugs now
s.close() # to close the session/socket
-> Now run the script (without doing "s.close()" yet) on two clients, and check how the sessions get source-NATed.
The resulting NAT situation can be checked in FortiOS CLI with "get sys session list":
# get sys session list | grep 93.184.216.34
tcp 3598 10.19.5.147:54321 192.0.2.22:25738 93.184.216.34:80 -
tcp 3569 10.109.62.30:54321 192.0.2.22:54321 93.184.216.34:80 -
# note: Columns are: protocol | expiration time | source | source-NAT | destination | destination-NAT
Explanation:
Client 10.109.62.30 was the first to initiate a connection with source-port 54321 (it has shorter expiry time). You can see that the source-port is preserved post-SNAT in this case.
Client 10.19.5.147 was the second to initiate a connection with the same source-port 54321 to the same destination IP+port (important!), and as you can see the source-NAT port was moved because of it. (already "taken" by the first client)
[ corrections always welcome ]
Related Posts
- SSL-OffLoading (HTTP --> HTTPS) 386 Views
- Same VLAN on Hardware switch and... 307 Views
- Many to One Port Forwarding 213 Views
- DNS Virtual Server load balancing to... 226 Views
- FortiGate/FortiSwitch VLANs 354 Views
Labels
-
FortiGate
6,490 -
FortiClient
1,294 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.