FortiGate FG60 and outbound NAT

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
Hi All,

I am having a problem with my FG-60, and outbound NATing.

I am running an application that, when starting, registers at a
central server, which uses the source port as part of the registration
process, and, seeing that the port is NATed out, it is changed from
the original port.

I have tried setting up a Firewall policy, which is using NAT and the
Fixed Port setting (Without an IP Pool though), but I am not sure that
I have done it correctly, the behaviour didn't change at all (still
uses a random NATed port)

The docs and KB at Fortinet is lacking in information (or, I can't
find it at least), so, does anyone have a nugget of wisdom for me?

Disabling NAT or placing the server in a DMZ is not really an option.


Re: FortiGate FG60 and outbound NAT
Hello Peter,

Quoted text here. Click to load it

This is the right way to do this. But there are some limitations with this
solution. In order to maintain strict source-port policy you need a pool.

If you have enough outside IP addresses you can do a Virtual IP instead of
strict NAT'ing.
Helge Olav Helgesen

Re: FortiGate FG60 and outbound NAT
Hello Peter,

Quoted text here. Click to load it

I found this in the online documentation in the firewall:
Some network configurations do not operate correctly if a NAT policy translates
the source port of packets used by the connection. NAT translates source
ports to keep track of connections for a particular service. Select fixed
port for NAT policies to prevent source port translation. However, selecting
fixed port means that only one connection can be supported through the firewall
for this service. To be able to support multiple connections, add an IP pool
to the destination interface, and then select dynamic IP pool in the policy.
The firewall randomly selects an IP address from the IP pool and assigns
it to each connection. In this case the number of connections that the firewall
can support is limited by the number of IP addresses in the IP pool.
Helge Olav Helgesen

Site Timeline