FortiGate FG60 and outbound NAT - Firewalls



Thread: FortiGate FG60 and outbound NAT

  1. FortiGate FG60 and outbound NAT

    Hi All,

    I am having a problem with my FG-60, and outbound NATing.

    I am running an application that, when starting, registers at a
    central server, which uses the source port as part of the registration
    process, and, seeing that the port is NATed out, it is changed from
    the original port.

    I have tried setting up a Firewall policy, which is using NAT and the
    Fixed Port setting (without an IP Pool though), but I am not sure that
    I have done it correctly; the behaviour didn't change at all (it still
    uses a random NATed port).

    The docs and KB at Fortinet are lacking in information (or I can't
    find it, at least), so does anyone have a nugget of wisdom for me?

    Disabling NAT or placing the server in a DMZ is not really an option.


    /Peter

  2. Re: FortiGate FG60 and outbound NAT

    Hello Peter,

    > I have tried setting up a Firewall policy, which is using NAT and the
    > Fixed Port setting (Without an IP Pool though), but I am not sure that
    > I have done it correctly
    This is the right way to do this. But there are some limitations with this
    solution. In order to maintain strict source-port policy you need a pool.

    If you have enough outside IP addresses you can do a Virtual IP instead of
    strict NAT'ing.

    ---
    Helge Olav Helgesen
    http://www.helge.net



  3. Re: FortiGate FG60 and outbound NAT

    Hello Peter,

    > which is using NAT and the Fixed Port setting
    I found this in the online documentation in the firewall:
    Some network configurations do not operate correctly if a NAT policy translates
    the source port of packets used by the connection. NAT translates source
    ports to keep track of connections for a particular service. Select fixed
    port for NAT policies to prevent source port translation. However, selecting
    fixed port means that only one connection can be supported through the firewall
    for this service. To be able to support multiple connections, add an IP pool
    to the destination interface, and then select dynamic IP pool in the policy.
    The firewall randomly selects an IP address from the IP pool and assigns
    it to each connection. In this case the number of connections that the firewall
    can support is limited by the number of IP addresses in the IP pool.
    ---
    Helge Olav Helgesen
    http://www.helge.net
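As an added illustration (not code from this thread or from Fortinet), the Python model below mirrors the documentation text quoted above: with fixed port and no IP pool, a second inside host registering from the same source port to the same service cannot be translated, while a pool of n outside addresses allows n such connections. The addresses, the inside hosts and the port 5060 are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed model of source NAT with and without the "fixed port" option,
# following the quoted documentation. All addresses are placeholders.

@dataclass
class SourceNat:
    pool: list             # outside addresses; a single entry means no IP pool
    fixed_port: bool
    next_port: int = 40000
    # (outside_ip, outside_port, destination) -> (inside_ip, inside_port)
    table: dict = field(default_factory=dict)

    def translate(self, inside_ip, inside_port, dst):
        """Return the translated (ip, port), or None if no mapping is free."""
        if self.fixed_port:
            # The source port must survive translation, so only the outside
            # address can vary: one connection per pool address per service.
            for ip in self.pool:
                key = (ip, inside_port, dst)
                if key not in self.table:
                    self.table[key] = (inside_ip, inside_port)
                    return ip, inside_port
            return None  # pool exhausted for this source port and service
        # Ordinary NAT: pick a fresh outside port so many hosts share one address.
        ip = self.pool[0]
        key = (ip, self.next_port, dst)
        self.next_port += 1
        self.table[key] = (inside_ip, inside_port)
        return ip, key[1]


def register_three_hosts(fixed_port, pool_size):
    """Three inside hosts register from source port 5060 to one server.

    Returns (connections_accepted, connections_whose_source_port_changed).
    """
    pool = [f"203.0.113.{i}" for i in range(1, pool_size + 1)]  # constructed
    nat = SourceNat(pool, fixed_port)
    server = ("198.51.100.10", 5060)                            # constructed
    results = [nat.translate(f"10.0.0.{h}", 5060, server) for h in (1, 2, 3)]
    accepted = [r for r in results if r is not None]
    return len(accepted), sum(1 for ip, port in accepted if port != 5060)


if __name__ == "__main__":
    print(register_three_hosts(False, 1))  # (3, 3): NAT without fixed port rewrites every source port
    print(register_three_hosts(True, 1))   # (1, 0): fixed port, no pool: one connection only
    print(register_three_hosts(True, 3))   # (3, 0): fixed port with a pool of 3 addresses
```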