본문 바로가기

업무이야기/Security

Fortigate Port Restricted

by 쫑콩아빠 2013. 3. 10.
728x90

Fortigate Port Restricted

 

## Dynamic source NAT without changing the source port (one-to-one source NAT)

 

# Problem

Some protocols or services will only function if they use a specific source port, or a source port that does not change. Normally source NAT changes the source port to allow multiple simultaneous sessions.

 

# Solution

You can select the fixed port option to restrict the FortiGate unit to not translate the source port. This results in a one-to-one NAT configuration. One-to-one NAT limits the number of simultaneous sessions that are supported because one variable for tracking sessions (the source port number) is no longer available. To allow more sessions, one-to-one NAT is normally used with multiple external IPs added to an IP pool.

In this example, you enable one-to-one NAT by enabling the fixed port option in a security policy and adding an IP pool containing three IP addresses: 172.20.120.[13-15]. The fixed port option is enabled from the CLI so this entire example is configured from the CLI.

 

1 Enter the following command to add the IP pool:

config firewall ippool

edit Dynamic-Source

set startip 172.20.120.13

set endip 172.20.120.15

end

 

2 Enter the following command to add a security policy that allows users on the private network to access the Internet.

config firewall policy

edit 0

set srcintf internal

set srcaddr all

set dstintf wan1

set dstaddr all

set schedule always

set service ANY

set action accept

set nat enable

set fixedport enable

set ippool enable

set poolname Dynamic-Source

end

 

If you edit this policy from the web‑based manager, you will notice that the Fixed Port option is visible and is selected.

 

 

728x90