Fortigate Port Restricted
## Dynamic source NAT without changing the source port (one-to-one source NAT)
# Problem
Some protocols or services will only function if they use a specific source port, or a source port that does not change. Normally source NAT changes the source port to allow multiple simultaneous sessions.
# Solution
You can select the fixed port option to restrict the FortiGate unit to not translate the source port. This results in a one-to-one NAT configuration. One-to-one NAT limits the number of simultaneous sessions that are supported because one variable for tracking sessions (the source port number) is no longer available. To allow more sessions, one-to-one NAT is normally used with multiple external IPs added to an IP pool.
In this example, you enable one-to-one NAT by enabling the fixed port option in a security policy and adding an IP pool containing three IP addresses: 172.20.120.[13-15]. The fixed port option is enabled from the CLI so this entire example is configured from the CLI.
1 Enter the following command to add the IP pool:
config firewall ippool
edit Dynamic-Source
set startip 172.20.120.13
set endip 172.20.120.15
end
2 Enter the following command to add a security policy that allows users on the private network to access the Internet.
config firewall policy
edit 0
set srcintf internal
set srcaddr all
set dstintf wan1
set dstaddr all
set schedule always
set service ANY
set action accept
set nat enable
set fixedport enable
set ippool enable
set poolname Dynamic-Source
end
If you edit this policy from the web‑based manager, you will notice that the Fixed Port option is visible and is selected.
'업무이야기 > Security' 카테고리의 다른 글
| Juniper Firewall DHCP Server Configuration (0) | 2013.03.10 |
|---|---|
| Fortigate IPS DoS configuration Sample (0) | 2013.03.10 |
| Resetting a lost Fortigate Admin Password (1) | 2012.11.07 |
| FortiOS 5.0 Enhancement Summary (0) | 2012.10.23 |
| Introducing FortiOS 5.0 - More Security, More Control, More Intelligence (0) | 2012.10.23 |