FortiGate
jhouvenaghel_FTNT
Article Id 196918
Description
The related KB articles give information about the source NAT port range used by FortiOS. For example, article FD38719 (Source NAT port range for well-known port) and FD34348 (Source NAT port range has been changed on FortiOS firmware versions 4.2.9 and 4.3.2 and later).

In the case of a SLBC cluster, the source NAT port range used by the cluster is different from that which is described in these articles for some original source ports.

Scope
Tests have been done with FortiGate running 5.2.3.

Solution
For the tests and results described below, the SLBC cluster is made of one FortiController 5913C (slot 1) and 3 FortiGate 5001D blades (slots 3, 4 and 5).

In the FortiController, the parameter nat-source-port is configured to running-slots.

If the original source port is above 1024, the source NAT port will be in the range [5117, 65532].

More precisely:

- for slot 3 (ELBC master and configsync master blade) the source NAT port range will be [5117, 25253].
- for slot 4 the source NAT port range will be [25255, 45391].
- for slot 5 the source NAT port range will be [45393, 65532].

So far, this matches what is described in the other articles.

However, when the original source port is less than 1024, the source NAT port appears to fall in one of the ranges [512, 1362], [20820, 21160] or [41127, 41297].

More precisely:

- for slot 3 (ELBC master and configsync master blade) the source NAT port range will be [512, 1022] and [20820, 21160].
- for slot 4 the source NAT port range will be [682, 1192] and [41127, 41297].
- for slot 5 the source NAT port range will be [852, 1362].

There is an exception to what is stated above: in the specific case where the original source port and original destination port are identical (both less than 1024), it was noted that the source NAT port was equal to the original source port for a source port equal to 9 or to 123.
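As an added example (not from the article or Fortinet), the following Python helper encodes the ranges observed above for this specific cluster layout (5913C controller, blades in slots 3, 4 and 5, nat-source-port set to running-slots) and attributes a translated port to a blade slot when troubleshooting a session; it flags the overlap between the low-port ranges and the documented 9/123 exception. The session records are constructed sample values.

```python
"""Attribute an observed source-NAT port to the SLBC blade that handled it."""
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Ranges observed when the original source port is above 1024.
HIGH_RANGES: Dict[int, List[Range]] = {
    3: [(5117, 25253)],
    4: [(25255, 45391)],
    5: [(45393, 65532)],
}

# Ranges observed when the original source port is below 1024.
# The first range of each slot overlaps the others, so a NAT port in
# 852..1022 can belong to any of the three blades.
LOW_RANGES: Dict[int, List[Range]] = {
    3: [(512, 1022), (20820, 21160)],
    4: [(682, 1192), (41127, 41297)],
    5: [(852, 1362)],
}

# Exception noted in the article: src port == dst port (< 1024) and src
# port 9 or 123 left the source port untranslated.
PASSTHROUGH_PORTS = {9, 123}


def classify(orig_sport: int, orig_dport: int, nat_sport: int) -> Tuple[str, List[int]]:
    """Return (verdict, candidate_slots) for one translated session."""
    if orig_sport < 1024 and orig_sport == orig_dport and orig_sport in PASSTHROUGH_PORTS:
        # Documented exception: the port should come out unchanged.
        return ("passthrough", []) if nat_sport == orig_sport else ("unexpected", [])
    if orig_sport > 1024:
        table = HIGH_RANGES
    elif orig_sport < 1024:
        table = LOW_RANGES
    else:
        return ("undocumented", [])  # port 1024 itself is not covered by the article
    slots = [s for s, ranges in table.items()
             if any(lo <= nat_sport <= hi for lo, hi in ranges)]
    if not slots:
        return ("outside-documented-range", [])  # worth a closer look
    return ("ambiguous" if len(slots) > 1 else "ok", slots)


# Constructed sample sessions: (orig_sport, orig_dport, nat_sport).
SAMPLE_SESSIONS = [(40000, 443, 30000), (1000, 53, 900), (1000, 53, 41200),
                   (123, 123, 123), (40000, 443, 25254)]


def report(sessions=SAMPLE_SESSIONS) -> List[Tuple[str, List[int]]]:
    return [classify(*s) for s in sessions]
```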

Related Articles

Technical Note: Source NAT port range for well-known port

Technical Note: Source NAT port range has been changed on FortiOS firmware versions 4.2.9 and 4.3.2 ...
