FortiGate
gmanea
Staff
Article Id 195738

Description

This article explains how to enable fixedport on a firewall policy so that the source port is preserved through NAT.
A TCP/IP connection is identified by a four-element tuple:

  • source IP.
  • source port.
  • destination IP.
  • destination port.

To establish a TCP/IP connection, only the destination IP and port number need to be specified; the operating system automatically selects the source IP and port.

Scope
Fixed Port:

Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service.

Dynamic IP Pool:

Randomly selects an IP address from the IP pool and assigns it to each connection.

Solution
From the CLI, enable fixedport on the NAT firewall policy to prevent source port translation:

config firewall policy
    edit <ID>
        set nat enable
        set fixedport enable
    next
end
 
However, enabling fixedport means that only one connection can be supported through the firewall for this service.
 
To support multiple connections, add an IP pool and then select Dynamic IP pool in the firewall policy.
 
From the GUI, enable the Preserve Source Port option when configuring a security policy for NAT policies to prevent source port translation:

[Image: Preserve Source Port option in the firewall policy NAT settings]

 

Verify that fixed port (preserve source port) is active on the IP pool:

diag firewall ippool list
list ippool info:(vf=root)
ippool 7.0: id=1, block-sz=60416, num-block=1, fixed-port=yes, use=2
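As an added illustration that is not part of this article or of FortiOS, the following Python model shows why fixedport on a single translated address leaves room for only one connection per service (the translated 4-tuple would repeat), how a dynamic IP pool restores multiple connections, and how to pick the fixed-port field out of the diag output above. All IP addresses and ports are constructed sample values.

```python
"""Illustrative model of source NAT with and without fixedport (not FortiOS code)."""
import random
import re
from dataclasses import dataclass, field


@dataclass
class SourceNat:
    """pool = translated source IPs (one entry = no IP pool); fixedport mirrors 'set fixedport enable'."""
    pool: list
    fixedport: bool
    # Live mappings keyed by the translated 4-tuple; a NAT device cannot hand out the same one twice.
    used: set = field(default_factory=set)

    def translate(self, src_port, dst_ip, dst_port):
        """Return (nat_ip, nat_port) for a new connection, or None if no unique tuple is free."""
        # Dynamic IP pool behaviour: randomly select an address from the pool.
        for nat_ip in random.sample(self.pool, len(self.pool)):
            # fixedport: the source port must survive translation unchanged.
            ports = [src_port] if self.fixedport else range(1024, 65536)
            for nat_port in ports:
                key = (nat_ip, nat_port, dst_ip, dst_port)
                if key not in self.used:
                    self.used.add(key)
                    return nat_ip, nat_port
        return None  # exhausted: this connection cannot be translated


def demo(pool, fixedport):
    """Two internal hosts open the same service at once (same source and destination port)."""
    nat = SourceNat(pool, fixedport)
    first = nat.translate(4500, "203.0.113.10", 4500)   # constructed sample values
    second = nat.translate(4500, "203.0.113.10", 4500)
    return first, second


def ippool_fixed_port(diag_output):
    """Parse 'diag firewall ippool list' output into {pool id: fixed-port enabled?}."""
    return {int(m.group(1)): m.group(2) == "yes"
            for m in re.finditer(r"id=(\d+),.*?fixed-port=(yes|no)", diag_output)}


if __name__ == "__main__":
    print(demo(["198.51.100.1"], fixedport=True))                   # second connection -> None
    print(demo(["198.51.100.1", "198.51.100.2"], fixedport=True))   # both succeed, different IPs
    print(demo(["198.51.100.1"], fixedport=False))                  # both succeed, ports differ
    sample = "ippool 7.0: id=1, block-sz=60416, num-block=1, fixed-port=yes, use=2"
    print(ippool_fixed_port(sample))                                # {1: True}
```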

 

Related Article:

Technical Tip : Routing with IP Pool Address Configuration