FortiGate
ymorohashi
Staff
Article Id 191370
Description
The related article "Technical Note: Source NAT port range has been changed on FortiOS firmware versions 4.2.9 and 4.3.2 (and later)" explains that a source port will be translated within the range from 5117 to 65532.

However, in the following session info the source "210.20.0.1 UDP port 1" is translated to "172.20.0.1 UDP port 512". This port "512" is apparently outside that range:

session info: proto=17 proto_state=00 duration=75 expire=104 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty log-start acct-ext
statistic(bytes/packets/allow_err): org=28/1/0 reply=56/1/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=3->2/2->3 gwy=210.10.0.250/210.20.0.1
hook=post dir=org act=snat 210.20.0.1:1->210.10.0.250:80(172.20.0.1:512)
hook=pre dir=reply act=dnat 210.10.0.250:80->172.20.0.1:512(210.20.0.1:1)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=1
serial=000142ea tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
per_ip_bandwidth meter: addr=210.20.0.1, bps=182
total session 1


Solution
FortiOS uses separate source NAT port ranges for well-known source ports and for high source ports.
  • When the original source port is a well-known port, the translated port is taken from 512 (0x0200) to 1022 (0x03FE).
  • When the original source port is a high port, the translated port is taken from 5117 (0x13FD) to 65532 (0xFFFC).
In the session above the original source port is 1, a well-known port, so the translated port 512 falls within the first range and is expected behaviour.
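The following is an added example, not part of the original article or FortiOS itself: it parses the "act=snat" line of a FortiOS session entry and checks that the translated source port lies in the range the article gives for that kind of original port. It assumes "well-known" means an original source port below 1024; the sample lines are constructed, modelled on the session output above.

```python
import re

# Source NAT port ranges stated in the article (FortiOS 4.2.9 / 4.3.2 and later).
WELL_KNOWN_SNAT_RANGE = (0x0200, 0x03FE)   # 512..1022, used for well-known original source ports
HIGH_SNAT_RANGE = (0x13FD, 0xFFFC)         # 5117..65532, used for high original source ports

# Assumption: a "well-known" source port is one below 1024 (the IANA system port range).
WELL_KNOWN_MAX = 1023

# Matches e.g. "hook=post dir=org act=snat 210.20.0.1:1->210.10.0.250:80(172.20.0.1:512)"
SNAT_RE = re.compile(
    r"hook=post\s+dir=org\s+act=snat\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\)"
)


def parse_snat(line):
    """Return (original_source_port, translated_port) from an snat session line, or None."""
    m = SNAT_RE.search(line)
    if not m:
        return None
    return int(m.group("sport")), int(m.group("nat_port"))


def expected_range(orig_port):
    """Range the article says FortiOS picks the translated port from, given the original port."""
    return WELL_KNOWN_SNAT_RANGE if orig_port <= WELL_KNOWN_MAX else HIGH_SNAT_RANGE


def check_snat_line(line):
    """True if the translated port is in the expected range, False if not, None if not an snat line."""
    parsed = parse_snat(line)
    if parsed is None:
        return None
    orig_port, nat_port = parsed
    lo, hi = expected_range(orig_port)
    return lo <= nat_port <= hi


# Constructed sample lines (not real device output): the article's case, a normal high port,
# and a translated port that would be outside both documented ranges.
SAMPLE_LINES = [
    "hook=post dir=org act=snat 210.20.0.1:1->210.10.0.250:80(172.20.0.1:512)",
    "hook=post dir=org act=snat 210.20.0.1:40000->210.10.0.250:80(172.20.0.1:5117)",
    "hook=post dir=org act=snat 210.20.0.1:40001->210.10.0.250:80(172.20.0.1:1024)",
]


def audit(lines):
    """Map each snat line to whether its translated port is in the documented range."""
    return {ln: check_snat_line(ln) for ln in lines if check_snat_line(ln) is not None}
```

Lines that return False are worth a second look, since the translated port matches neither documented range.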

Related Articles

Technical Note: Source NAT port range has been changed on FortiOS firmware versions 4.2.9 and 4.3.2 ...
