CLI Reference

firewall {policy46 | policy64}

Use this command to configure policies that translate between IPv4 and IPv6 (NAT46 and NAT64).

  • Use config firewall policy46 for IPv4-to-IPv6 (NAT46) policies
  • Use config firewall policy64 for IPv6-to-IPv4 (NAT64) policies

Each policy has a Universally Unique IDentifier (UUID) that is automatically assigned. To view it, use the command get firewall policy46 or get firewall policy64 and look for the uuid field. The UUID can also be set manually, but traffic logs identify the matching policy by this UUID (the poluuid log field), so resetting it breaks the link between existing log records and the policy; leave it alone unless you have a reason to change it.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command                          Description
set ippool {enable | disable}    Enable or disable the use of IP pools for source NAT in NAT46 policies.
set poolname <name>              Name(s) of the IPv6 IP pool(s) (firewall ippool6 objects) to draw from when ippool is enabled.

config firewall policy46
    edit {policyid}
    # Configure IPv4 to IPv6 policies.
        set permit-any-host {enable | disable}   Enable/disable accepting UDP packets from any host.
        set policyid {integer}   Policy ID. range[0-4294967294]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set srcintf {string}   Source interface name. size[35] - datasource(s): system.zone.name,system.interface.name
        set dstintf {string}   Destination interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        config srcaddr
            edit {name}
            # Source address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Destination address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.vip46.name,firewall.vipgrp46.name
            next
        set action {accept | deny}   Accept or deny traffic matching the policy.
                accept  Accept matching traffic.
                deny    Deny matching traffic.
        set status {enable | disable}   Enable/disable this policy.
        set schedule {string}   Schedule name. size[35] - datasource(s): firewall.schedule.onetime.name,firewall.schedule.recurring.name,firewall.schedule.group.name
        config service
            edit {name}
            # Service name.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set logtraffic {enable | disable}   Enable/disable traffic logging for this policy.
        set traffic-shaper {string}   Traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set traffic-shaper-reverse {string}   Reverse traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set per-ip-shaper {string}   Per IP traffic shaper. size[35] - datasource(s): firewall.shaper.per-ip-shaper.name
        set fixedport {enable | disable}   Enable to prevent source NAT from changing the session's source port.
        set tcp-mss-sender {integer}   TCP Maximum Segment Size value of sender (0 - 65535, default = 0). range[0-65535]
        set tcp-mss-receiver {integer}   TCP Maximum Segment Size value of receiver (0 - 65535, default = 0) range[0-65535]
        set comments {string}   Comment. size[1023]
        set ippool {enable | disable}   Enable/disable use of IP Pools for source NAT.
        config poolname
            edit {name}
            # IP Pool names.
                set name {string}   IP pool name. size[64] - datasource(s): firewall.ippool6.name
            next
    next
end
config firewall policy64
    edit {policyid}
    # Configure IPv6 to IPv4 policies.
        set policyid {integer}   Policy ID. range[0-4294967294]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set srcintf {string}   Source interface name. size[35] - datasource(s): system.zone.name,system.interface.name
        set dstintf {string}   Destination interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        config srcaddr
            edit {name}
            # Source address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr
            edit {name}
            # Destination address objects.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.vip64.name,firewall.vipgrp64.name
            next
        set action {accept | deny}   Accept or deny traffic matching the policy.
                accept  Accept matching traffic.
                deny    Deny matching traffic.
        set status {enable | disable}   Enable/disable this policy.
        set schedule {string}   Schedule name. size[35] - datasource(s): firewall.schedule.onetime.name,firewall.schedule.recurring.name,firewall.schedule.group.name
        config service
            edit {name}
            # Service name.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set logtraffic {enable | disable}   Enable/disable traffic logging for this policy.
        set permit-any-host {enable | disable}   Enable/disable accepting UDP packets from any host.
        set traffic-shaper {string}   Traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set traffic-shaper-reverse {string}   Reverse traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set per-ip-shaper {string}   Per-IP traffic shaper. size[35] - datasource(s): firewall.shaper.per-ip-shaper.name
        set fixedport {enable | disable}   Enable to prevent source NAT from changing the session's source port.
        set ippool {enable | disable}   Enable/disable use of IP Pools for source NAT.
        config poolname
            edit {name}
            # IP Pool names.
                set name {string}   IP pool name. size[64] - datasource(s): firewall.ippool.name
            next
        set tcp-mss-sender {integer}   TCP Maximum Segment Size value of sender (0 - 65535, default = 0). range[0-65535]
        set tcp-mss-receiver {integer}   TCP Maximum Segment Size value of receiver (0 - 65535, default = 0). range[0-65535]
        set comments {string}   Comment. size[1023]
    next
end
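The reference above lists, for each address and pool field, which object types (the datasource(s)) a policy46 or policy64 entry may reference, and which settings (logtraffic, ippool with poolname, permit-any-host) change what a policy accepts or records. The following Python script is an added example, not Fortinet code: it parses a constructed configuration in the form that `show firewall policy64` prints (the CLI accepts `set srcaddr "a" "b"` for the fields the reference shows as nested config blocks) and audits every policy against the datasource rules and a few hygiene checks. The object inventory, the interface names and every object name in it (v6-clients, vip64-web, nat64-pool and so on) are assumptions made up for the example.

```python
"""Audit FortiOS policy46/policy64 CLI text against the rules this reference lists.
Added example, not Fortinet code; inventory, policies and object names are made up."""
import shlex

# Per table, the address and pool fields and the datasource(s) the reference allows.
DATASOURCES = {
    "policy46": {  # IPv4 -> IPv6
        "srcaddr": ("firewall.address", "firewall.addrgrp"),
        "dstaddr": ("firewall.vip46", "firewall.vipgrp46"),
        "poolname": ("firewall.ippool6",),
    },
    "policy64": {  # IPv6 -> IPv4
        "srcaddr": ("firewall.address6", "firewall.addrgrp6"),
        "dstaddr": ("firewall.address", "firewall.addrgrp",
                    "firewall.vip64", "firewall.vipgrp64"),
        "poolname": ("firewall.ippool",),
    },
}
LIST_FIELDS = {"srcaddr", "dstaddr", "service", "poolname"}  # multi-valued fields

# Constructed inventory standing in for the objects `get` would show on a unit.
OBJECTS = {
    "firewall.address": {"all", "v4-clients"},
    "firewall.address6": {"all", "v6-clients"},
    "firewall.vip46": {"vip46-app"},
    "firewall.vip64": {"vip64-web"},
    "firewall.ippool": {"nat64-pool"},
    "firewall.ippool6": {"nat46-pool6"},
}

# Constructed sample in the form `show firewall policy64` prints; the CLI takes
# `set srcaddr "a" "b"` for the fields the reference shows as nested blocks.
SAMPLE_CONFIG = """config firewall policy64
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "v6-clients"
        set dstaddr "vip64-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic enable
        set ippool enable
        set poolname "nat64-pool"
    next
    edit 2
        set srcaddr "v4-clients"
        set dstaddr "vip64-web"
        set action accept
        set service "ALL"
        set permit-any-host enable
        set ippool enable
    next
end
"""

def parse(text):
    """Return {(table, policyid): {field: value or list}} from CLI text."""
    policies, table, pid, fields = {}, None, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[:2] == ["config", "firewall"] and tok[-1] in DATASOURCES:
            table = tok[-1]
        elif tok[0] == "edit" and table:
            pid, fields = int(tok[1]), {}
        elif tok[0] == "set" and fields is not None:
            fields[tok[1]] = tok[2:] if tok[1] in LIST_FIELDS else tok[2]
        elif tok[0] == "next" and fields is not None:
            policies[(table, pid)], fields = fields, None
        elif tok[0] == "end":
            table = None
    return policies

def audit(policies, objects=OBJECTS):
    """Return sorted (table, policyid, message) findings."""
    findings = []
    for (table, pid), f in policies.items():
        def note(msg):
            findings.append((table, pid, msg))
        # Every referenced object must live in a datasource the field allows
        # (this catches an IPv4 address object wired into a policy64 srcaddr).
        for field, sources in DATASOURCES[table].items():
            for name in f.get(field, []):
                if not any(name in objects.get(s, ()) for s in sources):
                    note(f"{field} '{name}' is not in {'/'.join(sources)}")
        accept = f.get("action") == "accept"  # FortiOS defaults action to deny
        if accept and f.get("logtraffic") != "enable":
            note("accept policy without 'set logtraffic enable'")
        if f.get("ippool") == "enable" and not f.get("poolname"):
            note("ippool enabled but no poolname set")
        if accept and f.get("permit-any-host") == "enable":
            note("permit-any-host enabled on an accept policy")  # UDP from any host
    return sorted(findings)

if __name__ == "__main__":
    for table, pid, msg in audit(parse(SAMPLE_CONFIG)):
        print(f"{table} id {pid}: {msg}")
```

Run it as-is to audit the embedded sample, or feed parse() the output of `show firewall policy46` / `show firewall policy64` together with a real object inventory. Policy 1 in the sample is clean; policy 2 trips every check: an IPv4 address object in a policy64 source field, an accept rule that logs nothing, ippool enabled with no pool to draw from, and permit-any-host on an accept rule.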

Additional information

The following section is for those options that require additional explanation.
