firewall {address | address6}
Use this command to configure the firewall addresses that firewall policies reference. An IPv4 firewall address (address) can be an IP address with a subnet mask, an IP address range, a fully qualified domain name with or without wildcard characters, an IP address with a wildcard mask, all addresses registered to a country, or a dynamic set of addresses learned from an SDN connector. An IPv6 firewall address (address6) can be an IPv6 prefix, an IPv6 address range, a fully qualified domain name, a dynamic SDN address, or an address built from an IPv6 address template. Addresses, address groups, and virtual IPs share one namespace and must have unique names to avoid confusion in firewall policies. An address that is referenced by a policy cannot be deleted until it is removed from that policy.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description
---|---
config firewall address6 / edit <name> / set type {template | ...} / set template <ipv6-template> / set host-type {any | specific} / set host <ipv6-addr> / config subnet-segment ... | New. Note that the [...] Also note that [...]
config firewall address6 / edit <name> / set type {fqdn | ...} / set cache-ttl <seconds> | New. Note that [...]
config firewall address
    edit {name}
    # Configure IPv4 addresses.
        set name {string}   Address name. size[63]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set subnet {ipv4 classnet any}   IP address and subnet mask of address.
        set type {option}   Type of address.
                ipmask          Standard IPv4 address with subnet mask.
                iprange         Range of IPv4 addresses between two specified addresses (inclusive).
                fqdn            Fully Qualified Domain Name address.
                geography       IP addresses from a specified country.
                wildcard        Standard IPv4 using a wildcard subnet mask.
                wildcard-fqdn   Fully Qualified Domain Name with wildcard characters.
                dynamic         Dynamic address object for SDN.
        set start-ip {ipv4 address any}   First IP address (inclusive) in the range for the address.
        set end-ip {ipv4 address any}   Final IP address (inclusive) in the range for the address.
        set fqdn {string}   Fully Qualified Domain Name address. size[255]
        set country {string}   IP addresses associated to a specific country. size[2]
        set wildcard-fqdn {string}   Fully Qualified Domain Name with wildcard characters. size[255]
        set cache-ttl {integer}   Defines the minimal TTL of individual IP addresses in FQDN cache measured in seconds. range[0-86400]
        set wildcard {ipv4 classnet any}   IP address and wildcard netmask.
        set sdn {option}   SDN.
                aci         Application Centric Infrastructure.
                aws         Amazon Web Services.
                azure       Microsoft Azure.
                gcp         Google Cloud Platform.
                nsx         VMware NSX.
                nuage       Nuage Virtualized Services Platform.
                oci         Oracle Cloud Infrastructure.
                openstack   OpenStack.
        set tenant {string}   Tenant. size[35]
        set organization {string}   Organization domain name (Syntax: organization/domain). size[35]
        set epg-name {string}   Endpoint group name. size[255]
        set subnet-name {string}   Subnet name. size[255]
        set sdn-tag {string}   SDN Tag. size[15]
        set policy-group {string}   Policy group name. size[15]
        set comment {string}   Comment. size[255]
        set visibility {enable | disable}   Enable/disable address visibility in the GUI.
        set associated-interface {string}   Network interface associated with address. size[35] - datasource(s): system.interface.name,system.zone.name
        set color {integer}   Color of icon on the GUI. range[0-32]
        set filter {string}   Match criteria filter. size[255]
        set obj-id {string}   Object ID for NSX. size[255]
        config list
            edit {ip}
            # IP address list.
                set ip {string}   IP. size[35]
            next
        config tagging
            edit {name}
            # Config object tagging.
                set name {string}   Tagging entry name. size[63]
                set category {string}   Tag category. size[63] - datasource(s): system.object-tagging.category
                config tags
                    edit {name}
                    # Tags.
                        set name {string}   Tag name. size[64] - datasource(s): system.object-tagging.tags.name
                    next
            next
        set allow-routing {enable | disable}   Enable/disable use of this address in the static route configuration.
    next
end

config firewall address6
    edit {name}
    # Configure IPv6 firewall addresses.
        set name {string}   Address name. size[63]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set type {option}   Type of IPv6 address object (default = ipprefix).
                ipprefix   Uses the IP prefix to define a range of IPv6 addresses.
                iprange    Range of IPv6 addresses between two specified addresses (inclusive).
                fqdn       Fully qualified domain name.
                dynamic    Dynamic address object for SDN.
                template   Template.
        set sdn {nsx}   SDN.
                nsx   VMware NSX.
        set ip6 {ipv6 network}   IPv6 address prefix (format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx).
        set start-ip {ipv6 address}   First IP address (inclusive) in the range for the address (format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).
        set end-ip {ipv6 address}   Final IP address (inclusive) in the range for the address (format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).
        set fqdn {string}   Fully qualified domain name. size[255]
        set cache-ttl {integer}   Minimal TTL of individual IPv6 addresses in FQDN cache. range[0-86400]
        set visibility {enable | disable}   Enable/disable the visibility of the object in the GUI.
        set color {integer}   Integer value to determine the color of the icon in the GUI (range 1 to 32, default = 0, which sets the value to 1). range[0-32]
        set obj-id {string}   Object ID for NSX. size[255]
        config list
            edit {ip}
            # IP address list.
                set ip {string}   IP. size[89]
            next
        config tagging
            edit {name}
            # Config object tagging.
                set name {string}   Tagging entry name. size[63]
                set category {string}   Tag category. size[63] - datasource(s): system.object-tagging.category
                config tags
                    edit {name}
                    # Tags.
                        set name {string}   Tag name. size[64] - datasource(s): system.object-tagging.tags.name
                    next
            next
        set comment {string}   Comment. size[255]
        set template {string}   IPv6 address template. size[63] - datasource(s): firewall.address6-template.name
        config subnet-segment
            edit {name}
            # IPv6 subnet segments.
                set name {string}   Name. size[63]
                set type {any | specific}   Subnet segment type.
                        any        Wildcard.
                        specific   Specific subnet segment address.
                set value {string}   Subnet segment value. size[35]
            next
        set host-type {any | specific}   Host type.
                any        Wildcard.
                specific   Specific host address.
        set host {ipv6 address}   Host Address.
    next
end
Additional information
The following section is for those options that require additional explanation.
Syntax
config firewall {address | address6} {edit|delete|rename|get|show} <name_str>
Managing objects
Commands such as this one center around the management and configuration of objects: discrete chunks of configuration that are meant to stay consistent wherever other processes within the software use them. Because the object is referenced rather than copied, changing a setting on the object changes it everywhere it is used. In reality, an object is a row of values in a table in the software, but it is simpler to think of it as a self-contained unit.
The configuration of settings within the individual objects is the most common activity in the configuration process, but there is also a need to manage the objects as a whole and there are some commands that are used for that purpose.
Depending on which configuration command you are using these are some of the object management commands that will be available to you (not all options will be available for all objects):
edit
This command is used to select or create an individual object for the purpose of configuring or editing setting values.
Some objects use a string of characters and others use an ID number, where the number is an integer. To know which identification type is being used, check the listing of options above. If the option refers to a variable with ID in the name or the value type is designated as "{ integer }", it uses an ID number. If the variable used is along the lines of "{ name }" or the value type is designated as "{ string }", it will have a name that you can enter.
{ string }
To get a list of all of the existing objects, type the command:
edit ?
If you are creating a new object, type the name you wish to use after the edit command. If there are spaces in the name, enclose it in quotation marks.
{ integer } or ID #
When creating a new object with an ID #, you can use the command:
edit 0
The system will automatically give the new object an ID # of the next available number.
delete
This command is used to delete an existing object.
delete <object name> or <object ID #>
- For address objects the name is a string of up to 63 characters (size[63] in the listing above).
purge
Used to delete all of the existing objects of this configuration type. It deletes every row of the table that holds these objects within the VDOM.
- There are no options, parameters or qualifiers. Just press Enter after entering the command.
- This command has a serious impact: every address in the VDOM is removed. Use cautiously.
move
Some objects, usually policies or objects similar in function, are processed sequentially, so their order matters. The move command changes the position of one object relative to another. The syntax for this command is:
move <id#> [before|after] <id#>
The command is essentially a sentence stating: move this object before (or after) that one.
rename
Used to change the name of the object.
rename <name of object> to <new name of object>
show
This command shows the non-default settings of all the objects of this type. IPv4 and IPv6 versions of the type are treated separately.
The command show full-configuration
gives an output of all current settings regardless of whether the values are default or not.
name
This field is the unique name that represents the address object. It is first defined when the edit command is used with a name that does not currently exist. This setting is available for both address and address6.
The name field of an address object cannot be changed from within the object. Change it with the rename command in the config firewall address or config firewall address6 context.
uuid
Each object has a Universally Unique Identifier (UUID) that is assigned automatically. It is a 128-bit value written in hexadecimal. It can be reset manually, but in normal use it is left autogenerated.
This setting is available for both address and address6.
Syntax:
set uuid <uuid>
Default value: autogenerated
Example:
config firewall address
    edit example.com
        set uuid d38e0dca-b80c-51e6-1180-6863e1b9ea9a
end
subnet
The IP address and subnet mask of the address. Depending on the subnet mask this defines a single host (a /32 mask) or a whole network. Note that the default value 0.0.0.0 0.0.0.0 matches every IPv4 address, so an ipmask object whose subnet is left unset behaves like the built-in all address. This setting is only available for address.
This option is available only if the type option is set to ipmask.
Syntax:
set subnet <ipv4-classnet-any>
Default value: 0.0.0.0 0.0.0.0
Example:
config firewall address
    edit example.com
        set type ipmask
        set subnet 192.168.1.1 255.255.255.255
end
or, equivalently, in CIDR notation:
config firewall address
    edit example.com
        set type ipmask
        set subnet 192.168.1.1/32
end
type
This field sets the type of address object. There are two sets of types: one for IPv4 addresses (address) and one for IPv6 addresses (address6). The type chosen determines which of the other fields (subnet, start-ip and end-ip, fqdn, country, wildcard, ip6, and so on) apply to the object.
IPv4 types
ipmask - a standard IPv4 address with subnet mask
iprange - a range of IPv4 addresses between two specified addresses (inclusive)
fqdn - a Fully Qualified Domain Name address
geography - IP addresses from a specified country
wildcard - a standard IPv4 address using a wildcard subnet mask
wildcard-fqdn - a Fully Qualified Domain Name with wildcard characters
dynamic - a dynamic address object populated from an SDN connector
IPv6 types
ipprefix - uses the IP prefix to define a range of IPv6 addresses
iprange - a range of IPv6 addresses between two specified addresses (inclusive)
fqdn - a Fully Qualified Domain Name address
dynamic - a dynamic address object populated from an SDN connector (nsx)
template - an address built from an IPv6 address template (see template, subnet-segment, host-type and host in the listing above)
Syntax:
set type {ipmask | iprange | fqdn | geography | wildcard | wildcard-fqdn | dynamic}
Default value: ipmask
or
set type {ipprefix | iprange | fqdn | dynamic | template}
Default value: ipprefix
Example:
config firewall address
    edit example.com
        set type ipmask
end
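As an added example (not Fortinet code and not part of this reference), the following Python script validates address objects of each type listed above and renders them as the CLI blocks this page documents. The validate and render helpers, the dict layout and the SAMPLES list are this example's own constructions; the rules it enforces (size[63] names, the 0-86400 cache-ttl range, a contiguous mask for ipmask but any mask for wildcard, start-ip not above end-ip) come from the listing above.

```python
"""Validate firewall address objects and render them as FortiOS CLI blocks.

Added example, not Fortinet code. Attribute names follow the
'config firewall address' / 'address6' listing on this page; validate(),
render(), the dict layout and SAMPLES are this example's own constructions.
"""
import ipaddress
import re

# RFC 1123 host label; a leading "*." label is accepted only for wildcard-fqdn.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")
_WILDCARD_FQDN_RE = re.compile(rf"^\*\.(?:{_LABEL}\.)*{_LABEL}$")

# Type-specific fields used by each (family, type), in rendering order.
_FIELDS = {
    (4, "ipmask"): ("subnet",),
    (4, "iprange"): ("start-ip", "end-ip"),
    (4, "fqdn"): ("fqdn", "cache-ttl"),
    (4, "wildcard-fqdn"): ("wildcard-fqdn",),
    (4, "geography"): ("country",),
    (4, "wildcard"): ("wildcard",),
    (6, "ipprefix"): ("ip6",),
    (6, "iprange"): ("start-ip", "end-ip"),
    (6, "fqdn"): ("fqdn", "cache-ttl"),
}


def _addr(text, version):
    """Parse an IP literal of the given version; None if it is not one."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    return ip if ip.version == version else None


def validate(obj):
    """Return a list of problems with an address object (empty = valid)."""
    problems = []
    version, typ = obj.get("family", 4), obj.get("type")
    if not 1 <= len(obj.get("name", "")) <= 63:                     # size[63]
        problems.append("name must be 1-63 characters")
    if (version, typ) not in _FIELDS:
        return problems + [f"unsupported type {typ!r} for IPv{version}"]
    if typ in ("ipmask", "ipprefix"):
        key = "subnet" if typ == "ipmask" else "ip6"
        text = obj.get(key, "").replace(" ", "/", 1)   # accept "a.b.c.d m.m.m.m"
        try:  # strict=False tolerates host bits; a non-contiguous mask raises
            if ipaddress.ip_network(text, strict=False).version != version:
                raise ValueError
        except ValueError:
            problems.append(f"{key}: not a valid IPv{version} address/mask")
    elif typ == "iprange":
        start = _addr(obj.get("start-ip", ""), version)
        end = _addr(obj.get("end-ip", ""), version)
        if start is None or end is None:
            problems.append(f"start-ip/end-ip must be IPv{version} addresses")
        elif start > end:
            problems.append("start-ip must not be greater than end-ip")
    elif typ == "fqdn":
        name = obj.get("fqdn", "")
        if len(name) > 255 or not _FQDN_RE.match(name):               # size[255]
            problems.append("fqdn: not a valid fully qualified domain name")
        ttl = obj.get("cache-ttl", 0)
        if not isinstance(ttl, int) or not 0 <= ttl <= 86400:         # range[0-86400]
            problems.append("cache-ttl must be an integer 0-86400")
    elif typ == "wildcard-fqdn":
        if not _WILDCARD_FQDN_RE.match(obj.get("wildcard-fqdn", "")):
            problems.append("wildcard-fqdn must look like *.example.com")
    elif typ == "geography":
        if not re.fullmatch(r"[A-Z]{2}", obj.get("country", "")):      # size[2]
            problems.append("country must be a two-letter country code")
    elif typ == "wildcard":  # any mask bits are legal here, unlike ipmask
        parts = obj.get("wildcard", "").split()
        if len(parts) != 2 or any(_addr(p, 4) is None for p in parts):
            problems.append("wildcard must be '<ip> <wildcard-mask>'")
    if len(obj.get("comment", "")) > 255:                            # size[255]
        problems.append("comment must be at most 255 characters")
    return problems


def render(obj):
    """Render a valid object as a CLI block; raise ValueError if it is not."""
    problems = validate(obj)
    if problems:
        raise ValueError("; ".join(problems))
    version, typ = obj.get("family", 4), obj["type"]
    lines = [f"config firewall address{'6' if version == 6 else ''}",
             f'    edit "{obj["name"]}"',
             f"        set type {typ}"]
    for key in _FIELDS[(version, typ)] + ("comment",):
        if key in obj:
            value = f'"{obj[key]}"' if key == "comment" else obj[key]
            lines.append(f"        set {key} {value}")
    return "\n".join(lines + ["    next", "end"])


SAMPLES = [  # constructed objects mirroring the examples on this page
    {"name": "example.com", "type": "ipmask", "subnet": "192.168.1.1 255.255.255.255"},
    {"name": "client-range", "type": "iprange", "start-ip": "192.168.1.43", "end-ip": "192.168.1.201"},
    {"name": "example-fqdn", "type": "fqdn", "fqdn": "example.com", "cache-ttl": 3600},
    {"name": "example-wild", "type": "wildcard-fqdn", "wildcard-fqdn": "*.example.com"},
    {"name": "us-only", "type": "geography", "country": "US", "comment": "Geo scoped"},
    {"name": "lab-hosts", "type": "wildcard", "wildcard": "192.168.0.0 255.255.0.64"},
    {"name": "v6-lan", "family": 6, "type": "ipprefix", "ip6": "2001:db8:a0b:12f0::1/64"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(render(sample), end="\n\n")
    print(validate({"name": "bad", "type": "iprange",
                    "start-ip": "192.168.1.201", "end-ip": "192.168.1.43"}))
```

The point of validating before rendering is that the CLI accepts each set command individually, so a reversed range or a wrong-family address only surfaces as a policy that matches nothing; checking the object as a whole catches that before it is pushed.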
ip6
The IPv6 address prefix (address and prefix length) of the object. This setting is only available for address6, and applies when the type option is set to ipprefix (the default). As with the IPv4 subnet default, the default ::/0 matches every IPv6 address.
Syntax:
set ip6 <ipv6-network>
Default value: ::/0
Example:
config firewall address6
    edit example.com
        set type ipprefix
        set ip6 2001:db8:a0b:12f0::1/64
end
start-ip
The first IP address (inclusive) in the range for the address. This setting is available for both address and address6.
This option is available only if the type option is set to iprange. A range is only usable once both start-ip and end-ip are set, with start-ip not above end-ip.
Syntax:
set start-ip <ipv4-address-any>
Default value: 0.0.0.0
or
set start-ip <ipv6-address>
Default value: ::
Example:
config firewall address
    edit example.com
        set type iprange
        set start-ip 192.168.1.43
        set end-ip 192.168.1.201
end
or, for IPv6:
config firewall address6
    edit example.com
        set type iprange
        set start-ip 2001:db8:a0b:12f0::1
        set end-ip 2001:db8:a0b:12f0::89
end
end-ip
The final IP address (inclusive) in the range for the address. This setting is available for both address and address6.
This option is available only if the type option is set to iprange.
Syntax:
set end-ip <ipv4-address-any>
Default value: 0.0.0.0
or
set end-ip <ipv6-address>
Default value: ::
Example:
config firewall address
    edit example.com
        set type iprange
        set start-ip 192.168.1.43
        set end-ip 192.168.1.201
end
or, for IPv6:
config firewall address6
    edit example.com
        set type iprange
        set start-ip 2001:db8:a0b:12f0::1
        set end-ip 2001:db8:a0b:12f0::89
end
fqdn
This setting defines a fully qualified domain name. The FortiGate resolves the name through its configured DNS servers and matches traffic against the resolved addresses held in its FQDN cache (see cache-ttl), so the object only ever covers addresses the FortiGate itself has resolved. This setting is available for both address and address6.
This option is available only if the type option is set to fqdn.
Syntax:
set fqdn <string>
Example:
config firewall address
    edit example.com
        set type fqdn
        set fqdn example.com
end
country
This field selects a country; the object then represents all IP addresses registered to that country. This setting is only available for address.
This option is available only if the type option is set to geography.
The value is a two-character country code. To list the available codes, type the command set country ?
Syntax:
set country <2 character string>
Example:
config firewall address
    edit example.com
        set type geography
        set country US
end
wildcard-fqdn
A fully qualified domain name in which wildcard symbols stand in for some of the characters, for example *.example.com. This setting is only available for address.
This option is available only if the type option is set to wildcard-fqdn.
Syntax:
set wildcard-fqdn <string>
Example:
config firewall address
    edit example.com
        set type wildcard-fqdn
        set wildcard-fqdn *.example.com
end
cache-ttl
This setting defines the minimal TTL (time to live), in seconds, of the individual IP addresses in the FQDN cache. A resolved address is kept for at least this long even if the DNS record's own TTL is shorter; with the default of 0 the DNS TTL is used as-is. This setting is available for both address and address6.
This option is available only if the type option is set to fqdn.
Syntax:
set cache-ttl <integer>
Default value: 0
Example:
config firewall address
    edit example.com
        set type fqdn
        set fqdn example.com
        set cache-ttl 3600
end
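To make the cache-ttl floor concrete, here is an added Python model (not FortiOS code) of an FQDN object's address cache. It assumes the rule stated in the listing, that cache-ttl is the minimal TTL of each resolved IP, so an entry lives for max(DNS TTL, cache-ttl) seconds; the FqdnCache class, the clock and the DNS answers are this example's own constructions, and the IPs are documentation addresses, not real lookups.

```python
"""Model the cache-ttl floor on FQDN address objects.

Added example, not FortiOS code. It models the rule the listing gives
(cache-ttl is the minimal TTL of each resolved IP in the FQDN cache), so
an address stays cached for max(DNS TTL, cache-ttl) seconds. The DNS
answers and the clock are constructed so the run is deterministic.
"""
import time


class FqdnCache:
    """Cache of resolved IPs for one FQDN address object."""

    def __init__(self, cache_ttl=0, clock=time.monotonic):
        if not 0 <= cache_ttl <= 86400:          # range[0-86400] in the listing
            raise ValueError("cache-ttl must be 0-86400")
        self.cache_ttl = cache_ttl
        self.clock = clock
        self._expiry = {}                        # ip -> absolute expiry time

    def learn(self, answers):
        """Record (ip, dns_ttl) pairs from a DNS response."""
        now = self.clock()
        for ip, dns_ttl in answers:
            self._expiry[ip] = now + max(dns_ttl, self.cache_ttl)

    def live_ips(self):
        """Drop expired entries and return the IPs a policy would match now."""
        now = self.clock()
        self._expiry = {ip: t for ip, t in self._expiry.items() if t > now}
        return sorted(self._expiry)

    def matches(self, ip):
        """Would traffic to or from this IP match the address object now?"""
        return ip in self.live_ips()


def demo():
    """Walk a constructed timeline; returns {label: result}."""
    now = [1000.0]

    def clock():
        return now[0]

    floor = FqdnCache(cache_ttl=3600, clock=clock)   # set cache-ttl 3600
    plain = FqdnCache(cache_ttl=0, clock=clock)      # default: honour DNS TTL
    answers = [("198.51.100.10", 60), ("203.0.113.7", 7200)]   # constructed
    floor.learn(answers)
    plain.learn(answers)
    timeline = {}
    now[0] += 61                                      # short DNS TTL has lapsed
    timeline["t+61 cache-ttl 3600"] = floor.live_ips()
    timeline["t+61 cache-ttl 0"] = plain.live_ips()
    now[0] += 3540                                    # t+3601: the floor has lapsed
    timeline["t+3601 cache-ttl 3600"] = floor.live_ips()
    now[0] += 3600                                    # t+7201: 7200 s record gone
    timeline["t+7201 cache-ttl 3600"] = floor.live_ips()
    # An IP the FortiGate never resolved is never matched, whatever a client saw.
    timeline["unseen"] = floor.matches("198.51.100.99")
    return timeline


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:24} {result}")
```

The two cases worth remembering from the run are the ones a policy author trips over: a short DNS TTL with the default cache-ttl 0 drops the address within a minute, so a long-lived session to that IP stops matching, while any cache-ttl only delays expiry and never adds addresses the FortiGate did not resolve itself.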
wildcard
This setting defines an IP address and a wildcard netmask. Bits set to 1 in the wildcard netmask must match the corresponding bits of the address; bits set to 0 are ignored. Unlike a subnet mask, the 1 bits do not have to be contiguous, which is what distinguishes this type from ipmask. This setting is only available for address.
This option is available only if the type option is set to wildcard.
Syntax:
set wildcard <ipv4-classnet-any>
Default value: 0.0.0.0 0.0.0.0
Example (matches any 192.168.x.y address whose last octet has the 64 bit clear):
config firewall address
    edit example.com
        set type wildcard
        set wildcard 192.168.0.0 255.255.0.64
end
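The following added Python example (not FortiOS code) implements the bitwise rule behind the wildcard type and evaluates the object above against a few constructed candidate addresses, so the effect of a non-contiguous mask such as 255.255.0.64 can be seen rather than guessed. The helper names and the candidate IPs are this example's own.

```python
"""Show how a 'wildcard' address object matches packets.

Added example, not FortiOS code. It implements the bitwise rule behind the
wildcard type: an IP matches when it agrees with the object's IP on every
bit that is 1 in the wildcard netmask; 0 bits are ignored. Unlike a subnet
mask, the 1 bits need not be contiguous. The candidate IPs are constructed.
"""
import ipaddress


def _bits(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(candidate, address, mask):
    """True when candidate agrees with address on all bits set in mask."""
    m = _bits(mask)
    return (_bits(candidate) & m) == (_bits(address) & m)


def is_subnet_mask(mask):
    """True if the 1 bits form a left-aligned run, i.e. a plain subnet mask."""
    inv = ~_bits(mask) & 0xFFFFFFFF          # the 0 bits, as a 32-bit value
    return (inv & (inv + 1)) == 0            # zeros are a right-aligned run


def pinned_bits(address, mask):
    """Per octet, the bit pattern a candidate must reproduce ('.' = don't care)."""
    a, m = _bits(address), _bits(mask)
    octets = []
    for shift in (24, 16, 8, 0):
        ao, mo = (a >> shift) & 0xFF, (m >> shift) & 0xFF
        octets.append("".join(str((ao >> b) & 1) if (mo >> b) & 1 else "."
                              for b in range(7, -1, -1)))
    return " ".join(octets)


def demo():
    """Evaluate the page's example object against constructed candidates."""
    address, mask = "192.168.0.0", "255.255.0.64"
    candidates = ["192.168.5.1", "192.168.200.63", "192.168.5.65", "192.169.0.0"]
    return {c: wildcard_match(c, address, mask) for c in candidates}


if __name__ == "__main__":
    print(pinned_bits("192.168.0.0", "255.255.0.64"))
    for ip, hit in demo().items():
        print(f"{ip:16} {'match' if hit else 'no match'}")
    print("255.255.0.64 is a plain subnet mask:", is_subnet_mask("255.255.0.64"))
```

A wildcard object that only pins a few scattered bits admits far more hosts than its notation suggests; pinned_bits shows exactly which bits are constrained, which is the check to run before using such an object in a permit rule.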
comment
Field used to store descriptive information about the address.
The field is limited to 255 characters (size[255] in the listing above). Enclose the string in quotation marks to enter spaces or special characters. This setting is available for both address and address6.
Syntax:
set comment <var-string>
Example:
config firewall address
    edit example.com
        set comment "Address for the Example Company website"
end
visibility
Enables or disables the ability to see the address in the GUI. This setting is available for both address and address6.
Syntax:
set visibility {enable | disable}
Default value: enable
Example:
config firewall address
    edit example.com
        set visibility disable
end
associated-interface
Use this option to associate the address with a specific interface on the FortiGate. The address is then only offered for selection in a policy whose interface is the associated one; choosing any leaves the address usable in every policy. This setting is only available for address.
Syntax:
set associated-interface <string>
Example:
config firewall address
    edit example.com
        set associated-interface wan1
end
color
This setting determines the color of the icon in the GUI. There are 32 defined colors numbered 1 to 32; 0 selects the default, which is color number 1. This setting is available for both address and address6.
Syntax:
set color <integer>
Default value: 0
Example:
config firewall address
    edit example.com
        set color 15
end
tags
Used to assign custom tags to the address object. Tags are preconfigured under a tag category in config system object-tagging (in the listing above, the tagging entry's category field refers to system.object-tagging.category and its tags refer to system.object-tagging.tags.name), and the same tags can be used anywhere the tagging setting is available. To see which tags are available for use, use the command set tags ?
Separate multiple values with a space. This setting is available for both address and address6.
Syntax:
config tagging
    edit <entry name>
        set category <category name>
        {set|append|clear} tags <name_of_tag> ...
    next
end
Example:
First define a category and its tags:
config system object-tagging
    edit example-category
        set tags example-tag1 example-tag2 "example tag 3"
    next
end
Then attach them to the address:
config firewall address
    edit example.com
        config tagging
            edit example-tags
                set category example-category
                set tags example-tag1 example-tag2
                append tags "example tag 3"
            next
        end
    next
end
allow-routing
Enable/disable use of this address in the static route configuration. When enabled, the address object can be selected as the destination of a static route instead of typing the subnet again, so the route follows any later change to the object. This setting is only available for address.
Syntax:
set allow-routing {enable | disable}
Default value: disable
Example:
config firewall address
    edit example.com
        set allow-routing enable
end