Handbook

IP / netmask addresses

6.0.0

The subnet type of address is expressed using a host address and a subnet mask. From a strictly mathematical standpoint this is the most flexible of the types because the address can refer to as little as one individual address or as many as all of the available addresses.

It is usually used when referring to your own internal addresses because you know what they are and they are usually administered in groups that are nicely differentiated along the lines of the old A, B, and C classes of IPv4 addresses. They are also addresses that are not likely to change with the changing of Internet Service Providers (ISP).

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:

  • A single host such as a single computer with the address 192.45.46.45
  • A range of hosts such as all of the hosts on the subnet 192.45.46.1 to 192.45.46.255
  • All hosts, represented by 0.0.0.0 which matches any IP address

The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:

  • Netmask for a class A subnet of 16,777,214 usable addresses: 255.0.0.0, or /8
  • Netmask for a class B subnet of 65,534 usable addresses: 255.255.0.0, or /16
  • Netmask for a class C subnet of 254 usable addresses: 255.255.255.0, or /24
  • Netmask for subnetted class C of 126 usable addresses: 255.255.255.128, or /25
  • Netmask for subnetted class C of 62 usable addresses: 255.255.255.192, or /26
  • Netmask for subnetted class C of 30 usable addresses: 255.255.255.224, or /27
  • Netmask for subnetted class C of 14 usable addresses: 255.255.255.240, or /28
  • Netmask for subnetted class C of 6 usable addresses: 255.255.255.248, or /29
  • Netmask for subnetted class C of 2 usable addresses: 255.255.255.252, or /30
  • Netmask for a single computer: 255.255.255.255, or /32

So for a single host or subnet the valid format of IP address and netmask could be either:

x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0

or

x.x.x.x/x, such as 192.168.1.0/24
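The two accepted formats can be checked and normalized before an address object is created. The following Python sketch is an added example, not Fortinet code: it converts either format to the dotted decimal form, counts usable addresses as in the list above, and flags entries an administrator would want to review (a non-contiguous mask, host bits set in a subnet entry, or a /0 that matches any address). The function names `parse_mask` and `describe` are hypothetical, and the /31 count of 2 follows RFC 3021 rather than this page.

```python
import ipaddress

def parse_mask(mask: str) -> int:
    """Return the prefix length for a CIDR number or a dotted decimal netmask."""
    if mask.isdigit():
        prefix = int(mask)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix out of range: {mask}")
        return prefix
    bits = int(ipaddress.IPv4Address(mask))
    inverted = bits ^ 0xFFFFFFFF
    # A valid netmask is all ones followed by all zeros, so the inverted
    # value plus one must be a power of two (no bits in common).
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return 32 - inverted.bit_length()

def describe(spec: str) -> dict:
    """Normalize 'x.x.x.x', 'x.x.x.x/x' or 'x.x.x.x/x.x.x.x' (bare host = /32)."""
    addr, _, mask = spec.partition("/")
    prefix = parse_mask(mask or "32")
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network((ip, prefix), strict=False)
    if prefix == 32:
        usable = 1                      # single computer
    elif prefix == 31:
        usable = 2                      # point-to-point link (RFC 3021)
    else:
        usable = net.num_addresses - 2  # minus network and broadcast
    return {
        "dotted": f"{net.network_address}/{net.netmask}",
        "cidr": str(net),
        "usable": usable,
        "host_bits_set": ip != net.network_address,  # e.g. 192.168.1.5/24
        "matches_any": prefix == 0,                  # 0.0.0.0/0 matches any IP
    }

if __name__ == "__main__":
    # Constructed sample entries, including two that should be reviewed.
    for entry in ("192.168.1.0/24", "192.168.1.0/255.255.255.128",
                  "192.45.46.45", "192.168.1.5/24", "0.0.0.0/0"):
        print(entry, "->", describe(entry))
```
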

Static route configuration

A setting that is found in the IP/Netmask address type that is not found in the other address types is the enabling or disabling of Static Route Configuration. Enabling this feature includes the address in the listing of named addresses when setting up a static route.

To use in the GUI:

  1. Enable the Static Route Configuration in the address.
  2. Go to Network > Static Routes and create a new route.
  3. For a Destination type, choose Named Address.
  4. Using the drop down menu, enter the name of the address object in the field just underneath the Destination type options.
  5. Fill out the other information relevant to the route.
  6. Select the OK button.

To enable in the CLI:

config firewall address
    edit <address_name>
        set allow-routing enable
end

Creating a subnet address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address.
  3. In the Category field, choose Address. (This is for IPv4 addresses.)
  4. Input a Name for the address object.
  5. In the Type field, select IP/Netmask from the drop down menu.
  6. In the Subnet/IP Range field, enter the address and subnet mask according to the format x.x.x.x/x.x.x.x or the shorthand format of x.x.x.x/x.
  7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
  9. Select the desired on/off toggle setting for Static Route Configuration.
  10. Input any additional information in the Comments field.
  11. Press OK.

Example

Example of a Subnet address for a database server on the DMZ:

Field                        Value
Category                     Address
Name                         DB_server_1
Type                         IP/Netmask
Subnet/IP Range              United States
Interface                    any
Show in Address List         [on]
Static Route Configuration   [off]
Comments
