CLI Reference

firewall {ippool | ippool6}

Use the firewall ippool command to configure IPv4 IP address pools.

Use the firewall ippool6 command to configure IPv6 IP address pools.

Use IP pools in NAT policies to translate source addresses to addresses randomly selected from the pool, instead of to the IP address assigned to the FortiOS™ unit's interface. In Transparent mode, IP pools can be configured only from the FortiGate CLI.

An IP pool defines a single IP address or a range of IP addresses. A single IP address in an IP pool becomes a range of one IP address. For example, if you enter an IP pool as 1.1.1.1 the IP pool is actually the address range 1.1.1.1 to 1.1.1.1.

If a FortiGate interface IP address overlaps with one or more IP pool address ranges, the interface responds to ARP requests for all of the IP addresses in the overlapping IP pools.

For example, consider a FortiGate unit with the following IP addresses for the port1 and port2 interfaces:

  • port1 IP address: 1.1.1.1/255.255.255.0 (range is 1.1.1.0-1.1.1.255)
  • port2 IP address: 2.2.2.2/255.255.255.0 (range is 2.2.2.0-2.2.2.255)

And the following IP pools:

  • IP_pool_1: 1.1.1.10-1.1.1.20
  • IP_pool_2: 2.2.2.10-2.2.2.20
  • IP_pool_3: 2.2.2.30-2.2.2.40

The overlap between the port1 subnet and IP_pool_1 is:

  • (1.1.1.0-1.1.1.255) & (1.1.1.10-1.1.1.20) = 1.1.1.10-1.1.1.20

The overlap between the port2 subnet and IP_pool_2 is:

  • (2.2.2.0-2.2.2.255) & (2.2.2.10-2.2.2.20) = 2.2.2.10-2.2.2.20

The overlap between the port2 subnet and IP_pool_3 is:

  • (2.2.2.0-2.2.2.255) & (2.2.2.30-2.2.2.40) = 2.2.2.30-2.2.2.40

And the result is:

  • The port1 interface answers ARP requests for 1.1.1.10-1.1.1.20
  • The port2 interface answers ARP requests for 2.2.2.10-2.2.2.20 and for 2.2.2.30-2.2.2.40
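The overlap computation above is easy to get wrong by hand once there are more than a few interfaces and pools, and the practical risk is that an interface will proxy-ARP for every pool address inside its subnet, including addresses that belong to other hosts or to the interface itself. The following script is an added example written for this page, not Fortinet code or output from FortiOS: it generalizes the page's worked example to any set of interfaces and pools, reports which interface answers ARP for which pool range, lists pools that fall in no interface subnet (the page does not describe what happens to those, so they are only flagged), and flags pools whose range contains an interface's own address. The interface and pool data are the page's, except IP_pool_4, which is constructed here to exercise the "no overlap" case.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the interfaces and pools from the worked example on
# this page, plus IP_pool_4 (an assumption added here) that overlaps no subnet.
INTERFACES = {
    "port1": "1.1.1.1/255.255.255.0",
    "port2": "2.2.2.2/255.255.255.0",
}
POOLS = {
    "IP_pool_1": ("1.1.1.10", "1.1.1.20"),
    "IP_pool_2": ("2.2.2.10", "2.2.2.20"),
    "IP_pool_3": ("2.2.2.30", "2.2.2.40"),
    "IP_pool_4": ("10.0.0.5", "10.0.0.5"),
}

Range = Tuple[int, int]


def pool_range(startip: str, endip: str) -> Range:
    """Inclusive integer range of a pool; a single address is a range of one."""
    lo, hi = int(ipaddress.IPv4Address(startip)), int(ipaddress.IPv4Address(endip))
    if hi < lo:
        raise ValueError(f"endip {endip} precedes startip {startip}")
    return lo, hi


def overlap(iface_cidr: str, pool: Range) -> Optional[Tuple[str, str]]:
    """Intersection of an interface's subnet with a pool range, or None."""
    net = ipaddress.IPv4Interface(iface_cidr).network
    lo = max(pool[0], int(net.network_address))
    hi = min(pool[1], int(net.broadcast_address))
    if lo > hi:
        return None
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def arp_map(interfaces: Dict[str, str],
            pools: Dict[str, Tuple[str, str]]) -> Dict[str, List[Tuple[str, str, str]]]:
    """interface -> [(pool name, first, last)] for each pool range it answers ARP for."""
    result: Dict[str, List[Tuple[str, str, str]]] = {name: [] for name in interfaces}
    for pname, (s, e) in pools.items():
        rng = pool_range(s, e)
        for iname, cidr in interfaces.items():
            hit = overlap(cidr, rng)
            if hit:
                result[iname].append((pname, hit[0], hit[1]))
    return result


def unclaimed_pools(interfaces: Dict[str, str],
                    pools: Dict[str, Tuple[str, str]]) -> List[str]:
    """Pools that fall in no interface subnet; the page's ARP rule gives them no answering interface."""
    claimed = {p for hits in arp_map(interfaces, pools).values() for p, _, _ in hits}
    return sorted(p for p in pools if p not in claimed)


def self_conflicts(interfaces: Dict[str, str],
                   pools: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(interface, pool) pairs where the pool range contains the interface's own address."""
    out: List[Tuple[str, str]] = []
    for iname, cidr in interfaces.items():
        addr = int(ipaddress.IPv4Interface(cidr).ip)
        for pname, (s, e) in pools.items():
            lo, hi = pool_range(s, e)
            if lo <= addr <= hi:
                out.append((iname, pname))
    return out


if __name__ == "__main__":
    for iface, hits in arp_map(INTERFACES, POOLS).items():
        for pname, first, last in hits:
            print(f"{iface} answers ARP for {first}-{last} ({pname})")
    print("pools in no interface subnet:", unclaimed_pools(INTERFACES, POOLS))
    print("pools containing an interface address:", self_conflicts(INTERFACES, POOLS))
```

Run against the page's data it reproduces the two result bullets above. A pool that straddles a subnet boundary is clipped to the part inside the subnet, which is what the page's intersection arithmetic does; the self_conflicts check is the editor's addition and is worth running before any pool range is widened.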

In a firewall policy, enable NAT, select Dynamic IP Pool, and then select the IP pool to use.

With dynamic PAT, the FortiGate unit first tries to keep the original source port. If another device is already using that port, the unit selects a source port at random from the pool.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command: set pba-timeout <seconds>

Description: Configure the port block allocation (PBA) timeout in seconds. The valid range is 3 to 300 (three seconds to five minutes); the default is 30.

Note that pba-timeout is only available when type is set to port-block-allocation.

config firewall ippool
    edit {name}
    # Configure IPv4 IP pools.
        set name {string}   IP pool name. size[35]
        set type {overload | one-to-one | fixed-port-range | port-block-allocation}   IP pool type (overload, one-to-one, fixed port range, or port block allocation).
                overload               IP addresses in the IP pool can be shared by clients.
                one-to-one             One to one mapping.
                fixed-port-range       Fixed port range.
                port-block-allocation  Port block allocation.
        set startip {ipv4 address any}   First IPv4 address (inclusive) in the range for the address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0).
        set endip {ipv4 address any}   Final IPv4 address (inclusive) in the range for the address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0).
        set source-startip {ipv4 address any}    First IPv4 address (inclusive) in the range of the source addresses to be translated (format xxx.xxx.xxx.xxx, Default: 0.0.0.0).
        set source-endip {ipv4 address any}   Final IPv4 address (inclusive) in the range of the source addresses to be translated (format xxx.xxx.xxx.xxx, Default: 0.0.0.0).
        set block-size {integer}    Number of addresses in a block (64 to 4096, default = 128). range[64-4096]
        set num-blocks-per-user {integer}   Number of address blocks that can be used by a user (1 to 128, default = 8). range[1-128]
        set pba-timeout {integer}   Port block allocation timeout (seconds). range[3-300]
        set permit-any-host {disable | enable}   Enable/disable full cone NAT.
        set arp-reply {disable | enable}   Enable/disable replying to ARP requests when an IP Pool is added to a policy (default = enable).
        set arp-intf {string}   Select an interface from available options that will reply to ARP requests. (If blank, any is selected). size[15] - datasource(s): system.interface.name
        set associated-interface {string}   Associated interface name. size[15] - datasource(s): system.interface.name
        set comments {string}   Comment. size[255]
    next
end
config firewall ippool6
    edit {name}
    # Configure IPv6 IP pools.
        set name {string}   IPv6 IP pool name. size[35]
        set startip {ipv6 address}   First IPv6 address (inclusive) in the range for the address pool (format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, Default: ::).
        set endip {ipv6 address}   Final IPv6 address (inclusive) in the range for the address pool (format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, Default: ::).
        set comments {string}   Comment. size[255]
    next
end
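The CLI tree above lists each option's type and bounds, and the History note adds a dependency the tree does not show (pba-timeout is only valid for port-block-allocation pools). The following script is an added example written for this page, not Fortinet code: it validates a pool definition against exactly those constraints before rendering it as a config firewall ippool stanza in the form shown above, so a bad pool is caught before it is pushed to a unit. The two sample pools, the field names used as dict keys, and the choice to require startip and endip (the tree only gives their default of 0.0.0.0) are this example's own assumptions.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Union

Value = Union[str, int]

# Allowed values and bounds, taken from the CLI tree on this page.
TYPES = {"overload", "one-to-one", "fixed-port-range", "port-block-allocation"}
INT_RANGES = {"block-size": (64, 4096), "num-blocks-per-user": (1, 128), "pba-timeout": (3, 300)}
STR_LIMITS = {"name": 35, "arp-intf": 15, "associated-interface": 15, "comments": 255}
TOGGLES = ("permit-any-host", "arp-reply")
QUOTED = ("arp-intf", "associated-interface", "comments")
RENDER_ORDER = ["type", "startip", "endip", "source-startip", "source-endip",
                "block-size", "num-blocks-per-user", "pba-timeout",
                "permit-any-host", "arp-reply", "arp-intf", "associated-interface", "comments"]

# Constructed sample pools (assumptions for this example, not from the page).
PBA_POOL: Dict[str, Value] = {
    "name": "cgnat_pba", "type": "port-block-allocation",
    "startip": "203.0.113.10", "endip": "203.0.113.20",
    "block-size": 256, "num-blocks-per-user": 4, "pba-timeout": 60,
    "arp-intf": "port1", "comments": "PBA pool for subscriber NAT",
}
BAD_POOL: Dict[str, Value] = {
    "name": "overload_with_pba", "type": "overload",
    "startip": "203.0.113.30", "endip": "203.0.113.29",  # reversed range
    "pba-timeout": 60,                                   # not valid for overload
}


def validate_ippool(spec: Dict[str, Value]) -> List[str]:
    """Return a list of constraint violations; empty means the pool is acceptable."""
    errs: List[str] = []
    if not spec.get("name"):
        errs.append("name is required")
    ptype = spec.get("type")
    if ptype not in TYPES:
        errs.append(f"type {ptype!r} must be one of {sorted(TYPES)}")
    for key, limit in STR_LIMITS.items():
        if key in spec and len(str(spec[key])) > limit:
            errs.append(f"{key} exceeds {limit} characters")
    for key, (lo, hi) in INT_RANGES.items():
        if key in spec:
            v = spec[key]
            if not isinstance(v, int) or not lo <= v <= hi:
                errs.append(f"{key} must be an integer in {lo}-{hi}")
    if "pba-timeout" in spec and ptype != "port-block-allocation":
        errs.append("pba-timeout is only available when type is port-block-allocation")
    for key in TOGGLES:
        if key in spec and spec[key] not in ("enable", "disable"):
            errs.append(f"{key} must be enable or disable")
    for first, last in (("startip", "endip"), ("source-startip", "source-endip")):
        if first == "startip" and (first not in spec or last not in spec):
            errs.append("startip and endip are required")  # this check's own policy
            continue
        if first in spec or last in spec:
            try:
                a = IPv4Address(str(spec.get(first, "0.0.0.0")))
                b = IPv4Address(str(spec.get(last, "0.0.0.0")))
            except ValueError as exc:
                errs.append(str(exc))
                continue
            if b < a:
                errs.append(f"{last} {b} precedes {first} {a}")
    return errs


def render_ippool(spec: Dict[str, Value]) -> str:
    """Render a validated pool as a config firewall ippool stanza."""
    errs = validate_ippool(spec)
    if errs:
        raise ValueError("; ".join(errs))
    lines = ["config firewall ippool", f'    edit "{spec["name"]}"']
    for key in RENDER_ORDER:
        if key in spec:
            val = f'"{spec[key]}"' if key in QUOTED else str(spec[key])
            lines.append(f"        set {key} {val}")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ippool(PBA_POOL))
    print("BAD_POOL errors:", validate_ippool(BAD_POOL))
```

The arp-intf value in the sample pins ARP replies to one interface; leaving it blank lets any interface answer, which is the default shown in the tree and the behaviour the overlap example earlier on this page describes.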

Additional information

The following section is for those options that require additional explanation.