firewall {ippool | ippool6}
Use the firewall ippool command to configure IPv4 IP address pools. Use the firewall ippool6 command to configure IPv6 IP address pools.
Use IP pools to build NAT policies that translate source addresses to addresses randomly selected from the IP pool, rather than to the IP address assigned to the FortiOS unit's outgoing interface. In Transparent mode, IP pools can only be configured from the FortiGate CLI.
An IP pool defines a single IP address or a range of IP addresses. A single IP address in an IP pool becomes a range of one IP address. For example, if you enter an IP pool as 1.1.1.1, the IP pool is actually the address range 1.1.1.1 to 1.1.1.1.
If the subnet of a FortiGate interface overlaps with one or more IP pool address ranges, the interface responds to ARP requests for all of the pool addresses that fall inside its subnet. This is what lets return traffic for the translated addresses reach the FortiGate unit without extra routes on the neighbouring devices.
For example, consider a FortiGate unit with the following IP addresses for the port1 and port2 interfaces:
- port1 IP address: 1.1.1.1/255.255.255.0 (range is 1.1.1.0-1.1.1.255)
- port2 IP address: 2.2.2.2/255.255.255.0 (range is 2.2.2.0-2.2.2.255)
And the following IP pools:
- IP_pool_1: 1.1.1.10-1.1.1.20
- IP_pool_2: 2.2.2.10-2.2.2.20
- IP_pool_3: 2.2.2.30-2.2.2.40
The port1 interface overlap IP range with IP_pool_1 is:
- (1.1.1.0-1.1.1.255) & (1.1.1.10-1.1.1.20) = 1.1.1.10-1.1.1.20
The port2 interface overlap IP range with IP_pool_2 is:
- (2.2.2.0-2.2.2.255) & (2.2.2.10-2.2.2.20) = 2.2.2.10-2.2.2.20
The port2 interface overlap IP range with IP_pool_3 is:
- (2.2.2.0-2.2.2.255) & (2.2.2.30-2.2.2.40) = 2.2.2.30-2.2.2.40
And the result is:
- The port1 interface answers ARP requests for 1.1.1.10-1.1.1.20
- The port2 interface answers ARP requests for 2.2.2.10-2.2.2.20 and for 2.2.2.30-2.2.2.40
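The overlap calculation above is mechanical enough to script against a configuration dump. The following Python is an added example, not FortiOS code and not part of this reference: it parses constructed text in the shape of `show system interface` and `show firewall ippool` output, intersects each interface subnet with each pool range, and reports the pool addresses every interface will answer ARP for. It goes slightly beyond the page's worked example by honouring the arp-reply and arp-intf pool options (a pool with arp-reply disabled is skipped, and a pool pinned to an arp-intf only counts for that interface). The sample configuration, the extra IP_pool_4 entry and the function names are constructed for the example; nested CLI sub-tables are not handled.

```python
import ipaddress

# Constructed sample in the shape of `show system interface` / `show firewall ippool`
# output; not captured from a real unit. IP_pool_4 is added to show arp-reply disable.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set ip 1.1.1.1 255.255.255.0
    next
    edit "port2"
        set ip 2.2.2.2 255.255.255.0
    next
end
config firewall ippool
    edit "IP_pool_1"
        set startip 1.1.1.10
        set endip 1.1.1.20
    next
    edit "IP_pool_2"
        set startip 2.2.2.10
        set endip 2.2.2.20
    next
    edit "IP_pool_3"
        set startip 2.2.2.30
        set endip 2.2.2.40
    next
    edit "IP_pool_4"
        set startip 2.2.2.50
        set endip 2.2.2.60
        set arp-reply disable
    next
end
"""


def parse_cli(text):
    """Minimal parser for the flat config/edit/set/next/end tree.
    Returns {table: {entry: {option: [values]}}}; nested sub-tables are not handled."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        kw = parts[0]
        if kw == "config":
            table = " ".join(parts[1:])
            tables.setdefault(table, {})
        elif kw == "edit":
            entry = parts[1].strip('"')
            tables[table][entry] = {}
        elif kw == "set":
            tables[table][entry][parts[1]] = parts[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
    return tables


def interface_ranges(cfg):
    """Interface name -> (first, last) integer address of its subnet."""
    out = {}
    for name, opts in cfg.get("system interface", {}).items():
        if "ip" not in opts:
            continue
        addr, mask = opts["ip"]
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        out[name] = (int(net.network_address), int(net.broadcast_address))
    return out


def pool_ranges(cfg):
    """Pool name -> range plus the ARP-related options (defaults as documented)."""
    out = {}
    for name, opts in cfg.get("firewall ippool", {}).items():
        start = int(ipaddress.IPv4Address(opts["startip"][0]))
        # A pool entered with only a start address is the range startip-startip.
        end = int(ipaddress.IPv4Address(opts.get("endip", opts["startip"])[0]))
        out[name] = {
            "range": (min(start, end), max(start, end)),
            "arp_reply": opts.get("arp-reply", ["enable"])[0] == "enable",
            "arp_intf": opts.get("arp-intf", [""])[0].strip('"'),
        }
    return out


def arp_answer_ranges(cfg):
    """Interface -> [(pool, first, last)] for every pool sub-range the interface
    answers ARP for: the intersection of its subnet with the pool range."""
    result = {}
    pools = pool_ranges(cfg)
    for ifname, (lo, hi) in interface_ranges(cfg).items():
        hits = []
        for pname, p in pools.items():
            if not p["arp_reply"] or (p["arp_intf"] and p["arp_intf"] != ifname):
                continue
            plo, phi = p["range"]
            olo, ohi = max(lo, plo), min(hi, phi)
            if olo <= ohi:  # non-empty intersection
                hits.append((pname, str(ipaddress.IPv4Address(olo)),
                             str(ipaddress.IPv4Address(ohi))))
        result[ifname] = hits
    return result


if __name__ == "__main__":
    for ifname, hits in arp_answer_ranges(parse_cli(SAMPLE_CONFIG)).items():
        for pname, first, last in hits:
            print(f"{ifname} answers ARP for {first}-{last} ({pname})")
```

Run against a real dump, the script will flag a pool whose range lies in no interface subnet (no interface answers ARP for it), which is the usual reason return traffic for a pool address silently disappears.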
To use an IP pool, select NAT in a firewall policy, then select Dynamic IP Pool and choose the IP pool.
With dynamic PAT, the FortiGate unit first tries to keep the source port unchanged. If that port is already in use on the selected pool address, the FortiGate unit selects the source port randomly.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

| Command | Description |
|---|---|
| set pba-timeout <seconds> | Configure the port block allocation (PBA) timeout in seconds. The range is 3-300 (three seconds to five minutes). The default is set to Note that |
```
config firewall ippool
    edit {name}
        # Configure IPv4 IP pools.
        set name {string}   IP pool name. size[35]
        set type {overload | one-to-one | fixed-port-range | port-block-allocation}   IP pool type (overload, one-to-one, fixed port range, or port block allocation).
                overload                 IP addresses in the IP pool can be shared by clients.
                one-to-one               One to one mapping.
                fixed-port-range         Fixed port range.
                port-block-allocation    Port block allocation.
        set startip {ipv4 address any}   First IPv4 address (inclusive) in the range for the address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0).
        set endip {ipv4 address any}   Final IPv4 address (inclusive) in the range for the address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0).
        set source-startip {ipv4 address any}   First IPv4 address (inclusive) in the range of the source addresses to be translated (format xxx.xxx.xxx.xxx, Default: 0.0.0.0).
        set source-endip {ipv4 address any}   Final IPv4 address (inclusive) in the range of the source addresses to be translated (format xxx.xxx.xxx.xxx, Default: 0.0.0.0).
        set block-size {integer}   Number of ports in a block (64 to 4096, default = 128). range[64-4096]
        set num-blocks-per-user {integer}   Number of port blocks that can be used by a user (1 to 128, default = 8). range[1-128]
        set pba-timeout {integer}   Port block allocation timeout (seconds). range[3-300]
        set permit-any-host {disable | enable}   Enable/disable full cone NAT.
        set arp-reply {disable | enable}   Enable/disable replying to ARP requests when an IP Pool is added to a policy (default = enable).
        set arp-intf {string}   Select an interface from available options that will reply to ARP requests. (If blank, any is selected). size[15] - datasource(s): system.interface.name
        set associated-interface {string}   Associated interface name. size[15] - datasource(s): system.interface.name
        set comments {string}   Comment. size[255]
    next
end
```
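The port-block-allocation options (block-size, num-blocks-per-user and pba-timeout) are easier to size with a small model. The following Python is an added example, not FortiOS code and not part of this reference. The class name PortBlockPool is made up, and three details are assumptions for illustration rather than documented behaviour: the ports carved into blocks on each pool address are 1024-65535, free blocks are handed out lowest-first, and a block goes back to the pool once it has been idle for longer than pba-timeout. It enforces the documented ranges for the three options and shows how many users a pool can serve at the defaults (128 ports per block, 8 blocks per user), what happens when a user reaches its block limit, and how idle blocks are reclaimed.

```python
import ipaddress
import time


class PortBlockPool:
    """Model of a port-block-allocation IP pool built from the documented knobs.
    Assumed (not from the reference): per-address ports 1024-65535, lowest
    free block first, and idle blocks released after pba-timeout seconds."""

    def __init__(self, startip, endip, block_size=128, num_blocks_per_user=8,
                 pba_timeout=30, port_range=(1024, 65535), clock=time.monotonic):
        # Reject values outside the documented ranges before building anything.
        if not 64 <= block_size <= 4096:
            raise ValueError("block-size must be 64-4096")
        if not 1 <= num_blocks_per_user <= 128:
            raise ValueError("num-blocks-per-user must be 1-128")
        if not 3 <= pba_timeout <= 300:
            raise ValueError("pba-timeout must be 3-300")
        first = int(ipaddress.IPv4Address(startip))
        last = int(ipaddress.IPv4Address(endip))
        self.addrs = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
        self.block_size = block_size
        self.per_user = num_blocks_per_user
        self.timeout = pba_timeout
        self.clock = clock  # injectable so the timeout logic can be tested
        lo, hi = port_range
        self.blocks_per_addr = (hi - lo + 1) // block_size
        # Free blocks as (address, first port); kept sorted so allocation is deterministic.
        self.free = [(a, lo + i * block_size)
                     for a in self.addrs for i in range(self.blocks_per_addr)]
        # user -> list of [address, first port, last-used timestamp]
        self.owned = {}

    def capacity(self):
        """Users that can each hold their full num-blocks-per-user at once."""
        return len(self.addrs) * self.blocks_per_addr // self.per_user

    def allocate(self, user):
        """Hand one more block to `user` as (address, first port, last port),
        or None when the user's block limit or the pool is exhausted."""
        self.expire()
        blocks = self.owned.setdefault(user, [])
        if len(blocks) >= self.per_user or not self.free:
            return None
        addr, first = self.free.pop(0)
        blocks.append([addr, first, self.clock()])
        return addr, first, first + self.block_size - 1

    def touch(self, user, addr, first):
        """Record traffic on a block so its pba-timeout clock restarts."""
        for b in self.owned.get(user, []):
            if b[0] == addr and b[1] == first:
                b[2] = self.clock()

    def expire(self):
        """Return blocks idle for longer than pba-timeout to the free list."""
        now = self.clock()
        for blocks in self.owned.values():
            expired = [b for b in blocks if now - b[2] > self.timeout]
            self.free.extend((b[0], b[1]) for b in expired)
            blocks[:] = [b for b in blocks if now - b[2] <= self.timeout]
        self.free.sort(key=lambda b: (int(ipaddress.IPv4Address(b[0])), b[1]))


if __name__ == "__main__":
    pool = PortBlockPool("1.1.1.10", "1.1.1.11")  # two pool addresses at the defaults
    print(pool.blocks_per_addr, "blocks per address,",
          pool.capacity(), "users at full allocation")
    print("first block for 10.0.0.5:", pool.allocate("10.0.0.5"))
```

At the defaults each pool address yields 504 blocks, so a two-address pool supports 126 users holding all 8 of their blocks (1024 ports each); raising num-blocks-per-user or block-size increases per-user port budget at the expense of concurrent users, and a short pba-timeout reclaims blocks from idle users sooner.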
```
config firewall ippool6
    edit {name}
        # Configure IPv6 IP pools.
        set name {string}   IPv6 IP pool name. size[35]
        set startip {ipv6 address}   First IPv6 address (inclusive) in the range for the address pool (format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, Default: ::).
        set endip {ipv6 address}   Final IPv6 address (inclusive) in the range for the address pool (format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, Default: ::).
        set comments {string}   Comment. size[255]
    next
end
```
Additional information
The following section is for those options that require additional explanation.