router {prefix-list | prefix-list6}
Use this command to configure prefix lists, which are enhanced versions of access lists that allow you to control the length of the prefix netmask. Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and maximum and minimum prefix length settings. Use prefix-list for IPv4 and prefix-list6 for IPv6.
The FortiGate attempts to match a packet against the rules in a prefix list, starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny. A prefix-list should be used to match the default route 0.0.0.0/0.
config router prefix-list
    edit {name}
    # Configure IPv4 prefix lists.
        set name {string}   Name. size[35]
        set comments {string}   Comment. size[127]
        config rule
            edit {id}
            # IPv4 prefix list rule.
                set id {integer}   Rule ID. range[0-4294967295]
                set action {permit | deny}   Permit or deny this IP address and netmask prefix.
                        permit  Allow or permit packets that match this rule.
                        deny    Deny packets that match this rule.
                set prefix {string}   IPv4 prefix to define regular filter criteria, such as "any" or subnets.
                set ge {integer}   Minimum prefix length to be matched (0 - 32). range[0-32]
                set le {integer}   Maximum prefix length to be matched (0 - 32). range[0-32]
                set flags {integer}   Flags. range[0-4294967295]
            next
    next
end
config router prefix-list6
    edit {name}
    # Configure IPv6 prefix lists.
        set name {string}   Name. size[35]
        set comments {string}   Comment. size[127]
        config rule
            edit {id}
            # IPv6 prefix list rule.
                set id {integer}   Rule ID. range[0-4294967295]
                set action {permit | deny}   Permit or deny packets that match this rule.
                        permit  Allow or permit packets that match this rule.
                        deny    Deny packets that match this rule.
                set prefix6 {string}   IPv6 prefix to define regular filter criteria, such as "any" or subnets.
                set ge {integer}   Minimum prefix length to be matched (0 - 128). range[0-128]
                set le {integer}   Maximum prefix length to be matched (0 - 128). range[0-128]
                set flags {integer}   Flags. range[0-4294967295]
            next
    next
end
Additional information
The following section is for those options that require additional explanation.
ge {integer}
Match prefix lengths that are greater than or equal to this number (0 - 32, default = 0).
The setting for ge should be less than the setting for le and greater than the netmask set for prefix.
le {length_integer}
Match prefix lengths that are less than or equal to this number (0 - 32, default = 0).
The setting for le should be greater than the setting for ge.
prefix {IPv4 address/netmask | any}
Enter the prefix (IPv4 address and netmask) for this prefix list rule or enter any to match any prefix. The length of the netmask should be less than the setting for ge.
If prefix is set to any, ge and le should not be set.
prefix6 {IPv6 address/netmask | any}
Enter the prefix (IPv6 address and netmask) for this prefix list rule or enter any to match any prefix. The length of the netmask should be less than the setting for ge.
If prefix6 is set to any, ge and le should not be set.
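Added example (not part of the FortiOS documentation and not Fortinet code): a Python model of the top-down, first-match evaluation with implicit deny described above, together with a check of the ge/le constraints listed in this section. The Rule class, the function names and the sample list are hypothetical, and the handling of unset ge/le (exact-length match when both are unset, otherwise the missing bound falls back to the prefix length or the address-family maximum) is an assumption based on conventional prefix-list behaviour that this page does not specify.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    prefix: str                 # "any" or a prefix such as "10.0.0.0/8"
    ge: Optional[int] = None    # None models an unset ge
    le: Optional[int] = None    # None models an unset le

def lint(rule):
    """Return the documented constraints that a rule violates."""
    problems = []
    if rule.prefix == "any":
        if rule.ge is not None or rule.le is not None:
            problems.append("ge/le should not be set when prefix is any")
        return problems
    plen = ipaddress.ip_network(rule.prefix).prefixlen
    if rule.ge is not None and rule.ge <= plen:
        problems.append("ge should be greater than the prefix netmask length")
    if rule.ge is not None and rule.le is not None and rule.ge >= rule.le:
        problems.append("ge should be less than le")
    return problems

def rule_matches(rule, candidate):
    if rule.prefix == "any":
        return True
    base = ipaddress.ip_network(rule.prefix)
    if candidate.version != base.version or not candidate.subnet_of(base):
        return False
    if rule.ge is None and rule.le is None:
        return candidate.prefixlen == base.prefixlen    # assumed: exact match
    # Assumed fallbacks for a single unset bound.
    lo = rule.ge if rule.ge is not None else base.prefixlen
    hi = rule.le if rule.le is not None else base.max_prefixlen
    return lo <= candidate.prefixlen <= hi

def evaluate(rules, candidate):
    """First matching rule from the top wins; no match means deny."""
    net = ipaddress.ip_network(candidate)
    for rule in rules:
        if rule_matches(rule, net):
            return rule.action
    return "deny"

# Constructed sample: the default route, then /16 to /24 subnets of 10.0.0.0/8.
SAMPLE = [Rule("permit", "0.0.0.0/0"),
          Rule("permit", "10.0.0.0/8", ge=16, le=24)]
```

With the sample list, evaluate(SAMPLE, "10.1.2.128/25") returns deny through the implicit default, because /25 falls outside the ge/le window and no later rule matches.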