Fortinet Document Library

CLI Reference, version 6.0.6

router {prefix-list | prefix-list6}

Use this command to configure prefix lists, which are enhanced versions of an access list that allow you to control the length of the prefix netmask. Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and maximum and minimum prefix length settings. Use prefix-list for IPv4 and prefix-list6 for IPv6.

The FortiGate attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny. A prefix-list should be used to match the default route 0.0.0.0/0.

config router prefix-list
    edit {name}
    # Configure IPv4 prefix lists.
        set name {string}   Name. size[35]
        set comments {string}   Comment. size[127]
        config rule
            edit {id}
            # IPv4 prefix list rule.
                set id {integer}   Rule ID. range[0-4294967295]
                set action {permit | deny}   Permit or deny this IP address and netmask prefix.
                        permit  Allow or permit packets that match this rule.
                        deny    Deny packets that match this rule.
                set prefix {string}   IPv4 prefix to define regular filter criteria, such as "any" or subnets.
                set ge {integer}   Minimum prefix length to be matched (0 - 32). range[0-32]
                set le {integer}   Maximum prefix length to be matched (0 - 32). range[0-32]
                set flags {integer}   Flags. range[0-4294967295]
            next
    next
end
config router prefix-list6
    edit {name}
    # Configure IPv6 prefix lists.
        set name {string}   Name. size[35]
        set comments {string}   Comment. size[127]
        config rule
            edit {id}
            # IPv6 prefix list rule.
                set id {integer}   Rule ID. range[0-4294967295]
                set action {permit | deny}   Permit or deny packets that match this rule.
                        permit  Allow or permit packets that match this rule.
                        deny    Deny packets that match this rule.
                set prefix6 {string}   IPv6 prefix to define regular filter criteria, such as "any" or subnets.
                set ge {integer}   Minimum prefix length to be matched (0 - 128). range[0-128]
                set le {integer}   Maximum prefix length to be matched (0 - 128). range[0-128]
                set flags {integer}   Flags. range[0-4294967295]
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

ge {integer}

Match prefix lengths that are greater than or equal to this number (0 - 32 for prefix-list, 0 - 128 for prefix-list6, default = 0).

The setting for ge should be less than the setting for le and greater than the netmask set for prefix.

le {integer}

Match prefix lengths that are less than or equal to this number (0 - 32 for prefix-list, 0 - 128 for prefix-list6, default = 0).

The setting for le should be greater than the setting for ge.

prefix {IPv4 address/netmask | any}

Enter the prefix (IPv4 address and netmask) for this prefix list rule or enter any to match any prefix. The length of the netmask should be less than the setting for ge.

If prefix is set to any, ge and le should not be set.

prefix6 {IPv6 address/netmask | any}

Enter the prefix (IPv6 address and netmask) for this prefix list rule or enter any to match any prefix. The length of the netmask should be less than the setting for ge.

If prefix6 is set to any, ge and le should not be set.

 
