Combined IPv4 and IPv6 policy

In consolidated policy mode, IPv4 and IPv6 policies are combined into a single policy instead of defining separate policies.

There is a single policy table for the GUI. IPv4 and IPv6 share the same source interface, destination interface, service, user, and schedule, while IP addresses and IP pool settings are defined separately for each.

To enable consolidated policy mode using the CLI:

Caution: Enabling consolidated policy mode will delete all existing IPv4 and IPv6 policies.

    config system settings
        set consolidated-firewall-mode enable
    Enabling consolidated-firewall-mode will delete all firewall policy/policy6. Do you want to continue? (y/n) y
    end

To configure a consolidated policy using the CLI:

    config firewall consolidated policy
        edit 1
            set uuid 754a86b6-2507-51e9-ef0d-13a6e4bf2e9d
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "10-1-100-0" <-------- IPv4 srcaddr
            set dstaddr4 "172-16-200-0" <-------- IPv4 dstaddr
            set srcaddr6 "2000-10-1-100-0" <-------- IPv6 srcaddr
            set dstaddr6 "2000-172-16-200-0" <-------- IPv6 dstaddr
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set ippool enable
            set poolname4 "test-ippool4-1" <-------- IPv4 poolname
            set poolname6 "test-ippool6-1" <-------- IPv6 poolname
            set nat enable
        next
    end

Limitations

The following features are not currently supported by consolidated policy mode:

  • Internet Services entries
  • address-negate and service-negate
  • DSCP and ToS matching
  • Traffic shapers
  • Packet capture
  • External IP lists
  • schedule-timeout, block-notification, disclaimer, custom-log-fields, or reputation
  • timeout-send-rst, tcp-session-without-syn, or anti-replay
  • Interface Pair View function in the pane toolbar
  • Policy Lookup function in the pane toolbar

The session/iprope tables for IPv4 and IPv6 still display separately.
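
Because enabling the mode deletes every existing policy and the features listed above cannot be recreated afterwards, it helps to audit a configuration backup before the change. The following Python sketch is an added example, not Fortinet code: it scans the `firewall policy` and `firewall policy6` tables of a backup for options from the Limitations list. The option-name prefixes and the sample backup are assumptions, and it relies on a standard backup listing only non-default settings.

```python
# Assumed mapping from the Limitations list to policy option-name prefixes;
# confirm the names against the CLI reference for your FortiOS version.
UNSUPPORTED = {
    "Internet Services entries": ("internet-service",),
    "address-negate and service-negate": ("srcaddr-negate", "dstaddr-negate", "service-negate"),
    "DSCP and ToS matching": ("dscp", "tos"),
    "Traffic shapers": ("traffic-shaper", "per-ip-shaper"),
    "Packet capture": ("capture-packet",),
    "Other unsupported options": (
        "schedule-timeout", "block-notification", "disclaimer", "custom-log-fields",
        "reputation", "timeout-send-rst", "tcp-session-without-syn", "anti-replay"),
}
TABLES = ("firewall policy", "firewall policy6")  # tables deleted by the mode switch

def audit(config_text):
    """Return (table, policy_id, feature, option) for each unsupported option found."""
    findings, table, policy_id = [], None, None
    for raw in config_text.splitlines():
        words = raw.split() or [""]
        if words[0] == "config":
            name = " ".join(words[1:])
            table = name if name in TABLES else None  # ignore every other table
        elif words[0] == "end":
            table = None
        elif table and words[0] == "edit":
            policy_id = words[1]
        elif table and words[0] == "set" and len(words) > 1:
            for feature, prefixes in UNSUPPORTED.items():
                if words[1].startswith(prefixes):
                    findings.append((table, policy_id, feature, words[1]))
    return findings

# Constructed sample backup, trimmed to the relevant lines.
SAMPLE = """config firewall policy
    edit 1
        set traffic-shaper "shared-1M-pipe"
    next
    edit 2
        set dstaddr-negate enable
    next
end
config firewall policy6
    edit 1
        set anti-replay disable
    next
end
"""
print(*audit(SAMPLE), sep="\n")
```

External IP lists are referenced as address objects rather than policy options, so this check does not detect them; review those references separately.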
