Fortinet Document Library

New Features

6.2.0

Combined IPv4 and IPv6 Policy

This feature introduces a new, consolidated policy mode. In this mode, IPv4 and IPv6 policies are combined into a single, consolidated policy. This means that a single policy can be defined that includes both IPv4 and IPv6, instead of defining separate policies.

In consolidated policy mode, there is a single policy table for the GUI. The same source interface, destination interface, service, user, and schedule are shared for both IPv4 and IPv6, while there are different IP addresses and IP pool settings.

Consolidated policy mode can be enabled with the following CLI command:

config system settings
    set consolidated-firewall-mode enable
    Enabling consolidated-firewall-mode will delete all firewall policy/policy6. Do you want to continue? (y/n) y
end

Caution

Enabling consolidated policy mode will delete all existing IPv4 and IPv6 policies.

To configure a consolidated policy in the CLI:

config firewall consolidated policy
    edit 1
        set uuid 754a86b6-2507-51e9-ef0d-13a6e4bf2e9d
        set srcintf "port18"
        set dstintf "port17"
        set srcaddr4 "10-1-100-0"            <-------- IPv4 srcaddr
        set dstaddr4 "172-16-200-0"          <-------- IPv4 dstaddr
        set srcaddr6 "2000-10-1-100-0"       <-------- IPv6 srcaddr
        set dstaddr6 "2000-172-16-200-0"     <-------- IPv6 dstaddr
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname4 "test-ippool4-1"       <-------- IPv4 poolname
        set poolname6 "test-ippool6-1"       <-------- IPv6 poolname
        set nat enable
    next
end

Limitations

The following features are not currently supported by consolidated policy mode:

  • Policy-learning mode
  • Internet-services in policy
  • Address-negate and service-negate
  • DSCP-match/ToS
  • Traffic shaper in policy
  • Capture-packet in policy
  • External IP list in policy
  • schedule-timeout, block-notification, disclaimer, custom-log-fields, or reputation in policy
  • timeout-send-rst, tcp-session-without-syn, or anti-replay in policy
  • Policy Interface Pair View
  • Policy lookup function on the policy page

The session/iprope tables for IPv4 and IPv6 are still displayed separately.
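Because enabling consolidated mode deletes every existing IPv4 and IPv6 policy, a pre-migration check of a configuration backup is worth running first. The following Python script is an added example, not code from the Fortinet documentation: it parses the `config firewall policy` and `config firewall policy6` tables of a backup, counts the entries that would be deleted, and flags those using any feature from the limitations list above, which would have to be redesigned rather than recreated as a consolidated policy. The backup text is constructed, and the mapping from that list to CLI keys (for example `srcaddr-negate`, `capture-packet`) is an assumption to verify against the firmware in use.

```python
# Constructed FortiOS backup excerpt (not from the page): only policy 1 uses unsupported features
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcaddr-negate enable
        set traffic-shaper "high-priority"
        set action accept
    next
end
config firewall policy6
    edit 1
        set action accept
    next
end
"""

# CLI keys behind the page's "not supported" list (key names are an assumption;
# a backup stores only non-default values, so a present key means it is in use)
UNSUPPORTED_KEYS = {
    "learning-mode", "internet-service", "srcaddr-negate", "dstaddr-negate",
    "service-negate", "dscp-match", "traffic-shaper", "capture-packet",
    "schedule-timeout", "block-notification", "disclaimer", "custom-log-fields",
    "timeout-send-rst", "tcp-session-without-syn", "anti-replay",
}

def policies(config_text):
    """Yield (table, policy_id, keys_set) for each firewall policy/policy6 entry."""
    table, current = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):  # only the two policy tables are tracked
            table = line[16:] if line in ("config firewall policy", "config firewall policy6") else None
        elif table and line.startswith("edit "):
            current = (table, line[5:].strip('"'), set())
        elif current and line.startswith("set "):
            current[2].add(line[4:].split(" ", 1)[0])
        elif current and line == "next":
            yield current
            current = None

def premigration_report(config_text):
    """Count what enabling consolidated mode would delete; flag entries that cannot be recreated."""
    report = {"policy": 0, "policy6": 0, "blocked": {}}
    for table, pid, keys in policies(config_text):
        report[table] += 1
        hits = sorted(UNSUPPORTED_KEYS & keys)
        if hits:
            report["blocked"][f"{table} {pid}"] = hits
    return report
```

Run `premigration_report(open("backup.conf").read())` against a real backup; a non-empty `blocked` map lists the policies that need attention before the mode switch.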
