Combined IPv4 and IPv6 Policy
This feature introduces a consolidated policy mode in which IPv4 and IPv6 policies are combined, so a single policy can cover both IPv4 and IPv6 instead of requiring separate policies.
In consolidated policy mode, the GUI shows a single policy table. IPv4 and IPv6 share the same source interface, destination interface, service, user, and schedule, while IP addresses and IP pool settings are set separately for each.
Consolidated policy mode can be enabled with the following CLI command:
config system settings
set consolidated-firewall-mode enable
Enabling consolidated-firewall-mode will delete all firewall policy/policy6. Do you want to continue? (y/n) y
end
Enabling consolidated policy mode will delete all existing IPv4 and IPv6 policies.
To configure a consolidated policy in the CLI:
config firewall consolidated policy
edit 1
set uuid 754a86b6-2507-51e9-ef0d-13a6e4bf2e9d
set srcintf "port18"
set dstintf "port17"
set srcaddr4 "10-1-100-0" <-------- IPv4 srcaddr
set dstaddr4 "172-16-200-0" <-------- IPv4 dstaddr
set srcaddr6 "2000-10-1-100-0" <-------- IPv6 srcaddr
set dstaddr6 "2000-172-16-200-0" <-------- IPv6 dstaddr
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set ippool enable
set poolname4 "test-ippool4-1" <-------- IPv4 poolname
set poolname6 "test-ippool6-1" <-------- IPv6 poolname
set nat enable
next
end
Limitations
The following features are not currently supported by consolidated policy mode:
- Policy-learning mode
- Internet-services in policy
- Address-negate and service-negate
- DSCP-match/ToS
- Traffic shaper in policy
- Capture-packet in policy
- External IP list in policy
- schedule-timeout, block-notification, disclaimer, custom-log-fields, or reputation in policy
- timeout-send-rst, tcp-session-without-syn, or anti-replay in policy
- Policy Interface Pair View
- Policy lookup function on page
The session/iprope tables for IPv4 and IPv6 are still displayed separately.
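A pre-migration check for the deletion warning and the limitations listed above, as an added example that is not Fortinet's code: it scans a saved configuration backup for the firewall policy and policy6 entries that enabling the mode would delete, and flags options that fall under the limitations list. It assumes a non-VDOM backup that records only non-default settings; the option-name fragments are derived from the limitations list, and `audit` and `SAMPLE` are names made up for this example.

```python
import re

# Option-name fragments derived from the Limitations list on this page.
# Matching them as substrings of "set <option>" lines is an assumption.
UNSUPPORTED = (
    "learning-mode", "internet-service", "-negate", "dscp-match",
    "traffic-shaper", "capture-packet", "schedule-timeout",
    "block-notification", "disclaimer", "custom-log-fields", "reputation",
    "timeout-send-rst", "tcp-session-without-syn", "anti-replay",
)

def audit(config_text):
    """Map table -> policy id -> flagged options set in that policy."""
    report, table, policy_id, depth = {}, None, None, 0
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # top-level tables only (non-VDOM backup assumed)
                m = re.fullmatch(r"config firewall (policy6?)", line)
                table = m.group(1) if m else None
        elif line == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                table = policy_id = None
        elif table and depth == 1 and line.startswith("edit "):
            policy_id = line.split()[1]
            report.setdefault(table, {})[policy_id] = []
        elif table and policy_id and line.startswith("set "):
            option = line.split()[1]
            # A backup lists only non-default values, so presence means "in use".
            if any(k in option for k in UNSUPPORTED):
                report[table][policy_id].append(option)
    return report

# Constructed sample backup (not from a real device).
SAMPLE = """\
config firewall policy
    edit 1
        set service "ALL"
        set capture-packet enable
        set dstaddr-negate enable
    next
end
config firewall policy6
    edit 1
        set service "ALL"
    next
end
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Every policy id in the result is an entry that would be deleted; a non-empty list marks a policy that cannot be recreated as-is in consolidated mode.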