Combined IPv4 and IPv6 policy
In consolidated policy mode, IPv4 and IPv6 policies are combined into a single policy instead of defining separate policies.
The GUI shows a single policy table. The source interface, destination interface, service, user, and schedule are shared between IPv4 and IPv6, while IP addresses and IP pool settings are defined separately for each.
To enable consolidated policy mode using the CLI:
Enabling consolidated policy mode will delete all existing IPv4 and IPv6 policies.
config system settings
    set consolidated-firewall-mode enable
Enabling consolidated-firewall-mode will delete all firewall policy/policy6. Do you want to continue? (y/n) y
end
To configure a consolidated policy using the CLI:
config firewall consolidated policy
    edit 1
        set uuid 754a86b6-2507-51e9-ef0d-13a6e4bf2e9d
        set srcintf "port18"
        set dstintf "port17"
        set srcaddr4 "10-1-100-0" <-------- IPv4 srcaddr
        set dstaddr4 "172-16-200-0" <-------- IPv4 dstaddr
        set srcaddr6 "2000-10-1-100-0" <-------- IPv6 srcaddr
        set dstaddr6 "2000-172-16-200-0" <-------- IPv6 dstaddr
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname4 "test-ippool4-1" <-------- IPv4 poolname
        set poolname6 "test-ippool6-1" <-------- IPv6 poolname
        set nat enable
    next
end
Limitations
The following features are not currently supported by consolidated policy mode:
- Internet Services entries
- address-negate and service-negate
- DSCP and ToS matching
- Traffic shapers
- Packet capture
- External IP lists
- schedule-timeout, block-notification, disclaimer, custom-log-fields, or reputation
- timeout-send-rst, tcp-session-without-syn, or anti-replay
- Interface Pair View function in the pane toolbar
- Policy Lookup function in the pane toolbar
The session/iprope tables for IPv4 and IPv6 still display separately.
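Because enabling consolidated policy mode deletes every existing IPv4 and IPv6 policy, and the options listed under Limitations cannot be carried over, it helps to inventory a configuration backup before making the change. The following Python script is an added example, not Fortinet code: it lists each entry under config firewall policy and config firewall policy6 together with the unsupported options it uses. The sample backup is constructed, the check covers only the option keywords named on this page, and reading address-negate as srcaddr-negate/dstaddr-negate is an assumption.

```python
UNSUPPORTED = {  # option keywords copied from this page's Limitations list
    "service-negate", "schedule-timeout", "block-notification", "disclaimer",
    "custom-log-fields", "timeout-send-rst", "tcp-session-without-syn"}
# Assumption: "address-negate" appears in a backup as srcaddr-negate / dstaddr-negate.
NEGATE_SUFFIX = "addr-negate"
TABLES = {"config firewall policy": "policy", "config firewall policy6": "policy6"}

def audit(config_text):
    """Map (table, policy id) -> unsupported options in use, for every policy that would be deleted."""
    findings, table, key, depth = {}, None, None, 0
    for line in (raw.strip() for raw in config_text.splitlines()):
        if table is None:                      # outside the two policy tables
            if line in TABLES:
                table, depth = TABLES[line], 1
        elif line.startswith("config "):       # nested block inside a policy entry
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:                     # left the policy table
                table = key = None
        elif depth == 1 and line.startswith("edit "):
            key = (table, int(line.split()[1]))
            findings[key] = []
        elif depth == 1 and key and line.startswith("set "):
            _, option, *value = line.split()
            if value != ["disable"] and (option in UNSUPPORTED or option.endswith(NEGATE_SUFFIX)):
                findings[key].append(option)   # set to something other than "disable"
    return findings

SAMPLE = """\
config firewall policy
    edit 1
        set dstaddr-negate enable
        set disclaimer enable
    next
    edit 2
        set service-negate disable
    next
end
config firewall policy6
    edit 1
        set timeout-send-rst enable
    next
end
"""

if __name__ == "__main__":
    for (table, pid), opts in audit(SAMPLE).items():
        print(f"{table} {pid}: will be deleted; unsupported options in use: {opts or 'none'}")
```

Policies reported with an empty list can be re-created in the consolidated table as they are; the others need a decision about the flagged option first.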