Excluding IP addresses from CGN resource allocation IP pools
You can use the new exclude-ip CGN resource allocation IP pool option to block a CGN IP pool from allocating one or more source IP addresses. You may want to exclude an IP address from being allocated by a CGN IP pool if the IP pool could assign an address that has been targeted by external attackers.
Exclude individual IP addresses by adding them to the CGN IP pool using the exclude-ip option, for example:
config firewall ippool
    edit <name>
        set type cgn-resource-allocation
        set exclude-ip <ip_address>, <ip_address>, <ip_address> ...
    next
end
where <ip_address> is a single IP address. You can only add single IP addresses; you cannot add IP address ranges or subnets. Enter ? after the exclude-ip option to see how many IP addresses you can add; the limit depends on the FortiGate model.
You can't exclude IP addresses in a fixed allocation CGN resource allocation IP pool. If
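The following is an added helper, not part of this documentation or of FortiOS, that pre-checks a candidate exclusion list against the rules described above (single addresses only, no ranges, not on a fixed allocation pool) and emits the exclude-ip line in the comma-separated form shown. The pool range, the entry limit and the sample addresses are constructed assumptions; read the real limit from the device with ? as described.

```python
import ipaddress

# Constructed sample values, not from the documentation. The per-model limit must
# be read from the device ("set exclude-ip ?") and passed in as max_entries.

def validate_exclude_ips(pool_start, pool_end, candidates, max_entries, fixed_allocation=False):
    """Return (accepted, rejected): accepted is a list of IPv4Address objects in
    order of first appearance, rejected is a list of (entry, reason) pairs."""
    start, end = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    if start > end:
        raise ValueError("pool start address is after pool end address")
    if fixed_allocation:
        # Exclusions are not supported on fixed allocation CGN pools.
        return [], [(c.strip(), "fixed allocation pool: exclusions not supported") for c in candidates]
    accepted, rejected = [], []
    for raw in candidates:
        entry = raw.strip()
        if "/" in entry or "-" in entry:
            rejected.append((entry, "ranges and CIDR blocks are not accepted; list single addresses"))
            continue
        try:
            ip = ipaddress.IPv4Address(entry)
        except ValueError:
            rejected.append((entry, "not a valid IPv4 address"))
            continue
        if not start <= ip <= end:
            rejected.append((entry, "outside the pool range; the exclusion would have no effect"))
            continue
        if ip in accepted:
            rejected.append((entry, "duplicate"))
            continue
        accepted.append(ip)
    if len(accepted) > max_entries:
        raise ValueError(f"{len(accepted)} exclusions exceed the model limit of {max_entries}")
    return accepted, rejected

def exclude_ip_line(accepted):
    """Format accepted addresses as the 'set exclude-ip' line (comma-separated form)."""
    return "set exclude-ip " + ", ".join(str(ip) for ip in accepted)

if __name__ == "__main__":
    cands = ["203.0.113.5", "203.0.113.5", "203.0.113.9-203.0.113.12",
             "203.0.113.0/28", "198.51.100.7", "203.0.113.250", "bad"]
    ok, bad = validate_exclude_ips("203.0.113.1", "203.0.113.254", cands, max_entries=32)
    print(exclude_ip_line(ok))
    for entry, reason in bad:
        print(f"skipped {entry}: {reason}")
```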