Adding IP address threat feeds to hyperscale firewall policies
You can go to Security Fabric > External Connectors > Create New and select IP address to create an IP address threat feed. You can then add this threat feed to a hyperscale firewall policy as a source or destination address. This feature allows you to add dynamic lists of IPv4 and IPv6 source or destination addresses to your hyperscale firewall configuration.
Use the following command to add an IP Address Threat Feed:
config system external-resource
    edit example-address-threat-feed
        set type address
        set status enable
        set update-method {feed | push}
        set username <name>
        set password <password>
        set resource <url-of-address-list>
        set refresh-rate <rate>
    end
Use the following command to add an IP Address Threat Feed to a hyperscale firewall policy as the destination address:
config firewall policy
    edit 1
        set name cgn-hw1-policy44-1
        set srcintf port1
        set dstintf port2
        set action accept
        set srcaddr all
        set dstaddr example-address-threat-feed
        set service ALL
        set nat enable
        set ippool enable
        set poolname test-cgn-pba-33
    end
For information about IP Address Threat Feeds, see IP address threat feed.
If you have set up a threat feed as the source or destination address in a hyperscale firewall policy, you cannot enable the corresponding address negate option.
Example diagnose iprope command output showing the IP Address Threat Feed listed as external ip pool in the destination field:
For an IPv4 IP Address Threat Feed:
diagnose firewall iprope list 100004
policy index=1 uuid_idx=16081 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (a0): link-local best-route
flag4 (4):
schedule(always)
shapers: orig=shaper10M-high(2/1280000/1280000) reply=shaper10M-high(2/1280000/1280000)
cos_fwd=255 cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=500 chk_client_info=0x0 app_list=0 ips_view=0 misc=0
zone(1): 11 -> zone(1): 12
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15932,
destination external ip pool(1): 16065
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
pba_nat(1): 5
For an IPv6 IP Address Threat Feed:
diagnose firewall iprope6 list 100004
policy id: 2, group: 00100004, uuid_idx=16082
action: accept, schedule: always
cos_fwd=255 cos_rev=255
flag (08010008): redir master pol_stats
flag2(00004000): resolve_sso
flag3(00000080): best-route
flag4(00000004):
shapers: shaper10M-high(2/1280000/1280000)/shaper10M-high(2/1280000/1280000) per_ip=
sub_groups: av 00004e20 auth 00000000 split 00000000 misc 00000000
app_list: 0 ips_view: 0
vdom_id: 500
zone_from(1): 11
zone_to(1): 12
address_src(1): all uuid_idx=15953
destination external ip pool(1): 16065
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto
nat(0):
nat_64(0):
Example diagnose sys npu-session list command output showing some NP7 sessions accepted by a firewall policy with an IP Address Threat Feed.
For an IPv4 session:
diagnose sys npu-session list
session info: proto=6 proto_state=00 duration=45 expire=3600 timeout=3600 refresh_dir=both
flags=00000000 socktype=0 sockport=0 av_idx=0 use=1
origin-shaper= reply-shaper= per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=hw_ses
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:44192->172.16.200.55:23(172.16.201.182:9141)
hook=pre dir=reply act=dnat 172.16.200.55:23->172.16.201.182:9141(10.1.100.11:44192)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=16081 auth_info=0 chk_client_info=0 vd=500
serial=00000000 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
setup by offloaded-policy: origin=native
O: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
R: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
# hardware-session = 1
For an IPv6 session:
diagnose sys npu-session list6
session6 info: proto=6 proto_state=00 duration=39 expire=3600 timeout=3600 refresh_dir=both
flags=00000000 sockport=0 socktype=0 use=1
origin-shaper= reply-shaper= per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=hw_ses
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0
hook=post dir=org act=noop 2000:10:1:100::11:47494->2000:172:16:200::55:23(:::0)
hook=pre dir=reply act=noop 2000:172:16:200::55:23->2000:10:1:100::11:47494(:::0)
misc=0 policy_id=2 pol_uuid_idx=16082 auth_info=0 chk_client_info=0 vd=500
serial=00000000 tos=ff/ff ips_view=25972 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
setup by offloaded-policy: origin=native
O: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
R: npid=0/0, in: OID=0/VID=0, out: NHI=0 OID=0/VID=0
# hardware-session = 1
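As an added verification script (not part of the original page or of FortiOS), the following Python parses the two diagnose output formats shown above to confirm that the policy's destination is the external ip pool created for the threat feed and that every NP7 session accepted by that policy is hardware offloaded. The sample strings are abbreviated copies of the page's output; the field patterns are assumptions drawn from that output, not a documented API.

```python
import re

# Added example: check "diagnose firewall iprope list" / "iprope6 list" output
# (policy references an external ip pool) against "diagnose sys npu-session
# list" output (sessions offloaded). Samples are constructed from the page's output.

IPV4_IPROPE = """policy index=1 uuid_idx=16081 action=accept
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15932,
destination external ip pool(1): 16065"""

IPV6_IPROPE = """policy id: 2, group: 00100004, uuid_idx=16082
action: accept, schedule: always
address_src(1): all uuid_idx=15953
destination external ip pool(1): 16065"""

NPU_SESSIONS = """session info: proto=6 proto_state=00 duration=45 state=hw_ses
misc=0 policy_id=1 pol_uuid_idx=16081 auth_info=0 vd=500
# hardware-session = 1
session6 info: proto=6 proto_state=00 duration=39 state=hw_ses
misc=0 policy_id=2 pol_uuid_idx=16082 auth_info=0 vd=500
# hardware-session = 1"""

def parse_iprope_policy(text):
    """Extract policy id, action and destination external ip pool id (None if absent)."""
    pol = re.search(r"policy (?:index=|id: )(\d+)", text)  # IPv4 vs IPv6 layout
    act = re.search(r"action[=:] ?(\w+)", text)
    pool = re.search(r"destination external ip pool\(\d+\): (\d+)", text)
    return {
        "policy": int(pol.group(1)) if pol else None,
        "action": act.group(1) if act else None,
        "dst_external_pool": int(pool.group(1)) if pool else None,
    }

def parse_npu_sessions(text):
    """Yield (policy_id, offloaded) per session; offloaded = hw_ses and hardware-session = 1."""
    for block in re.split(r"session6? info:", text)[1:]:
        pid = re.search(r"policy_id=(\d+)", block)
        if pid:
            offloaded = "state=hw_ses" in block and "# hardware-session = 1" in block
            yield int(pid.group(1)), offloaded

def feed_policy_offloaded(iprope_text, npu_text, pool_id):
    """True when the policy accepts to pool_id and all NP7 sessions it matched are offloaded."""
    pol = parse_iprope_policy(iprope_text)
    if pol["action"] != "accept" or pol["dst_external_pool"] != pool_id:
        return False
    hits = [hw for pid, hw in parse_npu_sessions(npu_text) if pid == pol["policy"]]
    return bool(hits) and all(hits)
```

Call feed_policy_offloaded(IPV4_IPROPE, NPU_SESSIONS, 16065) for the IPv4 policy and the IPV6_IPROPE variant for the IPv6 policy; a pool id that differs from the one shown in the iprope output returns False.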