Fortinet FortiGate-100A Operating Instructions
198
01-28006-0068-20041105
Fortinet Inc.
Policy CLI configuration
Firewall
Address
You can add, edit, and delete firewall addresses as required. You can also organize
related addresses into address groups to simplify policy creation.
A firewall address can be configured with a name, an IP address, and a netmask, or a
name and IP address range.
You can enter an IP address and netmask using the following formats.
• x.x.x.x/x.x.x.x, for example 64.198.45.0/255.255.255.0
• x.x.x.x/x, for example 64.195.45.0/24
You can enter an IP address range using the following formats.
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]
• x.x.x.*, for example 192.168.110.* to represent all addresses on the subnet
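As an added example (not from the FortiGate manual, and not FortiGate CLI syntax), the following Python parser accepts the five address notations listed above and reports how many hosts an address object covers. This is the kind of check an audit script runs over exported address objects to find over-broad entries; the function names and the use of Python's ipaddress module are my own choices.

```python
"""Parse FortiGate firewall address notations (added example, not FortiGate code).

Accepted forms, as listed in the manual:
  x.x.x.x/x.x.x.x        dotted netmask
  x.x.x.x/x              prefix length
  x.x.x.x-x.x.x.x        explicit range
  x.x.x.[x-x]            last-octet range
  x.x.x.*                whole last octet (0-255)
"""
import ipaddress
import re

_RANGE_BRACKET = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")
_RANGE_STAR = re.compile(r"^(\d+\.\d+\.\d+)\.\*$")


def parse_ipmask(text):
    """x.x.x.x/x.x.x.x or x.x.x.x/x -> IPv4Network.

    ipaddress understands both dotted and prefix-length masks; strict=False
    keeps an entry such as 10.0.0.5/24 from raising because host bits are set.
    """
    return ipaddress.IPv4Network(text, strict=False)


def parse_iprange(text):
    """x.x.x.x-x.x.x.x, x.x.x.[x-x] or x.x.x.* -> (first, last) IPv4Address pair."""
    m = _RANGE_STAR.match(text)
    if m:
        prefix = m.group(1)
        return (ipaddress.IPv4Address(prefix + ".0"),
                ipaddress.IPv4Address(prefix + ".255"))
    m = _RANGE_BRACKET.match(text)
    if m:
        prefix, lo, hi = m.groups()
        first = ipaddress.IPv4Address(f"{prefix}.{lo}")
        last = ipaddress.IPv4Address(f"{prefix}.{hi}")
    elif "-" in text:
        a, b = text.split("-", 1)
        first = ipaddress.IPv4Address(a.strip())
        last = ipaddress.IPv4Address(b.strip())
    else:
        raise ValueError(f"not an address range: {text!r}")
    if last < first:
        raise ValueError(f"range end precedes start: {text!r}")
    return first, last


def parse_address(text):
    """Dispatch on syntax.

    Returns ("ipmask", IPv4Network) for the netmask forms and
    ("iprange", (first, last)) for the range forms.
    """
    text = text.strip()
    if "/" in text:
        return "ipmask", parse_ipmask(text)
    return "iprange", parse_iprange(text)


def address_count(text):
    """Number of host addresses the object covers; large values flag over-broad objects."""
    kind, value = parse_address(text)
    if kind == "ipmask":
        return value.num_addresses
    first, last = value
    return int(last) - int(first) + 1


if __name__ == "__main__":
    # Constructed sample entries taken from the notations the manual lists.
    for entry in ("64.198.45.0/255.255.255.0", "64.195.45.0/24",
                  "192.168.110.100-192.168.110.120",
                  "192.168.110.[100-120]", "192.168.110.*"):
        print(f"{entry:35} -> {address_count(entry):4} addresses")
```

The parser deliberately rejects a range whose end precedes its start rather than silently swapping the endpoints, so a typo in an address object surfaces during review instead of becoming a policy that matches nothing.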
This section describes:
firewall policy command keywords and variables

Keywords and variables: natip <address_ipv4mask>

Description: Configure natip for a firewall policy with action set to encrypt and with outbound NAT enabled. Specify the IP address and subnet mask to translate the source address of outgoing packets.
Set natip for peer-to-peer VPNs to control outbound NAT IP address translation for outgoing VPN packets.
If you do not use natip to translate IP addresses, the source addresses of outbound VPN packets are translated into the IP address of the FortiGate external interface. If you use natip, the FortiGate unit uses a static mapping scheme to translate the source addresses of VPN packets into corresponding IP addresses on the subnet that you specify. For example, if the source address in the encryption policy is 192.168.1.0/24 and the natip is 172.16.2.0/24, a source address of 192.168.1.7 will be translated to 172.16.2.7.

Default: 0.0.0.0

Availability: All models. Encrypt policy, with outbound NAT enabled.
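The static mapping in the natip description, worked through in Python as an added example (not FortiGate code): the host part of the source address is kept and the network part is replaced by the natip subnet's, which is what turns 192.168.1.7 into 172.16.2.7. The function names are my own, and the requirement that the natip subnet be the same size as the policy source subnet is an assumption I enforce to keep the mapping one-to-one; the manual does not say what the unit does when the sizes differ.

```python
"""natip static mapping, worked example (added here; not FortiGate code)."""
import ipaddress


def natip_translate(src_addr, policy_src, natip):
    """Return the translated source address (as a string) for one outbound VPN packet.

    src_addr   - source IP of the packet, e.g. "192.168.1.7"
    policy_src - source subnet of the encrypt policy, e.g. "192.168.1.0/24"
    natip      - subnet configured with the natip keyword, e.g. "172.16.2.0/24"
    """
    src = ipaddress.IPv4Address(src_addr)
    src_net = ipaddress.IPv4Network(policy_src, strict=False)
    nat_net = ipaddress.IPv4Network(natip, strict=False)
    if src not in src_net:
        raise ValueError(f"{src} is not in the policy source subnet {src_net}")
    # Assumption (not stated in the manual): natip must be the same size as the
    # policy source subnet, otherwise the host part cannot be carried over one-to-one.
    if nat_net.prefixlen != src_net.prefixlen:
        raise ValueError("natip subnet size must match the policy source subnet")
    host_part = int(src) & int(src_net.hostmask)          # keep host bits
    translated = int(nat_net.network_address) | host_part  # swap in natip's network bits
    return str(ipaddress.IPv4Address(translated))


def natip_reverse(translated_addr, policy_src, natip):
    """Map an address seen by the VPN peer back to the original internal host.

    The scheme is a static one-to-one mapping, so the reverse is the same
    computation with the two subnets swapped. This is what you need when
    matching the peer's logs against the hosts behind this FortiGate.
    """
    return natip_translate(translated_addr, natip, policy_src)


if __name__ == "__main__":
    # Values from the manual's own example.
    out = natip_translate("192.168.1.7", "192.168.1.0/24", "172.16.2.0/24")
    print("192.168.1.7 ->", out)
    print(out, "->", natip_reverse(out, "192.168.1.0/24", "172.16.2.0/24"))
```

Because the mapping is static, the peer sees a stable address per internal host, which is why natip is the right tool when the remote site wants to write per-host policy or correlate per-host logs; without it every internal host appears as the FortiGate external interface address.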