Fortinet 100A Router User Manual

198 01-28007-0068-20041203 Fortinet Inc.
Policy CLI configuration Firewall

Address
You can add, edit, and delete firewall addresses as required. You can also organize
related addresses into address groups to simplify policy creation.
A firewall address can be configured with a name, an IP address, and a netmask, or a
name and IP address range.
You can enter an IP address and netmask using the following formats:
x.x.x.x/x.x.x.x, for example 64.198.45.0/255.255.255.0
x.x.x.x/x, for example 64.195.45.0/24
You can enter an IP address range using the following formats:
x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
x.x.x.[x-x], for example 192.168.110.[100-120]
x.x.x.*, for example 192.168.110.* to represent all addresses on the subnet
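The five address formats above are easy to confuse when reviewing a policy, so the following added example (not code from the manual or from Fortinet) parses each form into the first and last address it covers and answers whether a given host falls inside it. The function names parse_address and address_contains are assumptions for this illustration; the sample addresses are the ones listed above plus one constructed host.

```python
import ipaddress
import re

# Range form: x.x.x.x-x.x.x.x
_RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")
# Bracket form: x.x.x.[x-x]
_BRACKET_RE = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")
# Wildcard form: x.x.x.* (whole /24)
_WILDCARD_RE = re.compile(r"^(\d+\.\d+\.\d+)\.\*$")


def parse_address(spec):
    """Return (first, last) IPv4Address covered by a firewall address spec.

    Accepts the five formats described in the manual: network/dotted-mask,
    network/prefix-length, explicit range, bracketed last-octet range and
    last-octet wildcard. Raises ValueError for anything else or for a range
    whose end precedes its start.
    """
    spec = spec.strip()

    m = _RANGE_RE.match(spec)
    if m:
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2))
        if last < first:
            raise ValueError(f"range end precedes start: {spec!r}")
        return first, last

    m = _BRACKET_RE.match(spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad bracket range: {spec!r}")
        return (ipaddress.IPv4Address(f"{prefix}.{lo}"),
                ipaddress.IPv4Address(f"{prefix}.{hi}"))

    m = _WILDCARD_RE.match(spec)
    if m:
        net = ipaddress.IPv4Network(f"{m.group(1)}.0/24")
        return net.network_address, net.broadcast_address

    if "/" in spec:
        # ipaddress accepts both "/24" and "/255.255.255.0"; strict=False
        # masks off any host bits rather than rejecting the entry.
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address

    raise ValueError(f"unrecognised address format: {spec!r}")


def address_contains(spec, host):
    """True if the host address lies within the address spec."""
    first, last = parse_address(spec)
    return first <= ipaddress.IPv4Address(host) <= last


if __name__ == "__main__":
    # Sample specs taken from the manual's format list.
    for s in ("64.198.45.0/255.255.255.0", "64.195.45.0/24",
              "192.168.110.100-192.168.110.120", "192.168.110.[100-120]",
              "192.168.110.*"):
        print(f"{s:32} -> {parse_address(s)[0]} .. {parse_address(s)[1]}")
```

Checking a specific host against a spec with address_contains is the practical use: it shows at review time whether an address object is broader than intended (for example, the wildcard form covers the entire /24, not just "in use" hosts).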
firewall policy command keywords and variables

Keyword and variable: http_retry_count <retry_integer>
Description: Define the number of times to retry establishing an HTTP connection when the connection fails.
Default: 0
Availability: All models.

Keyword and variable: natip <address_ipv4mask>
Description: Configure natip for a firewall policy with action set to encrypt and with outbound NAT enabled. Specify the IP address and subnet mask to translate the source address of outgoing packets.
Set natip for peer to peer VPNs to control outbound NAT IP address translation for outgoing VPN packets. If you do not use natip to translate IP addresses, the source addresses of outbound VPN packets are translated into the IP address of the FortiGate external interface. If you use natip, the FortiGate unit uses a static mapping scheme to translate the source addresses of VPN packets into corresponding IP addresses on the subnet that you specify. For example, if the source address in the encryption policy is 192.168.1.0/24 and the natip is 172.16.2.0/24, a source address of 192.168.1.7 will be translated to 172.16.2.7.
Default: 0.0.0.0 0.0.0.0
Availability: All models. Encrypt policy, with outbound NAT enabled.
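The natip description above defines a static, host-preserving mapping: the network part of the source address is replaced by the natip network and the host part is kept. The following added example (not code from the manual or from Fortinet) reproduces that mapping on the manual's own numbers and also covers the two edge cases the description implies: the default natip of 0.0.0.0 0.0.0.0, where the source is instead rewritten to the external interface address, and a natip subnet too small to hold every host of the policy's source subnet, where two sources would map to one translated address. The function name translate_source, the external_ip parameter and the external address 203.0.113.1 are assumptions for this illustration.

```python
import ipaddress

# Default value of natip from the keyword table: no natip configured.
_NATIP_UNSET = ipaddress.IPv4Network("0.0.0.0/0.0.0.0")


def translate_source(src_ip, policy_src, natip, external_ip):
    """Return the translated source address for one outbound VPN packet.

    src_ip      -- original source address of the packet
    policy_src  -- source address/mask of the encrypt policy
    natip       -- value of the natip keyword (address and mask)
    external_ip -- address of the FortiGate external interface (assumed
                   input; used when natip is left at its default)
    """
    src = ipaddress.IPv4Address(src_ip)
    policy_net = ipaddress.IPv4Network(policy_src, strict=False)
    nat_net = ipaddress.IPv4Network(natip, strict=False)

    # A packet the policy does not match is never translated by it.
    if src not in policy_net:
        raise ValueError(f"{src} is outside policy source {policy_net}")

    # natip unset: source becomes the external interface address.
    if nat_net == _NATIP_UNSET:
        return ipaddress.IPv4Address(external_ip)

    # Static mapping keeps the host bits, so the natip subnet must be at
    # least as large as the policy source subnet or hosts would collide.
    if nat_net.prefixlen > policy_net.prefixlen:
        raise ValueError(
            f"natip {nat_net} is smaller than policy source {policy_net}; "
            "mapping would not be one-to-one")

    host_bits = int(src) & int(policy_net.hostmask)
    return ipaddress.IPv4Address(int(nat_net.network_address) | host_bits)


if __name__ == "__main__":
    # The manual's example: 192.168.1.7 in 192.168.1.0/24 with natip 172.16.2.0/24.
    print(translate_source("192.168.1.7", "192.168.1.0/24",
                           "172.16.2.0/255.255.255.0", "203.0.113.1"))
    # Default natip: translated to the (assumed) external interface address.
    print(translate_source("192.168.1.7", "192.168.1.0/24",
                           "0.0.0.0/0.0.0.0", "203.0.113.1"))
```

The size check is the point a reviewer would want: the manual's example uses equal-sized subnets, and the mapping stays one-to-one only while the natip subnet is at least as large as the policy's source subnet.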