CLI Reference

config load-balance allowlist

Use this command to configure the Geography IP address allowlist. You use the allowlist to permit requests from clients that otherwise might be denied by the Geography IP address block list. For example, you might have a good reason to block requests from the whole address range for a country, except for the addresses of your known customers.

Before you begin:
  • You must have read-write permission for load balancing settings.

After you have configured a Geography IP address allowlist, you can specify it in the virtual server configuration.

Syntax

    config load-balance allowlist
      edit <name>
        set description <string>
        set status {enable|disable}
        config allowlist-member
          edit <No.>
            set description <string>
            set type {ip-netmask|ip-range}
            set ip-network <ip&netmask>
            set start-ip <ip>
            set end-ip <ip>
          next
        end
      next
    end

description

A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use. Put phrases in quotes. For example: “Customer ABC”.

status

Enable/disable the list.

config allowlist-member

description

Enter a brief description of the IP subnet or IP range, depending on which type you choose. The description can be up to 1023 characters long. Valid characters are A-Z, a-z, 0-9, _, -, ., and :. Spaces are not allowed.

type

Select and configure either of the following:

  • ip-netmask — Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.0/24. Dotted quad formatted subnet masks are not accepted. IPv6 addresses are not supported.

  • ip-range — Specify the Start IP and the End IP addresses of the IP range.

ip-network

The ip-network option is available if type is ip-netmask.

Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash, such as 192.0.2.0/24. Dotted quad formatted subnet masks are not accepted.

IPv6 addresses are not supported.

start-ip

The start-ip option is available if type is ip-range.

Specify the Start IP address of the IP range. IPv6 addresses are not supported.

end-ip

The end-ip option is available if type is ip-range.

Specify the End IP address of the IP range. IPv6 addresses are not supported.

Example

    FortiADC-VM # config load-balance allowlist
    FortiADC-VM (allowlist) # edit demo
    Add new entry 'demo' for node 2893
    FortiADC-VM (demo) # get
    description : IP-geo-allow-list
    status : enable
    FortiADC-VM (demo) # set description "Customer ABC."
    FortiADC-VM (demo) # config allowlist-member
    FortiADC-VM (allowlist-member) # edit 1
    Add new entry '1' for node 2897
    FortiADC-VM (1) # get
    ip-network : 0.0.0.0/0
    FortiADC-VM (1) # set ip-network 192.0.2.0/24
    FortiADC-VM (1) # end
    FortiADC-VM (demo) # get
    description : "Customer ABC."
    status : enable
    == [ 1 ]
    FortiADC-VM (demo) # end
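
An added example, not part of the Fortinet documentation: a Python pre-check that validates allowlist members against the constraints listed above (IPv4 only, CIDR prefix instead of a dotted-quad mask, description character set, start-ip not above end-ip) and renders the CLI block for review before it is pasted. The start-end input notation, the function names, and the refusal of a /0 network (the value the Example shows on a newly created member, which would exempt every client from the block list) are assumptions of this example, not FortiADC behaviour.

```python
import ipaddress
import re

# Character set and length limit the page gives for a member description.
DESC_RE = re.compile(r"[A-Za-z0-9_\-.:]{1,1023}")

def member_lines(spec, desc):
    """Validate one member; return its 'set' lines or raise ValueError."""
    if not DESC_RE.fullmatch(desc):
        raise ValueError(f"description {desc!r}: bad character, space or length")
    if "-" in spec:  # ip-range, written here as start-end (assumed notation)
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"{spec}: start-ip is above end-ip")
        return [f"set description {desc}", "set type ip-range",
                f"set start-ip {lo}", f"set end-ip {hi}"]
    addr, slash, prefix = spec.partition("/")
    if not slash or not prefix.isdigit():  # dotted-quad masks are not accepted
        raise ValueError(f"{spec}: need a CIDR prefix, e.g. 192.0.2.0/24")
    # IPv4Network rejects IPv6 input; strict=False normalises stray host bits.
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    if net.prefixlen == 0:
        raise ValueError(f"{spec}: would exempt every client from the block list")
    return [f"set description {desc}", "set type ip-netmask",
            f"set ip-network {net}"]

def render(name, description, members):
    """Return CLI text for one allowlist; members is [(spec, desc), ...]."""
    out = ["config load-balance allowlist", f"  edit {name}",
           f'    set description "{description}"', "    set status enable",
           "    config allowlist-member"]
    for number, (spec, desc) in enumerate(members, 1):
        out.append(f"      edit {number}")
        out += ["        " + line for line in member_lines(spec, desc)]
        out.append("      next")
    out += ["    end", "  next", "end"]
    return "\n".join(out)

# Constructed sample input using documentation address ranges.
SAMPLE = [("192.0.2.0/24", "Customer_ABC_office"),
          ("198.51.100.10-198.51.100.20", "Customer_ABC_vpn")]

if __name__ == "__main__":
    print(render("demo", "Customer ABC", SAMPLE))
```

The type line is emitted before the address lines because ip-network, start-ip and end-ip are only available once the matching type is set.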
