IP / netmask addresses
The subnet type of address is expressed using a host address and a subnet mask. From a strictly mathematical standpoint this is the most flexible of the types, because the address can refer to as little as one individual address or as many as all of the available addresses.
It is usually used when referring to your own internal addresses, because you know what they are and they are usually administered in groups that are nicely differentiated along the lines of the old A, B, and C classes of IPv4 addresses. They are also addresses that are not likely to change when you change Internet Service Providers (ISPs).
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:
- A single host such as a single computer with the address 192.45.46.45
- A range of hosts such as all of the hosts on the subnet 192.45.46.1 to 192.45.46.255
- All hosts, represented by 0.0.0.0 which matches any IP address
The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
- Netmask for a class A subnet of 16,777,214 usable addresses: 255.0.0.0, or /8
- Netmask for a class B subnet of 65,534 usable addresses: 255.255.0.0, or /16
- Netmask for a class C subnet of 254 usable addresses: 255.255.255.0, or /24
- Netmask for subnetted class C of 126 usable addresses: 255.255.255.128, or /25
- Netmask for subnetted class C of 62 usable addresses: 255.255.255.192, or /26
- Netmask for subnetted class C of 30 usable addresses: 255.255.255.224, or /27
- Netmask for subnetted class C of 14 usable addresses: 255.255.255.240, or /28
- Netmask for subnetted class C of 6 usable addresses: 255.255.255.248, or /29
- Netmask for subnetted class C of 2 usable addresses: 255.255.255.252, or /30
- Netmask for a single computer: 255.255.255.255, or /32
So for a single host or subnet the valid format of IP address and netmask could be either:
- x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
- x.x.x.x/x, such as 192.168.1.0/24
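The two formats above, and the netmask table before them, are easy to get wrong by hand (a /25 versus a /26, a hostmask typed where a netmask was meant). The following Python script is an added example, not part of the FortiGate documentation or FortiOS itself. It parses an address in either accepted form using the standard `ipaddress` module, converts between the dotted-decimal and CIDR notations, reports the usable host count the way the table does, and checks whether a given host falls inside an address object, which is the question a policy reviewer actually needs answered. The sample addresses are constructed for the demonstration; the rule that a bare `0.0.0.0` means "all hosts" follows the text above, and the decision to clear host bits under the mask is this script's own choice for matching purposes, not a claim about how the unit displays the object.

```python
import ipaddress

# Per the text above, a bare 0.0.0.0 is the "all hosts" address.
ANY_ADDRESS = "0.0.0.0"


def parse_ipmask(text):
    """Parse an IP/Netmask string in either accepted form:
    x.x.x.x/x.x.x.x (dotted-decimal mask) or x.x.x.x/x (CIDR prefix).
    A bare address is treated as a single host (/32); a bare 0.0.0.0 is
    the 'all hosts' address. Host bits under the mask are cleared so the
    result is the network that matching is done against (this script's
    own choice, not a statement about what the unit displays)."""
    host, _, mask = text.strip().partition("/")
    if not mask:
        mask = "0" if host == ANY_ADDRESS else "32"
    net = ipaddress.IPv4Network(f"{host}/{mask}", strict=False)
    # ipaddress also accepts a hostmask such as 0.0.0.255; an address
    # object wants a netmask, so reject dotted masks that do not round-trip.
    if "." in mask and str(net.netmask) != mask:
        raise ValueError(f"{mask!r} is not a valid netmask")
    return net


def to_cidr(text):
    """Return the x.x.x.x/x form of the address."""
    return str(parse_ipmask(text))


def to_dotted(text):
    """Return the x.x.x.x/x.x.x.x form of the address."""
    net = parse_ipmask(text)
    return f"{net.network_address}/{net.netmask}"


def usable_hosts(text):
    """Usable host count as in the netmask table: /32 is one computer,
    /31 is a two-host point-to-point link, anything larger loses the
    network and broadcast addresses."""
    net = parse_ipmask(text)
    if net.prefixlen == 32:
        return 1
    if net.prefixlen == 31:
        return 2
    return net.num_addresses - 2


def covers(address_text, host_text):
    """True when the address object would match the given host."""
    return ipaddress.IPv4Address(host_text) in parse_ipmask(address_text)


if __name__ == "__main__":
    # Constructed sample inputs covering each of the three cases in the text:
    # a subnet in both notations, a single host, and the all-hosts address.
    for sample in ("192.168.1.0/255.255.255.0", "192.168.1.0/24",
                   "192.45.46.45", ANY_ADDRESS):
        print(f"{sample:28} -> {to_cidr(sample):16} "
              f"usable={usable_hosts(sample)}")
    print(covers("192.45.46.0/24", "192.45.46.45"))   # True
    print(covers("192.45.46.45", "192.45.46.46"))     # False: /32 is one host
```

Run it before saving an address object whose mask you are unsure of: `usable_hosts` should print the count you expect from the table, and `covers` should answer True for a host the object is meant to include and False for one it must not.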
Static route configuration
A setting that is found in the IP/Netmask address type that is not found in the other address types is the enabling or disabling of Static Route Configuration. Enabling this feature includes the address in the listing of named addresses when setting up a static route.
To enable in the GUI:
- Enable the Static Route Configuration in the address.
- Go to Network > Static Routes and create a new route.
- For a Destination type, choose Named Address.
- Using the drop-down menu in the field just underneath the Destination type options, select the name of the address object.
- Fill out the other information relevant to the route.
- Select the OK button.
To enable in the CLI:
config firewall address
    edit <address_name>
        set allow-routing enable
end
Creating a subnet address
- Go to Policy & Objects > Addresses.
- Select Create New. A drop down menu is displayed. Select Address.
- In the Category field, choose Address. (This is for IPv4 addresses.)
- Input a Name for the address object.
- In the Type field, select IP/Netmask from the drop-down menu.
- In the Subnet/IP Range field, enter the address and subnet mask according to the format x.x.x.x/x.x.x.x or the shorthand format x.x.x.x/x.
- In the Interface field, leave the default any or select a specific interface from the drop-down menu.
- Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
- Select the desired on/off toggle setting for Static Route Configuration.
- Input any additional information in the Comments field.
- Press OK.
Example
Example of a Subnet address for a database server on the DMZ:
| Field | Value |
|---|---|
| Category | Address |
| Name | DB_server_1 |
| Type | IP/Netmask |
| Subnet/IP Range | United States |
| Interface | any |
| Show in Address List | [on] |
| Static Route Configuration | [off] |
| Comments | |