Example
Example of a Geography address for a country that should be able to access resources on the network.
| Field | Value |
| --- | --- |
| Category | Address |
| Name | United States |
| Type | Geography |
| Country | United States |
| Interface | any |
| Show in Address List | [on] |
| Comments | |
IP Range Addresses
Where the Subnet address is good at representing a standardized group of addresses that are subnets, the IP Range type of address can describe a group of addresses while being specific and granular. It does this by specifying a continuous set of IP addresses between one specific IP address and another. While it is most common for this range to fall within a subnet, it is not a requirement. For instance, 192.168.1.0/24 and 192.168.2.0/24 would be 2 separate subnets, but if you wanted to describe the top half of one and the bottom half of the other you could describe the range of 192.168.1.128-192.168.2.127. It's also a lot easier than trying to calculate the correct subnet mask.
The format would be:
x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
There is a notation that is commonly used and accepted by some devices that follows the format:
x.x.x.[x-x], such as 192.168.110.[100-120]
This format is not recognized in FortiOS 5.2 as a valid IP Range.
Creating an IP Range address
1. Go to Policy & Objects > Addresses.
2. Select Create New. A drop down menu is displayed. Select Address.
3. In the Category field, choose Address (IPv4 addresses) or IPv6 Address.
4. Input a Name for the address object.
5. In the Type field, select IP Range from the drop down menu.
6. In the Subnet / IP Range field, enter the range of addresses in the following format: x.x.x.x-x.x.x.x (no spaces)
7. In the Interface field, leave as the default any or select a specific interface from the drop down menu. (This setting is not available for IPv6 addresses)
8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
9. Input any additional information in the Comments field.
10. Press OK.
Example
Example of an IP Range address for a group of computers set aside for guests on the company network.
| Field | Value |
| --- | --- |
| Category | Address or IPv6 Address |
| Name | Guest_users |
| Type | IP Range |
| Subnet / IP Range | 192.168.100.200-192.168.100.240 |
| Interface | Port1 |
| Show in Address List | [on] |
| Comments | Computers on the 1st floor used by guests for Internet access. |
IP Range addresses can be configured for both IPv4 and IPv6 addresses. The only differences in creating an IPv6 IP Range address are that you would choose IPv6 Address for the Category, and the syntax of the address in the Subnet/IP Range field would be in the format of 2001:0db8:0000:0002:0:0:0:20-2001:0db8:0000:0004:0:0:0:20
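The following is an added example, not part of the FortiOS documentation: a pre-check for range strings before they are entered in the Subnet / IP Range field. It accepts only the start-end form with no spaces, rejects the bracket shorthand, and lists the subnets that would be needed to cover the same addresses. The function names `parse_ip_range` and `range_summary` are hypothetical.

```python
import ipaddress
import re

# Only "start-end" with no spaces is accepted; '[' and ']' are not in the
# allowed character set, so the x.x.x.[x-x] shorthand fails to match.
_RANGE = re.compile(r"^([0-9A-Fa-f:.]+)-([0-9A-Fa-f:.]+)$")


def parse_ip_range(text):
    """Return (start, end) address objects, or raise ValueError."""
    m = _RANGE.match(text)
    if not m:
        raise ValueError(f"not in start-end form (no spaces, no brackets): {text!r}")
    start = ipaddress.ip_address(m.group(1))  # raises ValueError if malformed
    end = ipaddress.ip_address(m.group(2))
    if start.version != end.version:
        raise ValueError("start and end must both be IPv4 or both be IPv6")
    if start > end:
        raise ValueError("start address is higher than end address")
    return start, end


def range_summary(text):
    """Address count plus the minimal set of subnets covering the same range."""
    start, end = parse_ip_range(text)
    subnets = [str(n) for n in ipaddress.summarize_address_range(start, end)]
    return {"count": int(end) - int(start) + 1, "subnets": subnets}


if __name__ == "__main__":
    # Sample inputs taken from the text above, plus one constructed bad input.
    samples = [
        "192.168.1.128-192.168.2.127",
        "192.168.110.100-192.168.110.120",
        "192.168.110.[100-120]",
        "192.168.100.200 - 192.168.100.240",  # constructed: contains spaces
        "2001:0db8:0000:0002:0:0:0:20-2001:0db8:0000:0004:0:0:0:20",
    ]
    for s in samples:
        try:
            info = range_summary(s)
            print(s, "->", info["count"], "addresses,", len(info["subnets"]), "subnets")
        except ValueError as err:
            print(s, "-> rejected:", err)
```

The subnet count makes the trade-off visible: a range that is one address object here may need several subnet objects to express the same set of addresses.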
IP / Netmask Addresses
The subnet type of address is expressed using a host address and a subnet mask. From a strictly mathematical standpoint this is the most flexible of the types because the address can refer to as few as one individual address or as many as all of the available addresses.
It is usually used when referring to your own internal addresses because you know what they are and they are usually administered in groups that are nicely differentiated along the lines of the old A, B, and C classes of IPv4 addresses. They are also addresses that are not likely to change with the changing of Internet Service Providers (ISP).
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:
- A single host such as a single computer with the address 192.45.46.45
- A range of hosts such as all of the hosts on the subnet 192.45.46.1 to 192.45.46.255
- All hosts, represented by 0.0.0.0 which matches any IP address
The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
- Netmask for a class A subnet of 16,777,214 usable addresses: 255.0.0.0, or /8
- Netmask for a class B subnet of 65,534 usable addresses: 255.255.0.0, or /16
- Netmask for a class C subnet of 254 usable addresses: 255.255.255.0, or /24
- Netmask for subnetted class C of 126 usable addresses: 255.255.255.128, or /25
- Netmask for subnetted class C of 62 usable addresses: 255.255.255.128, or /26
- Netmask for subnetted class C of 30 usable addresses: 255.255.255.128, or /27
- Netmask for subnetted class C of 14 usable addresses: 255.255.255.128, or /28
- Netmask for subnetted class C of 6 usable addresses: 255.255.255.128, or /29
- Netmask for subnetted class C of 2 usable addresses: 255.255.255.128, or /30
- Netmask for a single computer: 255.255.255.255, or /32
- Netmask used with 0.0.0.0 to include all IP addresses: 0.0.0.0, or /0
So for a single host or subnet the valid format of IP address and netmask could be either:
- x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
- x.x.x.x/x, such as 192.168.1.0/24