IPv4 addresses
When creating an IPv4 address there are a number of different types of addresses that can be specified. These include:
- FQDN
- Geography l IP range l IP/Netmask l Wildcard FQDN
Which one chosen will depend on which method most easily yet accurately describes the addresses that you are trying to include with as few entries as possible based on the information that you have. For instance, if you are trying to describe the addresses of a specific company’s web server but it you have no idea of how extensive there web server farm is you would be more likely to use a Fully Qualified Domain Name (FQDN) rather than a specific IP address. On the other hand some computers don’t have FQDNs and a specific IP address must be used.
The following is a more comprehensive description of the different types of addresses.
FQDN addresses
By using Fully Qualified Domain Name (FQDN) addressing you can take advantage of the dynamic ability of DNS to keep up with address changes without having to manually change the addresses on the FortiGate. FQDN addresses are most often used with external web sites but they can be used for internal web sites as well if there is a trusted DNS server that can be accessed. FQDN addressing also comes in handy for large web sites that may use multiple addresses and load balancers for their web sites. The FortiGate firewall automatically maintains a cached record of all the addresses resolved by the DNS for the FQDN addresses used.
For example, if you were doing this manually and you wanted to have a security policy that involved Google you could track down all of the IP addresses that they use across multiple countries. Using the FQDN address is simpler and more convenient.
When representing hosts by an FQDN, the domain name can also be a subdomain, such as mail.example.com.
Valid FQDN formats include:
- <host_name>.<top_level_domain_name> such as example.com
- <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com When creating FQDN entries it is important to remember that:
- Wildcards are not supported in FQDN address objects l While there is a level of convention that would imply it, “www.example.com” is not necessarily the same address of “example.com”. they will each have their own records on the DNS server.
The FortiGate firewall keeps track of the DNS TTLs so as the entries change on the DNS servers the IP address will effectively be updated for the FortiGate. As long as the FQDN address is used in a security policy, it stores the address in the DNS cache.
There is a possible security downside to using FQDN addresses. Using a fully qualified domain name in a security policy means that your policies are relying on the DNS server to be accurate and correct. DNS servers in the past were not seen as potential targets because the thinking was that there was little of value on them and therefore are often not as well protected as some other network resources. People are becoming more aware that the value of the DNS server is that in many ways it controls where users and computers go on the Internet. Should the DNS server be compromised, security policies requiring domain name resolution may no longer function properly.
Creating a Fully Qualified Domain Name address
- Go to Policy & Objects > Addresses.
- Select Create New. A drop down menu is displayed. Select Address. In the Category field, chose Address. (This is for IPv4 addresses.)
- Input a Name for the address object.
- In the Type field, select FQDN from the drop down menu.
- Input the domain name in the FQDN
- In the Interface field, leave as the default any or select a specific interface from the drop down menu.
- Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
- Input any additional information in the Comments
- Press
Example: FQDN address
You have to great a policy that will govern traffic that goes to a site that has a number of servers on the Internet. Depending on the traffic or the possibility that one of the servers is down network traffic can go to any one of those sites. The consistent factor is that they all use the same Fully Qualified Domain Name.
- The FQDN of the web site: example.com
- The number of ISP connections off of the FortiGate firewall: 2
Configuring the address in the GUI
- Go to Policy & Objects> Objects > Addresses and select Create New > Address.
- Fill out the fields with the following information:
Category |
Address |
Name |
BigWebsite.com |
Type |
FQDN |
FQDN |
bigwebsite.com |
Interface |
any |
Show in Address List |
<enable> |
Comments |
<Input into this field is optional> |
- Select
Configuring the address in the CLI
config firewall address edit BigWebsite.com set type fqdn set associated-interface any set fqdn bigwebsite.com end
Verification
To verify that the addresses were added correctly:
- Go to Firewall Objects > Address > Addresses. Check that the addresses have been added to the address list and that they are correct.
- Enter the following CLI command:
config firewall address edit <the name of the address that you wish to verify>
Show full-configuration
Changing the TTL of a FQDN address
To make sure that the FQDN resolves to the most recent active server you have been asked to make sure that the FortiGate has not cached the address for any longer than 10 minutes.
There is no field for the cached time-to-live in the web-based manager. It is only configurable in the CLI. Enter the following commands:
config firewall address edit BigWebsite.com set cache-ttl 600
end
Geography based addresses
Geography addresses are those determined by country of origin.
This type of address is only available in the IPv4 address category.
Creating a geography address
- Go to Policy & Objects > Addresses.
- Select Create New. A drop down menu is displayed. Select Address. In the Category field, chose Address. (This is for IPv4 addresses.)
- Input a Namefor the address object.
- In the Type field, select Geography from the drop down menu.
- In the Country field, select a single country from the drop down menu.
- In the Interface field, leave as the default any or select a specific interface from the drop down menu.
- Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
- Input any additional information in the Comments
- Press
Example: Geography-based address
Configuring the address in the GUI
Your company is US based and has information on its web site that may be considered information that is not allowed to be sent to embargoed countries. In an effort to help reduce the possibility of sensitive information going to those countries you have be asked to set up addresses for those countries so that they can be block in the firewall policies.
l One of the countries you have been asked to block is Cuba l You have been asked to comment the addresses so that other administrators will know why they have been created
- Go to Policy & Objects> Objects > Addresses and select Create New > Address.
- Fill out the fields with the following information
Category |
Address |
Name |
Cuba |
Type |
Geography |
Country |
Cuba |
Interface |
any |
Visibility |
<enable> |
Comments |
Embargoed |
- Select
Configuring the address in the CLI
Enter the following CLI commands:
config firewall address edit Cuba set type geography set country CN set interface wan1
end
Overrides
It is possible to assign a specific ip address range to a customized country ID. Generally, geographic addressing is done at the VDOM level; it could be considered global if you are using the root VDOM, but the geoip-override setting is a global setting.
config system geoip-override edit “test” set country-id “A0” config ip-range
edit 1 set start-ip 7.7.7.7 set end-ip 7.7.7.8
next
edit 2 set start-ip 7.7.10.1 set end-ip 7.7.10.255 end
- While the setting exists in the configuration file, the system assigns the country-id option automatically.
- While you can use “edit 1” and “edit 2”, it is simpler to use “edit 0” and let the system automatically assign an ID number.
After creating a customized Country by using geoip-override command, the New country name has been added automatically to the country list and will be available on the Firewall Address Country field.
Diagnose commands
There are a few diagnose commands used with geographic addresses. The basic syntax is:
diagnose firewall ipgeo [country-list | ip-list | ip2country | override | copyright-notice]
Diagnose command |
Description |
country-list |
Listing of all the countries. |
ip-list |
List of the IP addresses associated with the country |
ip2country |
Used to determine which country a specific IP address is assigned to. |
override |
Listing of user defined geography data – items configured by using “config system geoip-override” command. |
copyright-notice |
Shows the copyright notice. |
IP range addresses
Where the subnet address is good a representing a standardized group of addresses that are subnets the IP Range type of address can describe a group of addresses while being specific and granular. It does this by specifying a continuous set of IP addresses between one specific IP address and another. While it is most common that this range is with a subnet it is not a requirement. For instance, 192.168.1.0/24 and 192.168.2.0/24 would be 2 separate subnets but if you wanted to describe the top half of one and the bottom half of the other you could describe the range of 192.168.1.128-192.168.2.127. It’s also a lot easier that trying to calculate the correct subnet mask.
The format would be:
x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
There is a notation that is commonly used and accepted by some devices that follows the format:
x.x.x.[x-x], such as 192.168.110.[100-120]
This format is not recognized in FortiOS 5.2 as a valid IP Range.
Creating a IP range address
- Go to Policy & Objects > Addresses.
- Select Create New. A drop down menu is displayed. Select Address In the Category field, chose Address(IPv4 addresses) or IPv6 Address.
- Input a Name for the address object.
- In the Type field, select IP Range from the drop down menu.
- In the Subnet / IP Range field, enter the range of addresses in the following format: x.x.x.x-x.x.x.x (no spaces)
- In the Interface field, leave as the default any or select a specific interface from the drop down menu. (This setting is not available for IPv6 addresses)
- Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
- Input any additional information in the Comments
10. Press OK. Example
Example of a IP Range address for a group of computers set aside for guests on the company network.
Field |
Value |
Category |
Address or IPv6 Address |
Name |
Guest_users |
Type |
IP Range |
Subnet / IP Range |
192.168.100.200-192.168.100.240 |
Interface |
Port1 |
Show in Address
List |
[on] |
Comments |
Computers on the 1st floor used by guests for Internet access. |
IP Range addresses can be configured for both IPv4 and IPv6 addresses. The only differences in creating an IPv6 IP Range address is that you would choose IPv6 Address for the Category and the syntax of the address in the Subnet/IP Range field would be in the format of 2001:0db8:0000:0002:0:0:0:202001:0db8:0000:0004:0:0:0:20
IP / netmask addresses
The subnet type of address is expressed using a host address and a subnet mask. From a strictly mathematical stand point this is the most flexible of the types because the address can refer to as little one individual address or as many as all of the available addresses.
It is usually used when referring to your own internal addresses because you know what they are and they are usually administered in groups that are nicely differentiated along the lines of the old A, B, and C classes of IPv4 addresses. They are also addresses that are not likely to change with the changing of Internet Service Providers (ISP).
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:
- A single host such as a single computer with the address 192.45.46.45 l A range of hosts such as all of the hosts on the subnet 192.45.46.1 to 192.45.46.255 l All hosts, represented by 0.0.0.0 which matches any IP address
The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
- Netmask for a class A subnet of 16,777,214 usable addresses: 255.0.0.0, or /8 l Netmask for a class B subnet of 65,534 usable addresses: 255.255.0.0, or /16 l Netmask for a class C subnet of 254 usable addresses: 255.255.255.0, or /24 l Netmask for subnetted class C of 126 usable addresses: 255.255.255.128, or /25 l Netmask for subnetted class C of 62 usable addresses: 255.255.255.128, or /26 l Netmask for subnetted class C of 30 usable addresses: 255.255.255.128, or /27 l Netmask for subnetted class C of 14 usable addresses: 255.255.255.128, or /28 l Netmask for subnetted class C of 6 usable addresses: 255.255.255.128, or /29 l Netmask for subnetted class C of 2 usable addresses: 255.255.255.128, or /30 l Netmask for a single computer: 255.255.255.255, or /32 l Netmask used with 0.0.0.0 to include all IP addresses: 0.0.0.0, or /0
So for a single host or subnet the valid format of IP address and netmask could be either:
x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0 or
x.x.x.x/x, such as 192.168.1.0/24
Static route configuration
A setting that is found in the IP/Netmask address type that is not found in the other address types is the enabling or disabling of Static Route Configuration. Enabling this feature includes the address in the listing of named addresses when setting up a static route.
To use in the GUI
- Enable the Static Route Configuration in the address.
- Go to Network > Static Routes and create a new route.
- For a Destination type, choose Named Address.
- Using the drop down menu, enter the name of the address object in the field just underneath the Destination type options.
- Fill out the other information relevant to the route
- Select the OK button
To enable in the CLI:
config firewall address edit <address_name> set allow-routing enable end
Creating a subnet address
- Go to Policy & Objects > Addresses.
- Select Create New. A drop down menu is displayed. Select Address. In the Category field, chose Address. (This is for IPv4 addresses.)
- Input a Namefor the address object.
- In the Type field, select IP/Netmask from the drop down menu.
- In the Subnet/IP Range field, enter the address and subnet mask according to the format x.x.x.x/x.x.x.x or the short hand format of x.x.x.x/x
- In the Interface field, leave as the default any or select a specific interface from the drop down menu.
- Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
- Select the desired on/off toggle setting for Static Route Configuration.
- Input any additional information in the Comments
11. Press OK. Example
Example of a Subnet address for a database server on the DMZ:
Field |
Value |
Category |
Address |
Name |
DB_server_1 |
Type |
IP/Netmask |
Subnet/IP Range |
United States |
Interface |
any |
Show in Address List |
[on] |
Static Route Configuration |
[off] |
Comments |
|
Wildcard addressing
Wildcard addresses are addresses that identify ranges of IP addresses, reducing the amount of firewall addresses and security policies required to match some of the traffic on your network. Wildcard addresses are an advanced feature, usually required only for complex networks with complex firewall filtering requirements. By using these wildcard addresses in the firewall configuration, administrators can eliminate creating multiple, separate IP based address objects and then grouping them to then apply to multiple security policies.
A wildcard address consists of an IP address and a wildcard netmask, for example, 192.168.0.56
255.255.0.255. In this example, the IP address is 192.168.0.56 and the wildcard netmask is
255.255.0.255. The IP address defines the networks to match and the wildcard netmask defines the specific addresses to match on these networks.
In a wildcard netmask, zero means ignore the value of the octet in the IP address, which means the wildcard firewall address matches any number in this address octet. This also means that the number included in this octet of IP address is ignored and can be any number. Usually, if the octet in the wildcard netmask is zero, the corresponding octet in the IP address is also zero.
In a wildcard netmask, a number means match addresses according to how the numbers translate into binary addresses. For example, the wildcard netmask is 255; the wildcard address will only match addresses with the value for this octet that is in the IP address part of the wildcard address. So, if the first octet of the IP address is 192 and the first octet of the wildcard netmask is 255, the wildcard address will only match addresses with 192 in the first octet.
In the above example, the wildcard address 192.168.0.56 255.255.0.255 would match the following IP addresses:
192.168.0.56
192.168.1.56
192.168.2.56 …
192.168.255.56
The wildcard addresses 192.168.0.56 255.255.0.255 and 192.168.1.56 255.255.0.255 define the same thing since the 0 in the wildcard mask means to match any address in the third octet.
If we use the wildcard address 172.0.20.10 255.0.255.255, it would match the following IP addresses:
172.1.20.10
172.2.20.10
172.3.20.10 …
172.255.20.10
If you do not want to use all of the values in the octet, you can select a smaller grouping by using a number other than 255 in the subnet mask. There are some limitations though that users familiar with subnetting an IP range will recognose.
l The range should be a value that is a power of 2, such as 2, 4, 8, 16, etc l The starting number should be the first number in a number grouping of the same power of 2 divided by the possible range. For instance, if the range is 32 addresses, divide 256 by 32. Start at 0. Therefore the starting IP address can be 0, 33, 65, 97, 129, 161, 193, and 225. If you don’t want to do the math yourself there are a number of online subnet calculators that you can use.
You can perform a binary conversion to calculate the addresses that would be matched by a given value. For example, you can create the IP address and wildcard netmask to match the following network addresses:
192.168.32.0/24
192.168.33.0/24
192.168.34.0/24
192.168.35.0/24
192.168.36.0/24
192.168.37.0/24
192.168.38.0/24
192.168.39.0/24
In this example the range for the numbers in the third octet is 8.
The table shows how to write the third octet for these networks according to the octet bit position and address value for each bit.
Decimal |
128 |
64 |
32 |
16 |
8 |
4 |
2 |
1 |
32 |
0 |
0 |
1 |
0 |
0 |
0 |
0 |
0 |
33 |
0 |
0 |
1 |
0 |
0 |
0 |
0 |
1 |
34 |
0 |
0 |
1 |
0 |
0 |
0 |
1 |
0 |
35 |
0 |
0 |
1 |
0 |
0 |
0 |
1 |
1 |
36 |
0 |
0 |
1 |
0 |
0 |
1 |
0 |
0 |
37 |
0 |
0 |
1 |
0 |
0 |
1 |
0 |
1 |
38 |
0 |
0 |
1 |
0 |
0 |
1 |
1 |
0 |
39 |
0 |
0 |
1 |
0 |
0 |
1 |
1 |
1 |
|
Match |
Match |
Match |
Match |
Match |
Differ |
Differ |
Differ |
Use some basic math:
128 + 64 + 32 +16 + 8 = 248
248 is the value in the subnet mask for the third octet.
The networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0
255.255.248.0). All eight possible combinations of the three low-order bits are relevant for the network ranges. The wildcard address that would match all of these subnet addresses can be written as192.168.32.0 255.255.248.0.
Wildcard addresses are similar to routing access list wildcard masks. You add routing access lists containing wildcard masks using the config router access list command. However, router access list wildcard masks use the inverse of the masking system used for firewall wildcard addresses. For the router access list wildcard masks, zero (0)means match all IP addresses and one (1)means ignore all IP addresses. So to match IP addresses 192.168.0.56, 192.268.1.56, 192.168.2.56,… 192.168.255.56 you would use the following router access IP address prefix and wildcard mask: 192.168.0.56 0.0.255.0.
The following is an example of how to configure a wildcard firewall address.
config firewall address edit example_wildcard_address set type wildcard
set wildcard 192.168.0.56 255.255.0.255
end
Wildcard firewall addresses are initially configured in the CLI. You cannot choose wildcard in the GUI when creating the address, but after the address is created in the CLI, it will show up in the GUI. The Type field shows a grayed out value of Wildcard and the settings, other than the type , can be edited.
Wildcard FQDN
There are a number of companies that use secondary and even tertiary domain names or FQDNs for their websites. Wildcard FQDN addresses are to ease the administrative overhead in cases where this occurs. Sometimes its as simple as sites that still use www. as a prefix for their domain name. If you don’t know whether or not the www is being used it’s simpler to use a wildcard and include all of the possibilities whether it be example.com, www.example.com or even ftp.example.com.
The following wildcard character instances are supported in wildcard FQDN addresses:
l “?” character l “*” character in the middle of a phrase l The “?*” combination
Wildcard FQDN addresses do not resolve to a specific set of IP addresses in the same way that a normal FQDN address does. They are intended for use in SSL exemptions and should not be used as source or destination addresses in policies.
Creating a Fully Qualified Domain Name address
- Go to Policy & Objects > Addresses.
- Select Create New. A drop down menu is displayed. Select Address In the Category field, chose Address. (This is for IPv4 addresses.)
- Input a Name for the address object.
- In the Type fUncategorizedield, select Wildcard FQDNfrom the drop down menu.
- Input the domain name in the Wildcard FQDN
- In the Interface field, leave as the default any or select a specific interface from the drop down menu.
- Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
- Input any additional information in the Comments
10. Press OK. Example
Example of a FQDN address for a remote FTP server used by Accounting team:
Field |
Value |
Category |
Address |
Name |
Example.com_servers |
Type |
Wildcard FQDN |
Wildcard FQDN |
*.example.com |
Interface |
any |
Show in Address List |
[on] |
Comments |
Secondary and tertiary domain names for example.com |
Wildcard FQDNs for SSL deep inspection exemptions
As part of an improvement to SSL deep inspection, wild card FQDN addresses are stored in two tables, one relates to firewall address, historic location for the information, and the second location relates to firewall wildcard-fqdn custom. The wildcard FQDN in firewall address is used by proxypolicy. The wildcard FQDN in firewall wildcard-fqdn custom is used by ssl-exempt in sslssh-profile.
During an upgrade from v5 to v6, all wildcard FQDN in firewall address in the v5 configuration will be moved to firewall wildcard-fqdn custom. If the wildcard FQDN is used in a policy in v5, the upgrade process will leave a copy of the wildcard FQDN in firewall address in addition to the one in firewall wildcard-fqdn custom.
Syntax of the firewall wildcard-fqdn custom object:
config firewall wildcard-fqdn custom edit <string_value> set uuid <string_value> set wildcard-fqdn <string_value> set color <integer 0-32> set comment <string_value> set visibility {enable|disable}
next
end
Syntax of the firewall wildcard-fqdn group object:
config firewall wildcard-fqdn group edit “test-group” set uuid <string_value>
set member <string_value> [<string_value>]
set color 0 set comment ” set visibility enable
next end