Technical Tip: Combined IPv4 and IPv6 firewall policies
Description
This feature introduces a new consolidated policy mode.
In this mode, IPv4 and IPv6 policies are combined into a single, consolidated policy.
This means that a single policy can be defined that covers both IPv4 and IPv6, instead of defining separate IPv4 and IPv6 policies when they are otherwise similar.
All UTM profiles can be applied to that single policy instead of being enabled separately in the IPv4 and IPv6 firewall policies.
This article describes this feature.
Solution
In consolidated policy mode, there is a single policy table for the GUI.
The same source interface, destination interface, service, user, and schedule are shared by IPv4 and IPv6, while the IP addresses and IP pool settings are configured separately for each address family.

Consolidated policy mode can be enabled with the following CLI command:

# config system settings
(settings) # set consolidated-firewall-mode enable
Enabling consolidated-firewall-mode will delete all firewall policy/policy6.
Do you want to continue? (y/n)y
Myvi-kvm21 (settings) # end

To configure a consolidated policy in the CLI:

# config firewall consolidated policy
    edit 1
        set name "Outgoing"
        set uuid dd868e6a-2dd4-51ea-36b5-d2f6f6d45060
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr4 "192.168.1.0/24"    <- IPv4 source address
        set dstaddr4 "all"               <- IPv4 destination address
        set srcaddr6 "2001::AB:0/64"     <- IPv6 source address
        set dstaddr6 "all"               <- IPv6 destination address
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set application-list "default"
        set ippool enable
        set poolname4 "10.47.3.88"       <- IPv4 IP pool
        set poolname6 "2001::EF:1"       <- IPv6 IP pool
        set nat enable
    next
end

Limitations
The following features are not currently supported by consolidated policy mode:
• Policy-learning mode.
• Internet services in policy.
• Address-negate and service-negate.
• DSCP-match/ToS.
• Traffic shaper in policy.
• Capture-packet in policy.
• External IP list in policy.
• schedule-timeout, block-notification, disclaimer, custom-log-fields, or reputation in policy.
• timeout-send-rst, tcp-session-without-syn, or anti-replay in policy.
• Policy Interface Pair View.
• Policy lookup function on the policy page.
The session/iprope tables for IPv4 and IPv6 are still displayed separately.
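The following script is an added example and is not part of the article or of FortiOS: it parses a "config firewall consolidated policy" block from a text backup and audits each policy against the limitations listed above and against two IPv4/IPv6 consistency rules (each address family needs both a source and a destination address, and "ippool enable" needs a pool name for every address family the policy matches). The sample configuration is constructed from the article's example with one unsupported keyword (capture-packet) added so the audit has something to report; the mapping of the listed limitations to CLI keyword names is an assumption made for this example.

```python
"""Parse and audit a FortiOS consolidated firewall policy block (added example)."""
import re
from typing import Dict, List

# Constructed sample: the article's policy with capture-packet added for the audit.
SAMPLE_CONFIG = """\
config firewall consolidated policy
    edit 1
        set name "Outgoing"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr4 "192.168.1.0/24"
        set dstaddr4 "all"
        set srcaddr6 "2001::AB:0/64"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ippool enable
        set poolname4 "10.47.3.88"
        set poolname6 "2001::EF:1"
        set nat enable
        set capture-packet enable
    next
end
"""

# CLI keywords assumed to correspond to the features the article lists as
# unsupported in consolidated policy mode (assumption: keyword names chosen here).
UNSUPPORTED = {
    "learning-mode", "internet-service", "internet-service-src",
    "srcaddr-negate", "dstaddr-negate", "service-negate",
    "dscp-match", "tos", "traffic-shaper", "traffic-shaper-reverse",
    "capture-packet", "schedule-timeout", "block-notification",
    "disclaimer", "custom-log-fields", "reputation-minimum",
    "timeout-send-rst", "tcp-session-without-syn", "anti-replay",
}

EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*)$")


def parse_policies(text: str) -> Dict[int, Dict[str, List[str]]]:
    """Return {policy_id: {keyword: [values]}} for every 'edit N ... next' block."""
    policies: Dict[int, Dict[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if line.strip() == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            # A value list may mix quoted and bare tokens: set srcaddr4 "a" "b"
            tokens = re.findall(r'"([^"]*)"|(\S+)', m.group(2))
            policies[current][m.group(1)] = [q or bare for q, bare in tokens]
    return policies


def audit_policy(pid: int, p: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for one parsed policy."""
    findings = []
    for kw in sorted(UNSUPPORTED.intersection(p)):
        findings.append(f"policy {pid}: '{kw}' is not supported in consolidated mode")
    # Each address family must carry both a source and a destination address.
    for fam in ("4", "6"):
        if ("srcaddr" + fam in p) != ("dstaddr" + fam in p):
            findings.append(f"policy {pid}: srcaddr{fam}/dstaddr{fam} incomplete")
    # With ippool enabled, every matched address family needs its own pool.
    if p.get("ippool") == ["enable"]:
        for fam in ("4", "6"):
            if "srcaddr" + fam in p and "poolname" + fam not in p:
                findings.append(f"policy {pid}: ippool enabled but poolname{fam} missing")
    # UTM is on but no SSL/SSH inspection profile is set: flag for review.
    if p.get("utm-status") == ["enable"] and "ssl-ssh-profile" not in p:
        findings.append(f"policy {pid}: utm-status enabled without ssl-ssh-profile")
    return findings


def audit_config(text: str) -> List[str]:
    """Audit every policy in a consolidated policy block."""
    out: List[str] = []
    for pid, p in parse_policies(text).items():
        out.extend(audit_policy(pid, p))
    return out


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a "show firewall consolidated policy" dump saved to a file; the parser only understands the "edit N / set / next" layout, so nested sub-tables would need extending.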