FortiGate
johnathan (Staff)
Article Id 345320
Description

This article describes how to resolve a scenario where adding more than 10172 addresses in a local-in policy does not work and traffic is allowed/dropped.

Scope

FortiOS 7.x.x+.
Solution

When a large number of addresses is added to a local-in policy, an implicit limit that is not visible to the user applies and can cause unexpected behavior.

When more than 10172 addresses are added, the addresses beyond this limit are not applied to the local-in policy.
This can cause confusion when a local-in policy is used to block traffic: addresses that fall beyond the limit in that deny policy are still allowed.
Here is an example of a policy with this issue (many IP addresses configured in each group):

[Screenshot: config1.PNG]
To check whether this limit has been hit, run 'diag firewall iprope list 100001' and look for 'flag3 (40): truncated' in the output.

[Screenshot: iprope1.PNG]
To resolve this, split the single local-in policy into multiple policies. Here is what the configuration looks like after doing this:

[Screenshot: config2.PNG]
When the same command is run again, 'flag3 (40): truncated' no longer appears, and the number of IP addresses pushed to the policies is greater than 10172 (6051 + 1510 + 4399 = 11960).

[Screenshot: iprope2.PNG]
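As an added illustration of the two steps above (check the iprope listing for the truncation marker, then split the address set so no single local-in policy exceeds the limit), here is a small Python helper that is not part of the Fortinet article. It emits standard FortiOS CLI for address objects, address groups and deny local-in policies; the object names, the interface "port1" and the constructed sample inputs are assumptions.

```python
from ipaddress import IPv4Address
from typing import Iterable, List

ADDRESS_LIMIT = 10172                     # per-policy limit described in the article
TRUNCATED_FLAG = "flag3 (40): truncated"  # marker to look for in the iprope listing


def is_truncated(diag_output: str) -> bool:
    """True if 'diag firewall iprope list 100001' output shows the truncation flag."""
    return TRUNCATED_FLAG in diag_output


def split_into_policies(addresses: Iterable[str], limit: int = ADDRESS_LIMIT) -> List[List[str]]:
    """Deduplicate and validate IPv4 addresses, then chunk them so that no
    single local-in policy carries more than `limit` entries."""
    seen, uniq = set(), []
    for a in addresses:
        ip = str(IPv4Address(a))          # raises ValueError on malformed or IPv6 input
        if ip not in seen:
            seen.add(ip)
            uniq.append(ip)
    return [uniq[i:i + limit] for i in range(0, len(uniq), limit)]


def render_cli(chunks: List[List[str]], intf: str = "port1", prefix: str = "denylist") -> str:
    """Emit FortiOS CLI: one address object per IP, one address group per chunk
    and one deny local-in policy per group (names and interface are assumptions)."""
    addr, grp, pol = [], [], []
    for n, chunk in enumerate(chunks, start=1):
        members = []
        for ip in chunk:
            name = f"{prefix}-{n}-{ip}"
            members.append(f'"{name}"')
            addr.append(f'    edit "{name}"\n        set subnet {ip}/32\n    next')
        grp.append(f'    edit "{prefix}-{n}"\n        set member {" ".join(members)}\n    next')
        pol.append(f'    edit {n}\n        set intf "{intf}"\n        set srcaddr "{prefix}-{n}"\n'
                   f'        set dstaddr "all"\n        set action deny\n'
                   f'        set service "ALL"\n        set schedule "always"\n    next')
    return "\n".join(["config firewall address", *addr, "end",
                      "config firewall addrgrp", *grp, "end",
                      "config firewall local-in-policy", *pol, "end"])


if __name__ == "__main__":
    # Constructed sample: 11960 addresses, the same total the article reaches after splitting.
    sample = ["10.0.%d.%d" % ((i >> 8) & 255, i & 255) for i in range(11960)]
    chunks = split_into_policies(sample)
    print([len(c) for c in chunks])                            # [10172, 1788]
    print(is_truncated("policy ... flag3 (40): truncated"))    # constructed diag line -> True
    print(render_cli(chunks[:1])[:200])                        # first lines of the generated CLI
```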