Support Forum
PietPuk
New Contributor

Wildcard address

Hello all,

Perhaps someone can help me with this issue. I'm currently replacing some Cisco ASA devices with FortiGate 100D and I have some trouble getting wildcard addresses working.

The situation is as follows: there are some 23 locations in the organisation, every location is defined by the second octet in the IP address, and every location uses an exact copy of the VLAN definitions, so the third octet shows the role of the subnet. E.g. 10.101.1.0/24 is in fact location 101 and subnet 1 (workstations), and 10.102.1.0/24 is location 102 subnet 1. The rights assignment is identical for each location per subnet, so subnet workstations is allowed to pass HTTP/HTTPS unrestricted but subnet 2 is only allowed HTTP traffic to specific hosts.

On the ASA devices this is very easy to implement using a wildcard mask and creating a network object like 10.0.1.0/0.255.0.255; this allows a single line/network object to be applied for all locations. On the 100D devices this seems impossible. The documentation does speak of wildcard possibilities, but if I enter a network object like set wildcard 10.0.56.0 0.255.0.255 it ends up as set wildcard 0.0.0.0 0.255.0.255 in the config, and the GUI page Firewall Objects > Address > Address remains completely blank until the line is removed using the CLI.

This kind of scares me to think that on both devices I need to manually add all these subnets for all locations; due to the amount of different combinations (all repetitive) this is prone to configuration errors. Maybe somebody can enlighten me if this really is impossible or perhaps offer an alternative option. Thanks in advance.
Dave_Hall
Honored Contributor

According to the (4.0MR3) online handbook guide (click HELP at the top of the GUI)... Wildcard firewall addresses are configured only in the CLI. The following is an example of how to configure a wildcard firewall address.

    config firewall address
        edit example_wildcard_address
            set type wildcard
            set wildcard 192.168.0.56 255.255.0.255
    end

BTW make sure you are using a compatible web browser when using the GUI -- otherwise some page elements will not show up. Wildcard addresses on the FortiGate appear to be the same/similar as on the Cisco device.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

PietPuk
New Contributor

Thank you very much Dave. After reading your post it became clear that Cisco uses the 255 for wildcard and Fortinet uses the 0 for wildcard. E.g. for 192.nnn.5.yy:

    on Cisco: 192.0.5.0 0.255.0.255
    on Forti: 192.0.5.0 255.0.255.0

I have tested this and it works; this saves me a whole lot of typing :-). Thank you very much for the fast response.
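The mask reversal described above, worked through as an added example (my own code, not from the thread or from Fortinet): FortiGate treats 255 bits as "must match" and 0 bits as "don't care", the inverse of the Cisco ASA wildcard, and stores the address ANDed with its mask, which is why a Cisco-style mask collapses 10.0.56.0 to 0.0.0.0. The helpers below convert a mask between the two conventions and check which hosts an object actually covers before it is deployed.

```python
import ipaddress


def _to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def _to_str(n: int) -> str:
    """32-bit integer back to dotted-quad string."""
    return str(ipaddress.IPv4Address(n))


def cisco_to_forti_mask(cisco_wildcard: str) -> str:
    """Cisco: 0 bits must match, 255 bits are wildcard.
    FortiGate: 255 bits must match, 0 bits are wildcard.
    The two conventions are bitwise complements of each other."""
    return _to_str(_to_int(cisco_wildcard) ^ 0xFFFFFFFF)


def forti_normalize(addr: str, forti_mask: str) -> str:
    """FortiGate keeps only the bits the mask says must match.
    Entering 10.0.56.0 with the Cisco-style mask 0.255.0.255 therefore
    zeroes the meaningful octets and is saved as 0.0.0.0."""
    return _to_str(_to_int(addr) & _to_int(forti_mask))


def forti_matches(ip: str, addr: str, forti_mask: str) -> bool:
    """True if `ip` falls inside the FortiGate wildcard object addr/forti_mask."""
    m = _to_int(forti_mask)
    return (_to_int(ip) & m) == (_to_int(addr) & m)


def cisco_matches(ip: str, addr: str, cisco_wildcard: str) -> bool:
    """Same test with an ASA-style wildcard, by converting the mask first."""
    return forti_matches(ip, addr, cisco_to_forti_mask(cisco_wildcard))


if __name__ == "__main__":
    # Constructed sample values following the 10.<location>.<role>.0 scheme.
    print(cisco_to_forti_mask("0.255.0.255"))             # 255.0.255.0
    print(forti_normalize("10.0.56.0", "0.255.0.255"))     # 0.0.0.0 (the symptom)
    print(forti_normalize("10.0.56.0", "255.0.255.0"))     # 10.0.56.0
    print(forti_matches("10.101.1.20", "10.0.1.0", "255.0.255.0"))   # True
    print(forti_matches("10.101.2.20", "10.0.1.0", "255.0.255.0"))   # False
```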
emnoc
Esteemed Contributor III

Yes, I've been burnt also due to this reversal. :'(

PCNSE NSE StrongSwan