Quick one ahead!

If your background is Cisco and its CCNA / CCNP training, you are familiar with the wildcard mask concept.

That idea lets you, for example, define an object that matches a single host address in all your subnets. An address defined as 10.10.0.120 255.255.0.255 will match IP address .120 in all subnets:

  • 10.10.0.120
  • 10.10.1.120
  • ...
  • 10.10.255.120

Simple, and it might be useful in some deployments. Of course, that is only one of many possible use cases. How do you configure it in FortiOS?

An obvious attempt to define a wildcard mask object will fail:

FGT # config firewall address
  FGT (address) # edit printers
    FGT (printers) # set subnet 10.10.0.120 255.255.0.255
    FGT (printers) # next
    invalid netmask.
    object check operator error, -9, discard the setting
    Command fail. Return code 1

Also, there is no way of defining that object in the GUI. The proper way to do it:

FGT # config firewall address
  FGT (address) # edit printers
    FGT (printers) # set type wildcard
    FGT (printers) # set wildcard 10.10.0.120 255.255.0.255
    FGT (printers) # next
  FGT (address) # end

Simple as that!
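
The matching rule described above, as an added Python example (not from the original post and not FortiOS code): mask bits set to 1 must equal the base address, and bits set to 0 are ignored. It also shows that 255.255.0.255 is not a contiguous netmask, which is consistent with the "invalid netmask" error, and counts how many addresses the object covers before you reference it in a policy. All function names are made up for illustration.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def is_contiguous_netmask(mask):
    """True if mask is a run of 1-bits followed only by 0-bits (a valid subnet mask)."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def wildcard_matches(ip, base, mask):
    """Compare only the bit positions where the mask has a 1."""
    m = to_int(mask)
    return (to_int(ip) & m) == (to_int(base) & m)

def wildcard_size(mask):
    """Number of addresses covered: 2 ** (count of 0-bits in the mask)."""
    return 1 << (32 - bin(to_int(mask)).count("1"))

def expand_wildcard(base, mask, limit=65536):
    """List every address the object covers; refuse objects larger than limit."""
    if wildcard_size(mask) > limit:
        raise ValueError("object too large to enumerate")
    m = to_int(mask)
    fixed = to_int(base) & m
    free_bits = [b for b in range(32) if not (m >> b) & 1]
    covered = []
    for n in range(1 << len(free_bits)):
        value = fixed
        for i, bit in enumerate(free_bits):
            if (n >> i) & 1:
                value |= 1 << bit
        covered.append(str(ipaddress.IPv4Address(value)))
    return covered

if __name__ == "__main__":
    base, mask = "10.10.0.120", "255.255.0.255"  # values from the post
    print("valid for 'set subnet':", is_contiguous_netmask(mask))
    print("addresses covered:", wildcard_size(mask))
    hosts = expand_wildcard(base, mask)
    print(hosts[0], hosts[1], "...", hosts[-1])
    # Constructed test addresses, not from the post
    for ip in ("10.10.37.120", "10.10.37.121", "10.11.0.120"):
        print(ip, wildcard_matches(ip, base, mask))
```

Running the size check on every wildcard object in a policy review is a quick way to spot one that covers far more hosts than its name suggests.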