The subnet type of address is expressed using a host address and a subnet mask. From a strictly mathematical standpoint this is the most flexible of the types because it can refer to as little as the address of one computer or as many as all of them.
It is usually used when referring to your own internal addresses because you know what they are and they are usually administered in groups that are neatly differentiated along the lines of the old A, B, and C classes of IPv4 addresses. They are also addresses that are not likely to change when you change Internet Service Providers (ISP).
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:
- A single host such as a single computer with the address 126.96.36.199
- A range of hosts such as all of the hosts on the subnet 188.8.131.52 to 184.108.40.206
- All hosts, represented by 0.0.0.0 which matches any IP address
The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
- Netmask for a class A subnet of 16,777,214 usable addresses: 255.0.0.0, or /8
- Netmask for a class B subnet of 65,534 usable addresses: 255.255.0.0, or /16
- Netmask for a class C subnet of 254 usable addresses: 255.255.255.0, or /24
- Netmask for subnetted class C of 126 usable addresses: 255.255.255.128, or /25
- Netmask for subnetted class C of 62 usable addresses: 255.255.255.192, or /26
- Netmask for subnetted class C of 30 usable addresses: 255.255.255.224, or /27
- Netmask for subnetted class C of 14 usable addresses: 255.255.255.240, or /28
- Netmask for subnetted class C of 6 usable addresses: 255.255.255.248, or /29
- Netmask for subnetted class C of 2 usable addresses: 255.255.255.252, or /30
- Netmask for a single computer: 255.255.255.255, or /32
- Netmask used with 0.0.0.0 to include all IP addresses: 0.0.0.0, or /0
So for a single host or subnet the valid format of IP address and netmask could be either:
x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
x.x.x.x/x, such as 192.168.1.0/24
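The following is an added example (not FortiGate code) that applies the two formats above: it converts a dotted-decimal netmask to CIDR, rejects a non-contiguous mask, normalizes a host/mask pair to its network, reports the usable host count, and checks whether a given IP falls inside the object. The /31 and /32 handling in usable_hosts is an assumption beyond the page's list, which stops at /30.

```python
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted-decimal netmask (e.g. 255.255.255.192) to a CIDR
    prefix length (26). Masks whose one-bits are not contiguous, such as
    255.0.255.0, are rejected because they do not describe a subnet."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    # A valid mask is exactly `prefix` one-bits followed by zero-bits.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def parse_subnet(text: str) -> ipaddress.IPv4Network:
    """Accept x.x.x.x/x.x.x.x or x.x.x.x/x; a bare address is a /32 host."""
    host, _, mask = text.partition("/")
    if not mask:
        prefix = 32
    elif "." in mask:
        prefix = mask_to_prefix(mask)
    else:
        prefix = int(mask)
    # strict=False lets host bits through, so 192.168.50.26/24 becomes
    # 192.168.50.0/24 (the network the firewall would actually match).
    return ipaddress.IPv4Network((host, prefix), strict=False)


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Usable addresses in the block: size minus network and broadcast.
    Assumption: a /32 counts as one host and a /31 as a two-host link."""
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def matches(subnet: str, ip: str) -> bool:
    """Would an address object written as `subnet` match traffic from `ip`?
    Useful for confirming an object is not broader than intended."""
    return ipaddress.IPv4Address(ip) in parse_subnet(subnet)


if __name__ == "__main__":
    for obj in ("192.168.1.0/255.255.255.0", "192.168.1.0/24", "192.168.50.26", "0.0.0.0/0"):
        net = parse_subnet(obj)
        print(f"{obj:28} -> {net}  usable={usable_hosts(net)}")
```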
Creating a subnet address
- Go to Policy & Objects > Objects > Addresses.
- Select Create New.
- If you use the down arrow next to Create New, select Address.
- Choose the Category, “Address”.
- Input a Name for the address object.
- Select the Type, Subnet, from the dropdown menu.
- Input the host address and subnet mask in the Subnet / IP Range field.
- Select the Interface from the dropdown menu.
- Check the Visibility box.
- Input any additional information in the Comments field.
- Press OK.
Example of a Subnet address for a database server on the DMZ:

| Field | Value |
|---|---|
| Subnet / IP Range | 192.168.50.26 |
| Comments | Database server used by public facing company webservers |