When adding network rules, specify addresses in Classless Inter-Domain Routing (CIDR) format. A CIDR address consists of an IPv4 32-bit or IPv6 128-bit IP address plus the number of bits used for the network prefix. You can use the asterisk wildcard character (*) or an IP address with a netmask to indicate a range of IP addresses. The bits not covered by the network prefix (the host bits) must be zero in the IP address you specify. For example, to match an IPv4 Class C subnet, the last octet must be zero and the prefix length must be 24. The IPv6 shorthand notation (::) for compressing successive zeros is not supported. Instead, use the full representation of the IP address.
192.168.1.1/32 matches the IPv4 address exactly
192.168.1.0/255.255.255.0 matches an IPv4 address range with a netmask
10.*.*.254 and 10.160.*.85 match IPv4 addresses with wildcards
fe80:0:0:0:0:0:0:1/128 matches the IPv6 address exactly
192.168.1.0/24 matches the IPv4 Class C subnet
fe80:0:0:0:0:0:0:0/10 matches all IPv6 link-local addresses
You can use an asterisk as one or more of the four parts of an IPv4 address. You cannot mix an asterisk and other characters in a single octet. For example, 10.*1.*.254 is not valid.
Make sure you verify the rule order. Network rules are evaluated from top to bottom, so changing the rule order changes the meaning of the rules. If a blocking rule precedes a permit rule that matches the same traffic, the policy blocks that traffic. If the permit rule comes before the block rule, the policy allows it.
The policy ignores disabled rules.
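The following Python model is an added example and is not code from the article or from the product it describes. It checks rule addresses against the formats listed above (exact /32 and /128, dotted netmask, octet wildcards, and full-form IPv6), rejects the forms the article says are not accepted (non-zero host bits, a mixed wildcard octet such as 10.*1.*.254, and the :: shorthand), and then evaluates an ordered rule list top to bottom, skipping disabled rules, so the effect of swapping a block rule and a permit rule can be seen directly. The rule representation as (enabled, action, address) tuples, and the choice to reject a wildcard combined with a prefix or netmask, are assumptions made for this example.

```python
import ipaddress


def parse_rule_address(text):
    """Return a predicate that tests an ipaddress object against a rule address.

    Raises ValueError for forms the article says are not accepted.
    """
    # The article says the :: shorthand is not supported; require the full form.
    if "::" in text:
        raise ValueError("IPv6 shorthand '::' is not supported; use the full representation")

    if "*" in text:
        # Assumption for this example: a wildcard form carries no prefix/netmask.
        if "/" in text:
            raise ValueError("wildcards cannot be combined with a prefix or netmask")
        parts = text.split(".")
        if len(parts) != 4:
            raise ValueError("wildcard form needs four IPv4 octets")
        for p in parts:
            if p == "*":
                continue
            # An octet is either a bare '*' or a plain number; 10.*1.*.254 is rejected here.
            if "*" in p or not p.isdigit() or not 0 <= int(p) <= 255:
                raise ValueError(f"octet {p!r} mixes '*' with other characters or is out of range")

        def match_wildcard(addr):
            if addr.version != 4:
                return False
            # addr.packed yields the four octets as ints.
            return all(p == "*" or int(p) == o for p, o in zip(parts, addr.packed))

        return match_wildcard

    # CIDR prefix or dotted netmask. strict=True rejects non-zero host bits,
    # which is the article's "bits not used must be zero" requirement.
    try:
        net = ipaddress.ip_network(text, strict=True)
    except ValueError as exc:
        raise ValueError(f"invalid rule address {text!r}: {exc}") from None
    return lambda addr: addr.version == net.version and addr in net


def accepts(text):
    """True if the rule address is in an accepted form."""
    try:
        parse_rule_address(text)
        return True
    except ValueError:
        return False


def matches(pattern, addr_text):
    """True if the rule address pattern matches the given host address."""
    return parse_rule_address(pattern)(ipaddress.ip_address(addr_text))


def evaluate(rules, addr_text):
    """Walk the rules top to bottom; the first enabled rule that matches decides.

    rules: list of (enabled, action, address_pattern). Returns the action, or
    None when no rule matches.
    """
    addr = ipaddress.ip_address(addr_text)
    for enabled, action, pattern in rules:
        if not enabled:          # the policy ignores disabled rules
            continue
        if parse_rule_address(pattern)(addr):
            return action
    return None


def demo_rule_order(host="10.160.7.254"):
    """Same two rules in both orders, plus the block rule disabled (constructed)."""
    block_first = [(True, "block", "10.*.*.254"), (True, "allow", "10.0.0.0/8")]
    allow_first = [(True, "allow", "10.0.0.0/8"), (True, "block", "10.*.*.254")]
    block_disabled = [(False, "block", "10.*.*.254"), (True, "allow", "10.0.0.0/8")]
    return (
        evaluate(block_first, host),     # block
        evaluate(allow_first, host),     # allow
        evaluate(block_disabled, host),  # allow
    )


if __name__ == "__main__":
    for rule in ["192.168.1.1/32", "192.168.1.0/255.255.255.0", "10.*.*.254",
                 "fe80:0:0:0:0:0:0:0/10", "192.168.1.1/24", "10.*1.*.254", "fe80::1/128"]:
        print(f"{rule:28} accepted={accepts(rule)}")
    print("rule order results:", demo_rule_order())
```

Running the module prints which of the article's sample addresses are accepted and shows that the same two rules yield "block" or "allow" for 10.160.7.254 depending only on their order, and "allow" once the block rule is disabled.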
Imported Document ID: HOWTO95360