Use an Address Object to Represent IP Addresses

An address object can group one or more IP addresses in one or more security rules, filters, or other functions.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
What Do I Need?
  • Check for any license or role requirements for the products you're using.
Address objects streamline the process of defining, organizing, and managing IP addresses, enabling efficient configuration of policies. They serve as placeholders for IP addresses or ranges of IP addresses, simplifying policy creation and maintenance. Instead of manually entering individual IPs repeatedly across various rules, an administrator can create an address object with a meaningful name and the associated IP address or range. This consolidation enhances the clarity and manageability of policies.
Create an address object to group IP addresses or to specify an FQDN, and then reference the address object in a security rule, filter, or other function to avoid having to individually specify multiple IP addresses in the rule, filter, or other function.
Once you’ve established an address object, you can seamlessly integrate it into policies. Within security rules, you can refer to the address object by its designated name, eliminating the need to input specific IP addresses. You can also reference the same address object in multiple security rules, filters, or other functions without needing to specify the same individual addresses in each use. For example, you can create an address object that specifies an IPv4 address range and then reference the address object in a Security rule, a NAT security rule, and a custom report log filter. This level of abstraction enhances policy readability and simplifies updates since changes to the address object automatically propagate across all security rules using it.
Swiftly adjust security rules to accommodate evolving network requirements by modifying the address object, ensuring consistency and accuracy across the network's security posture.

Create an Address Object

Address objects represent one or more IP addresses, and you reference them in one or more security rules, filters, or other functions. If you want to change the set of addresses, you change an address object once rather than changing multiple security rules or filters, which reduces your operational overhead.
Create an address object to group IP addresses or to specify an FQDN, and then reference the address object in a security rule, filter, or other function to avoid having to individually specify multiple IP addresses in the rule, filter, or other function. You can reference the same address object in multiple policy rules, filters, or other functions without needing to specify the same individual addresses in each use. For example, you can create an address object that specifies an IPv4 address range and then reference the address object in a Security rule, a NAT security rule, and a custom report log filter. You create an address object using the web interface or CLI. Changes require a commit operation to make the object a part of the configuration.
After you create an address object:
  • You can reference an address object of type IP Netmask, IP Range, or FQDN in a security rule for Security, Authentication, NAT, NAT64, Decryption, DoS Protection, Policy-Based Forwarding (PBF), QoS, Application Override, or Tunnel Inspection; or in a NAT address pool, VPN tunnel, path monitoring, External Dynamic List, Reconnaissance Protection, ACC global filter, log filter, or custom report log filter.
  • You can reference an address object of type IP Wildcard Mask only in a Security rule.
Follow these steps to get started.

Cloud Managed

Create an address object to group IP addresses or specify an FQDN, and then reference the address object in a security rule, filter, or other function to avoid specifying multiple IP addresses in multiple places.
  1. Create an address object.
    1. Select Manage > NGFW and Prisma Access > Objects > Address > Addresses and Add Address object by Name. The name is case-sensitive, must be unique, and can be up to 63 characters (letters, numbers, spaces, hyphens, and underscores).
    2. (Optional) Give your address object a Description.
    3. Select the Type of address object:
      • IP Netmask: Specify a single IPv4 or IPv6 address, an IPv4 network with slash notation, or an IPv6 address and prefix. For example, 192.168.80.0/24 or 2001:db8:123:1::/64. Optionally, click Resolve to see the associated FQDN (based on the DNS configuration). To change the address object type from IP Netmask to FQDN, select the FQDN and click Use this FQDN. The Type changes to FQDN and the FQDN you select appears in the text field.
      • IP Range: Specify a range of IPv4 addresses or IPv6 addresses separated by a hyphen. For example, 192.168.40.1-192.168.40.255 or 2001:db8:123:1::1-2001:db8:123:1::22.
      • IP Wildcard Mask: Specify an IP wildcard address (IPv4 address followed by a slash and a mask, which must begin with a 0). For example, 10.5.1.1/0.127.248.2. A zero (0) in the mask indicates the bit being compared must match the bit in the IP address that is covered by the zero. A one (1) in the mask (wildcard bit) indicates the bit being compared need not match the bit in the IP address covered by the one.
      • FQDN: Specify the domain name. The FQDN initially resolves at commit time. The FQDN is subsequently refreshed based on the time-to-live (TTL) of the FQDN in DNS, as long as the TTL is greater than or equal to the Minimum FQDN Refresh Time you configure (or the default of 30 seconds). The FQDN is resolved by the system DNS server or a DNS proxy object, if a proxy is configured. Click Resolve to see the associated IP address (based on the DNS configuration). To change the address object type from FQDN to IP Netmask, select an IP Netmask and click Use this address. The Type changes to IP Netmask and the IP address you select appears in the text field.
    4. (Optional) Enter one or more tags to apply to the address object.
    5. Select Save.
  2. Push Config to commit and push your changes.
  3. View logs filtered by address object, address group, or wildcard address.
    1. For example, select Incidents & Alerts > Log Viewer > Firewall Traffic to view traffic logs.
    2. Query the logs for the address object for which you want to view logs. Alternatively, enter an address group name or a wildcard address, such as 10.155.3.4/0.0.240.255.

PAN-OS & Panorama

Create an address object to group IP addresses or specify an FQDN, and then reference the address object in a firewall security rule, filter, or other function to avoid specifying multiple IP addresses in multiple places.
  1. Create an address object.
    1. Select Objects > Addresses and Add an address object by Name. The name is case-sensitive, must be unique, and can be up to 63 characters (letters, numbers, spaces, hyphens, and underscores).
    2. Select the Type of address object:
      • IP Netmask: Specify a single IPv4 or IPv6 address, an IPv4 network with slash notation, or an IPv6 address and prefix. For example, 192.168.80.0/24 or 2001:db8:123:1::/64. Optionally, click Resolve to see the associated FQDN (based on the DNS configuration of the firewall or Panorama). To change the address object type from IP Netmask to FQDN, select the FQDN and click Use this FQDN. The Type changes to FQDN and the FQDN you select appears in the text field.
      • IP Range: Specify a range of IPv4 addresses or IPv6 addresses separated by a hyphen. For example, 192.168.40.1-192.168.40.255 or 2001:db8:123:1::1-2001:db8:123:1::22.
      • IP Wildcard Mask: Specify an IP wildcard address (IPv4 address followed by a slash and a mask, which must begin with a 0). For example, 10.5.1.1/0.127.248.2. A zero (0) in the mask indicates the bit being compared must match the bit in the IP address that is covered by the zero. A one (1) in the mask (wildcard bit) indicates the bit being compared need not match the bit in the IP address covered by the one.
      • FQDN: Specify the domain name. The FQDN initially resolves at commit time. The firewall subsequently refreshes the FQDN based on the time-to-live (TTL) of the FQDN in DNS, as long as the TTL is greater than or equal to the Minimum FQDN Refresh Time you configure (or the default of 30 seconds). The FQDN is resolved by the system DNS server or a DNS proxy object, if a proxy is configured. Click Resolve to see the associated IP address (based on the DNS configuration of the firewall or Panorama). To change the address object type from FQDN to IP Netmask, select an IP Netmask and click Use this address. The Type changes to IP Netmask and the IP address you select appears in the text field.
    3. (Optional) Enter one or more tags to apply to the address object.
    4. Click OK.
  2. Commit your changes.
  3. View logs filtered by address object, address group, or wildcard address.
    1. For example, select Monitor > Logs > Traffic to view traffic logs.
    2. Select to add a log filter.
    3. Select the Address attribute, the in Operator, and enter the name of the address object for which you want to view logs. Alternatively, enter an address group name or a wildcard address, such as 10.155.3.4/0.0.240.255.
    4. Click Apply.
  4. View a custom report based on an address object.
    1. Select Monitor > Manage Custom Reports and select a report that uses a Database such as Traffic Log.
    2. Select Filter Builder.
    3. Select an Attribute such as Address, Destination Address or Source Address, select an Operator, and enter the name of the address object for which you want to view the report.
  5. Use a filter in the ACC to view network activity based on a source IP address or destination IP address that uses an address object.
    1. Select ACC > Network Activity.
    2. View the Source IP Activity: for Global Filters, click to add a filter and select one of the following: Address or Source > Source Address or Destination > Destination Address and select an address object.
    3. View the Destination IP Activity: for Global Filters, click to add a filter and select one of the following: Address or Source > Source Address or Destination > Destination Address and select an address object.
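
The IP Netmask, IP Range, and IP Wildcard Mask value formats described in the Cloud Managed and PAN-OS & Panorama procedures above can be checked offline before an object is referenced in a rule or log filter. The following is an added example, not Palo Alto Networks code: it implements the matching rules as this page states them and counts how many addresses a wildcard value covers. All function names are hypothetical, the sample source addresses are constructed, and "must begin with a 0" is assumed to mean the leading bit of the mask is 0.

```python
import ipaddress

def parse_wildcard(value):
    """Split 'a.b.c.d/m.m.m.m' into (address, mask) as 32-bit integers."""
    addr_text, mask_text = value.split("/")
    addr = int(ipaddress.IPv4Address(addr_text))
    mask = int(ipaddress.IPv4Address(mask_text))
    # Assumption: "must begin with a 0" is read as "leading mask bit is 0".
    if mask >> 31:
        raise ValueError("wildcard mask must begin with a 0")
    return addr, mask

def wildcard_matches(value, candidate):
    """True if candidate equals the address on every bit the mask marks 0."""
    addr, mask = parse_wildcard(value)
    must_match = ~mask & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(candidate)) ^ addr) & must_match == 0

def wildcard_size(value):
    """Addresses covered: 2 ** (number of 1 bits in the mask)."""
    _, mask = parse_wildcard(value)
    return 1 << bin(mask).count("1")

def object_matches(value, candidate):
    """Membership test for IP Netmask, IP Range and IP Wildcard Mask values.
    FQDN objects are not handled: they depend on live DNS resolution."""
    ip = ipaddress.ip_address(candidate)
    if "-" in value:                                    # IP Range
        low, high = (ipaddress.ip_address(p) for p in value.split("-"))
        return low.version == high.version == ip.version and low <= ip <= high
    if "/" in value and "." in value.split("/")[1]:     # IP Wildcard Mask
        return ip.version == 4 and wildcard_matches(value, candidate)
    return ip in ipaddress.ip_network(value, strict=False)  # IP Netmask

# Constructed source addresses, standing in for values seen in traffic logs.
SAMPLE_SOURCES = ["10.155.3.4", "10.155.19.77", "10.155.4.4", "10.156.3.4"]

def filter_sources(value, sources=SAMPLE_SOURCES):
    """Return the sources that an address object value would select."""
    return [s for s in sources if object_matches(value, s)]

if __name__ == "__main__":
    for wc in ("10.5.1.1/0.127.248.2", "10.155.3.4/0.0.240.255"):
        print(wc, "covers", wildcard_size(wc), "addresses")
    print(filter_sources("10.155.3.4/0.0.240.255"))
```

The address count is a quick way to see how broad a wildcard object is, since the covered addresses are usually not contiguous and are easy to underestimate by eye.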
