Network Security
Use an Address Object to Represent IP Addresses
An address object can group one or more IP addresses in one or more security rules, filters, or other functions.

Address objects streamline the process of defining, organizing, and managing IP addresses, enabling efficient configuration of policies. They serve as placeholders for IP addresses or ranges of IP addresses, simplifying policy creation and maintenance. Instead of manually entering individual IPs repeatedly across various rules, an administrator can create an address object with a meaningful name and the associated IP address or range. This consolidation enhances the clarity and manageability of policies.

Create an address object to group IP addresses or to specify an FQDN, and then reference the address object in a security rule, filter, or other function to avoid having to individually specify multiple IP addresses in the rule, filter, or other function.

Once you've established an address object, you can seamlessly integrate it into policies. Within security rules, you can refer to the address object by its designated name, eliminating the need to input specific IP addresses. You can also reference the same address object in multiple security rules, filters, or other functions without needing to specify the same individual addresses in each use. For example, you can create an address object that specifies an IPv4 address range and then reference the address object in a Security rule, a NAT security rule, and a custom report log filter. This level of abstraction enhances policy readability and simplifies updates since changes to the address object automatically propagate across all security rules using it.

Swiftly adjust security rules to accommodate evolving network requirements by modifying the address object, ensuring consistency and accuracy across the network's security posture.

Create an Address Object

Address objects represent one or more IP addresses, and you then reference the address objects in one or more security rules, filters, or other functions. If you want to change the set of addresses, you change an address object once rather than change multiple security rules or filters, which reduces your operational overhead.

Create an address object to group IP addresses or to specify an FQDN, and then reference the address object in a security rule, filter, or other function to avoid having to individually specify multiple IP addresses in the rule, filter, or other function. You can reference the same address object in multiple policy rules, filters, or other functions without needing to specify the same individual addresses in each use. For example, you can create an address object that specifies an IPv4 address range and then reference the address object in a Security rule, a NAT security rule, and a custom report log filter. You create an address object using the web interface or CLI. Changes require a commit operation to make the object a part of the configuration.

After you create an address object:
- You can reference an address object of type IP Netmask, IP Range, or FQDN in a security rule for Security, Authentication, NAT, NAT64, Decryption, DoS Protection, Policy-Based Forwarding (PBF), QoS, Application Override, or Tunnel Inspection; or in a NAT address pool, VPN tunnel, path monitoring, External Dynamic List, Reconnaissance Protection, ACC global filter, log filter, or custom report log filter.
- You can reference an address object of type IP Wildcard Mask only in a Security rule.

Follow these steps to get started.

            Create an Address Object (Strata Cloud Manager)
Create an address object to group IP addresses or specify an FQDN, and then reference it in a rule, filter, or other function to avoid specifying multiple IP addresses in each of those places.
- Create an address object.
  - Select NGFW and Prisma Access > Objects > Address > Addresses and Add Address object by Name. The name is case-sensitive, must be unique, and can be up to 63 characters (letters, numbers, spaces, hyphens, and underscores).
  - (Optional) Give your address object a Description.
  - Select the Type of address object:
    - IP Netmask—Specify a single IPv4 or IPv6 address, an IPv4 network with slash notation, or an IPv6 address and prefix. For example, 192.168.80.0/24 or 2001:db8:123:1::/64. Optionally, click Resolve to see the associated FQDN (based on the DNS configuration). To change the address object type from IP Netmask to FQDN, select the FQDN and click Use this FQDN. The Type changes to FQDN and the FQDN you select appears in the text field.
    - IP Range—Specify a range of IPv4 addresses or IPv6 addresses separated by a hyphen. For example, 192.168.40.1-192.168.40.255 or 2001:db8:123:1::1-2001:db8:123:1::22.
    - IP Wildcard Mask—Specify an IP wildcard address (IPv4 address followed by a slash and a mask, which must begin with a 0). For example, 10.5.1.1/0.127.248.2. A zero (0) in the mask indicates the bit being compared must match the bit in the IP address that is covered by the zero. A one (1) in the mask (wildcard bit) indicates the bit being compared need not match the bit in the IP address covered by the one.
    - FQDN—Specify the domain name. The FQDN initially resolves at commit time. The FQDN is subsequently refreshed based on the time-to-live (TTL) of the FQDN in DNS, as long as the TTL is greater than or equal to the Minimum FQDN Refresh Time you configure (or the default of 30 seconds). The FQDN is resolved by the system DNS server or a DNS proxy object, if a proxy is configured. Click Resolve to see the associated IP address (based on the DNS configuration). To change the address object type from FQDN to IP Netmask, select an IP Netmask and click Use this address. The Type changes to IP Netmask and the IP address you select appears in the text field.
  - (Optional) Enter one or more tags to apply to the address object.
  - Select Save.
- Push Config to commit and push your changes.
- View logs filtered by address object, address group, or wildcard address.
  - For example, select Incidents & Alerts > Log Viewer Firewall Traffic to view traffic logs.
  - Query the logs for the address object for which you want to view logs. Alternatively, enter an address group name or a wildcard address, such as 10.155.3.4/0.0.240.255.

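The matching rules for the IP Netmask, IP Range, and IP Wildcard Mask types described above can be checked offline before an object is referenced in a rule. This Python sketch is an added example, not Palo Alto Networks code: the function names are hypothetical, and it assumes that a dotted suffix after the slash is a wildcard mask.

```python
import ipaddress
import re

# Name rule from this page: up to 63 letters, numbers, spaces, hyphens, underscores.
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,63}")

def valid_name(name):
    return NAME_RE.fullmatch(name) is not None

def parse_address(value):
    """Classify an address object value (hypothetical helper, not a PAN-OS API)."""
    if "-" in value:                                   # IP Range: low-high
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("range must be low-high within one IP version")
        return "ip-range", (lo, hi)
    addr, _, suffix = value.partition("/")
    if "." in suffix:      # assumption: dotted suffix means wildcard mask (IPv4 only)
        return "ip-wildcard", (int(ipaddress.IPv4Address(addr)),
                               int(ipaddress.IPv4Address(suffix)))
    return "ip-netmask", ipaddress.ip_network(value, strict=False)

def contains(value, ip):
    """True if ip falls inside the address object value."""
    kind, data = parse_address(value)
    ip = ipaddress.ip_address(ip)
    if kind == "ip-range":
        lo, hi = data
        return ip.version == lo.version and lo <= ip <= hi
    if kind == "ip-wildcard":
        base, mask = data
        care = ~mask & 0xFFFFFFFF   # 0 bits in the mask must match, 1 bits are ignored
        return ip.version == 4 and (int(ip) & care) == (base & care)
    return ip.version == data.version and ip in data

def wildcard_size(value):
    """Number of addresses a wildcard object matches: 2 ** (count of 1 bits)."""
    _, (_, mask) = parse_address(value)
    return 2 ** bin(mask).count("1")
```

Checking `wildcard_size` before using a wildcard object in a Security rule shows how many addresses the rule will cover, which is easy to misjudge from the dotted mask alone.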
Create an Address Object (PAN-OS & Panorama)
Create an address object to group IP addresses or specify an FQDN, and then reference it in a firewall security rule, filter, or other function to avoid specifying multiple IP addresses in each of those places.
- Create an address object.
  - Select Objects > Addresses and Add an address object by Name. The name is case-sensitive, must be unique, and can be up to 63 characters (letters, numbers, spaces, hyphens, and underscores).
  - Select the Type of address object:
    - IP Netmask—Specify a single IPv4 or IPv6 address, an IPv4 network with slash notation, or an IPv6 address and prefix. For example, 192.168.80.0/24 or 2001:db8:123:1::/64. Optionally, click Resolve to see the associated FQDN (based on the DNS configuration of the firewall or Panorama). To change the address object type from IP Netmask to FQDN, select the FQDN and click Use this FQDN. The Type changes to FQDN and the FQDN you select appears in the text field.
    - IP Range—Specify a range of IPv4 addresses or IPv6 addresses separated by a hyphen. For example, 192.168.40.1-192.168.40.255 or 2001:db8:123:1::1-2001:db8:123:1::22.
    - IP Wildcard Mask—Specify an IP wildcard address (IPv4 address followed by a slash and a mask, which must begin with a 0). For example, 10.5.1.1/0.127.248.2. A zero (0) in the mask indicates the bit being compared must match the bit in the IP address that is covered by the zero. A one (1) in the mask (wildcard bit) indicates the bit being compared need not match the bit in the IP address covered by the one.
    - FQDN—Specify the domain name. The FQDN initially resolves at commit time. The firewall subsequently refreshes the FQDN based on the time-to-live (TTL) of the FQDN in DNS, as long as the TTL is greater than or equal to the Minimum FQDN Refresh Time you configure (or the default of 30 seconds). The FQDN is resolved by the system DNS server or a DNS proxy object, if a proxy is configured. Click Resolve to see the associated IP address (based on the DNS configuration of the firewall or Panorama). To change the address object type from FQDN to IP Netmask, select an IP Netmask and click Use this address. The Type changes to IP Netmask and the IP address you select appears in the text field.
      (PAN-OS 12.1.2 and later 12.1 releases) Beginning with PAN-OS 12.1.2, you can optionally enable Load-balanced DNS for an FQDN address object. Thus, when queries go to load-balanced DNS servers and each server resolves the FQDN to only a subset of relevant IP addresses, the firewall accumulates a list of the resolved IP addresses it receives, rather than refreshing its list with only a subset of addresses. Enabling load-balanced DNS avoids the issue of sessions breaking after a client tries to communicate with a previously provided IP address that the firewall overwrote with a new list of addresses. Load-balanced DNS also helps Security policy rules that rely on a full set of source or destination IP addresses for the rule matching to work properly.
  - (Optional) Enter one or more tags to apply to the address object.
  - Click OK.
- Commit your changes.
- View logs filtered by address object, address group, or wildcard address.
  - For example, select Monitor > Logs > Traffic to view traffic logs.
  - Select the icon to add a log filter.
  - Select the Address attribute, the in Operator, and enter the name of the address object for which you want to view logs. Alternatively, enter an address group name or a wildcard address, such as 10.155.3.4/0.0.240.255.
  - Click Apply.
- View a custom report based on an address object.
  - Select Monitor > Manage Custom Reports and select a report that uses a Database such as Traffic Log.
  - Select Filter Builder.
  - Select an Attribute such as Address, Destination Address or Source Address, select an Operator, and enter the name of the address object for which you want to view the report.
- Use a filter in the ACC to view network activity based on a source IP address or destination IP address that uses an address object.
  - Select ACC > Network Activity.
  - View the Source IP Activity—For Global Filters, click the icon to add a filter and select one of the following: Address, or Source > Source Address, or Destination > Destination Address, and select an address object.
  - View the Destination IP Activity—For Global Filters, click the icon to add a filter and select one of the following: Address, or Source > Source Address, or Destination > Destination Address, and select an address object.
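The FQDN refresh and Load-balanced DNS behavior described for FQDN address objects above can be modelled with a short simulation. This Python is an added example, not firewall code: the function names and the DNS answers are constructed, it assumes the Minimum FQDN Refresh Time is used when a TTL is below it, and it does not model how accumulated addresses age out, which the page does not describe.

```python
MIN_FQDN_REFRESH = 30  # seconds; the default this page gives

def refresh_interval(ttl, min_refresh=MIN_FQDN_REFRESH):
    # Assumption: a TTL below the minimum is replaced by the minimum refresh time.
    return max(ttl, min_refresh)

def resolve_history(answers, load_balanced):
    """Return [(time, addresses held)] after each DNS answer.

    answers is a list of (ttl_seconds, [ip, ...]) as returned by successive
    queries to different load-balanced DNS servers.
    """
    held, history, clock = set(), [], 0
    for ttl, ips in answers:
        # Load-balanced DNS accumulates; the default behavior overwrites.
        held = held | set(ips) if load_balanced else set(ips)
        history.append((clock, frozenset(held)))
        clock += refresh_interval(ttl)
    return history

def dropped_addresses(answers, load_balanced):
    """Addresses once handed to clients that the object no longer holds."""
    history = resolve_history(answers, load_balanced)
    ever_seen = set().union(*(held for _, held in history))
    return sorted(ever_seen - history[-1][1])

# Constructed sample: three servers each return a subset of four addresses.
ANSWERS = [
    (20, ["203.0.113.10", "203.0.113.11"]),
    (60, ["203.0.113.12", "203.0.113.13"]),
    (20, ["203.0.113.10", "203.0.113.13"]),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("load-balanced DNS" if mode else "overwrite", dropped_addresses(ANSWERS, mode))
```

A client still talking to an address in the overwrite-mode output would stop matching any rule that references the FQDN object, which is the session break the Load-balanced DNS option avoids.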