Use an Address Object to Represent IP Addresses

Table of Contents

Use an Address Object to Represent IP Addresses

An address object can group one or more IP addresses in one or more security rules, filters, or other functions.

Where Can I Use This?	What Do I Need?
NGFW (Cloud Managed) NGFW (PAN-OS & Panorama Managed) `Prisma Access (Managed by Strata Cloud Manager)` `Prisma Access (Managed by Panorama)`	Check for any license or role requirements for the products you're using.

Address objects streamline the process of defining, organizing, and managing IP addresses, enabling efficient configuration of policies. They serve as placeholders for IP addresses or ranges of IP addresses, simplifying policy creation and maintenance. Instead of manually entering individual IPs repeatedly across various rules, an administrator can create an address object with a meaningful name and the associated IP address or range. This consolidation enhances the clarity and manageability of policies.

Once you’ve established an address object, you can seamlessly integrate it into policies. Within security rules, you can refer to the address object by its designated name, eliminating the need to input specific IP addresses. You can also reference the same address object in multiple security rules, filters, or other functions without needing to specify the same individual addresses in each use. For example, you can create an address object that specifies an IPv4 address range and then reference the address object in a Security rule, a NAT security rule, and a custom report log filter. This level of abstraction enhances policy readability and simplifies updates since changes to the address object automatically propagate across all security rules using it.

Swiftly adjust security rules to accommodate evolving network requirements by modifying the address object, ensuring consistency and accuracy across the network's security posture.

Create an Address Object

Address Objects represent one or more IP addresses and then reference the address objects in one or more security rules, filters, or other functions. If you want to change the set of addresses, you change an address object once rather than change multiple security rules or filters, which reduces your operational overhead.

Create an address object to group IP addresses or to specify an FQDN, and then reference the address object in a security rule, filter, or other function to avoid having to individually specify multiple IP addresses in the rule, filter, or other function. You can reference the same address object in multiple policy rules, filters, or other functions without needing to specify the same individual addresses in each use. For example, you can create an address object that specifies an IPv4 address range and then reference the address object in a Security rule, a NAT security rule, and a custom report log filter. You create an address object using the web interface or CLI. Changes require a commit operation to make the object a part of the configuration.

After you create an address object:

You can reference an address object of type IP Netmask, IP Range, or FQDN in a security rule for Security, Authentication, NAT, NAT64, Decryption, DoS Protection, Policy-Based Forwarding (PBF), QoS, Application Override, or Tunnel Inspection; or in a NAT address pool, VPN tunnel, path monitoring, External Dynamic List, Reconnaissance Protection, ACC global filter, log filter, or custom report log filter.
You can reference an address object of type IP Wildcard Mask only in a Security rule.

Follow these steps to get started.

Addresses Fields

Network Security Docs

Use an Address Object to Represent IP Addresses

Network Security Docs

Use an Address Object to Represent IP Addresses

Create an Address Object

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner