An address object is a set of IP addresses that you can manage in one place and then use in multiple firewall policy rules, filters, and other functions. There are four types of address object: IP Netmask, IP Range, IP Wildcard Mask, and FQDN.
An address object of type IP Netmask, IP Range, or FQDN can specify IPv4 or IPv6 addresses. An address object of type IP Wildcard Mask can specify IPv4 addresses only.
An address object of type IP Netmask requires that you enter the IP address or network using slash notation to indicate the IPv4 network or the IPv6 prefix length. For example, 192.168.18.0/24 or 2001:db8:123:1::/64.
An address object of type IP Range requires that you enter the IPv4 or IPv6 range of addresses separated by a hyphen.
An address object of type FQDN (for example, paloaltonetworks.com) is easier to maintain because DNS resolves the FQDN to its IP addresses, so you do not need to know the IP addresses or manually update them every time the FQDN resolves to new IP addresses.
An address object of type IP Wildcard Mask is useful if you assign private IPv4 addresses to internal devices and your addressing structure assigns meaning to certain bits in the address. For example, the IP address of cash register 156 in the northeastern U.S. could be 10.132.1.156 based on these bit assignments:
An address object of type IP Wildcard Mask specifies which source or destination addresses are subject to a Security policy rule, for example, 10.132.1.1/0.0.2.255. A zero (0) bit in the mask indicates that the bit being compared must match the bit in the IP address that is covered by the zero. A one bit in the mask (a wildcard bit) indicates that the bit being compared need not match the bit in the IP address. The following snippets of an IP address and wildcard mask illustrate how they yield four matches:
After you Create an Address Object:
- You can reference an address object of type IP Netmask, IP Range, or FQDN in a policy rule for Security, Authentication, NAT, NAT64, Decryption, DoS Protection, Policy-Based Forwarding (PBF), QoS, Application Override, or Tunnel Inspection; or in a NAT address pool, VPN tunnel, path monitoring, External Dynamic List, Reconnaissance Protection, ACC global filter, log filter, or custom report log filter.
- You can reference an address object of type IP Wildcard Mask in a Security policy rule only.
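
The wildcard-mask matching rule described above, as an added Python example (not part of the vendor documentation): it tests candidate addresses against the page's sample object 10.132.1.1/0.0.2.255, counts how many addresses the object covers, and expands it into CIDR networks so you can audit how broad a Security policy rule using it really is. All function names are hypothetical.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def parse_wildcard(obj):
    """Split 'address/wildcard-mask' into two 32-bit integers (IPv4 only)."""
    addr, mask = obj.split("/")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))

def matches(obj, candidate):
    """True if candidate equals the object's address on every zero-mask bit."""
    addr, mask = parse_wildcard(obj)
    care = ~mask & MASK32              # zero bits in the mask must match
    return (int(ipaddress.IPv4Address(candidate)) & care) == (addr & care)

def match_count(obj):
    """Addresses covered by the object: 2 ** (number of wildcard bits)."""
    _, mask = parse_wildcard(obj)
    return 1 << bin(mask).count("1")

def covered_networks(obj, max_free_bits=16):
    """Expand the object into an equivalent sorted list of CIDR networks."""
    addr, mask = parse_wildcard(obj)
    # A trailing run of wildcard bits collapses into the host part of a prefix.
    host_bits = 0
    while host_bits < 32 and (mask >> host_bits) & 1:
        host_bits += 1
    # Remaining wildcard bits are non-contiguous: enumerate each combination.
    free = [b for b in range(host_bits, 32) if (mask >> b) & 1]
    if len(free) > max_free_bits:
        raise ValueError("too many non-contiguous wildcard bits to expand")
    base = addr & ~mask & MASK32
    nets = []
    for combo in range(1 << len(free)):
        value = base
        for i, bit in enumerate(free):
            if (combo >> i) & 1:
                value |= 1 << bit
        nets.append(ipaddress.IPv4Network((value, 32 - host_bits)))
    return sorted(nets)

if __name__ == "__main__":
    obj = "10.132.1.1/0.0.2.255"       # sample object from the text above
    print(match_count(obj), [str(n) for n in covered_networks(obj)])
    for ip in ("10.132.1.156", "10.132.3.77", "10.132.2.1"):  # constructed
        print(ip, matches(obj, ip))
```

The expansion shows why this object cannot be written as a single IP Netmask entry: the wildcard bit in the third octet makes the covered set non-contiguous.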