Wildcard Address Support in Security Policy Rules

When you assign private IPv4 addresses to internal devices, you can use an IP addressing structure that assigns meaning to certain bits in the IP address. For example, the first three bits in the third octet of an IP address signify the device type. This structure helps you easily identify details about a device, such as device type or location, based on the IP address of the device.

You can now use this same IP addressing structure in Security policy rules on your firewall for easier deployment. You create an address object that uses a wildcard address (IP address and wildcard mask separated by a slash, such as 10.1.2.3/0.127.248.0). A wildcard address can identify many source or destination addresses in a single Security policy rule, which is especially helpful for data center firewalls serving many devices. You won’t have to manage an unnecessarily large number of address objects to cover all the matching IP addresses or use less restrictive Security policy rules than you need due to IP address capacity constraints.

For example, suppose you use the IPv4 addressing scheme shown in the following figure where the first octet represents your organization (bits 00001010 are fixed). In the second octet, the first four bits designate the country where the network device is located (1000 indicates the U.S.) and the last four bits indicate the region (0100 indicates the northeast). In the third octet, the first four bits are zeros and the last four bits indicate device type (0001 indicates cash register and 0011 indicates printer). The last octet indicates the ID number of the networking device.

Based on that structure, the IP address of cash register number 156 in the northeastern U.S. would be 10.132.1.156:

You can use an address object of type

IP Wildcard Mask

to support such an addressing structure in a Security policy rule. You apply a wildcard mask to an IPv4 source or destination address to specify which addresses are subject to the rule. In a Palo Alto Networks wildcard mask, a zero bit indicates that the bit being compared must match the bit in the IP address that is covered by the zero. A one bit in the mask is a wildcard or “ignore” bit, meaning the bit being compared need not match the bit in the IP address. For example, the following snippets of an IP address and wildcard mask illustrate how they yield four matches:

Not all vendors use a one as a wildcard bit and a zero as a matching bit.

In the example, cash registers have an IPv4 address with the third octet 00000001 and printers have an IPv4 address with the third octet 00000011. Suppose you want to apply a Security policy rule to all cash registers and printers having any ID number from 0 to 255. To get that result, you need a wildcard mask; the third octet of the wildcard mask must be 2 and the device ID (the fourth octet) must be 255. The address object to specify all cash registers and printers in the northeastern U.S. would use wildcard address 10.132.1.2/0.0.2.255:

Thus, a single Security policy rule that uses an address object with wildcard address 10.132.1.2/0.0.2.255 as the destination address matches the addresses of 512 devices (256 cash registers + 256 printers), which is an efficient way to apply a rule to many devices.

Consider the following when you use an address object of type

IP Wildcard Mask

in a Security policy rule:

A source or destination address that uses an address object of type
IP Wildcard Mask
doesn’t support the
Negate
option.
The firewall doesn’t consider wildcard addresses when doing shadow matching, which means you won’t be warned if a Security policy rule using an address object of type
IP Wildcard Mask
overlaps a subsequent rule or is overlapped by a rule higher on the list.
If an address matches rules that have overlapping wildcard masks, the firewall chooses the match to the longest prefix in the wildcard mask, as shown in the following figure:

Create an address object that uses a wildcard address.
Select

Objects

Addresses

and

Add

an address object.

For

Type

, select

IP Wildcard Mask

and enter the IPv4 address and wildcard mask separated by a slash (

/

). The mask must begin with at least one zero (0). For example, 10.132.1.2/0.0.2.255.

The firewall performs Security policy matching from the top down (starting with the first rule) so place Security policy rules that use more specific wildcards closer to the top of the list of rules.

Click

OK

.


Create a Security policy rule and
Add
the
Address
object you created for the source or destination address.

Commit
your changes.
View logs, custom reports, or network activity in the ACC filtered by the address object you created.