End-of-Life (EoL)
Wildcard Address Support in Security Policy Rules
Specify an address object that uses a wildcard address (IPv4 address/wildcard mask) as the source or destination of a Security policy rule to control access to or from IPv4-addressed devices. A one (1) in the mask is a wildcard bit; a zero (0) means the bit must match.

When you assign private IPv4 addresses to internal devices, you can use an IP addressing structure that assigns meaning to certain bits in the IP address. For example, the first three bits in the third octet of an IP address signify the device type. This structure helps you easily identify details about a device, such as device type or location, based on the IP address of the device.
You can now use this same IP addressing structure
in Security policy rules on your firewall for easier deployment.
You create an address object that uses
a wildcard address (IP address and wildcard mask separated by a
slash, such as 10.1.2.3/0.127.248.0). A wildcard address can identify
many source or destination addresses in a single Security policy
rule, which is especially helpful for data center firewalls serving
many devices. You won’t have to manage an unnecessarily large number
of address objects to cover all the matching IP addresses or use
less restrictive Security policy rules than you need due to IP address
capacity constraints.
For example, suppose you use the IPv4
addressing scheme shown in the following figure where the first
octet represents your organization (bits 00001010 are fixed). In
the second octet, the first four bits designate the country where
the network device is located (1000 indicates the U.S.) and the
last four bits indicate the region (0100 indicates the northeast).
In the third octet, the first four bits are zeros and the last four
bits indicate device type (0001 indicates cash register and 0011
indicates printer). The last octet indicates the ID number of the
networking device.

Based on
that structure, the IP address of cash register number 156 in the
northeastern U.S. would be 10.132.1.156:

You can use an address object of type IP Wildcard Mask to support such an addressing structure in a Security policy rule. You apply a wildcard mask to an IPv4 source or destination address to specify which addresses are subject to the rule. In a Palo Alto Networks wildcard mask, a zero bit indicates that the bit being compared must match the bit in the IP address that is covered by the zero. A one bit in the mask is a wildcard or “ignore” bit, meaning the bit being compared need not match the bit in the IP address. For example, the following snippets of an IP address and wildcard mask illustrate how they yield four matches:

Not all vendors use a one as a wildcard bit and a zero as a matching bit.
In the example, cash registers have an IPv4 address with the third octet 00000001 and printers have an IPv4 address with the third octet 00000011. Suppose you want to apply a Security policy rule to all cash registers and printers having any ID number from 0 to 255. To get that result, you need a wildcard mask: the third octet of the wildcard mask must be 2 (00000010, so the one bit that differs between cash registers and printers is ignored) and the fourth octet of the mask, which covers the device ID, must be 255 (all bits ignored). The address object to specify all cash registers and printers in the northeastern U.S. would use wildcard address 10.132.1.2/0.0.2.255:

Thus, a
single Security policy rule that uses an address object with wildcard
address 10.132.1.2/0.0.2.255 as the destination address matches
the addresses of 512 devices (256 cash registers + 256 printers),
which is an efficient way to apply a rule to many devices.
Consider the following when you use an address object of type IP Wildcard Mask in a Security policy rule:
- A source or destination address that uses an address object of type IP Wildcard Mask doesn’t support the Negate option.
- The firewall doesn’t consider wildcard addresses when doing shadow matching, which means you won’t be warned if a Security policy rule using an address object of type IP Wildcard Mask overlaps a subsequent rule or is overlapped by a rule higher on the list.
- If an address matches rules that have overlapping wildcard masks, the firewall chooses the match to the longest prefix in the wildcard mask, as shown in the following figure:
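The bit-matching rule, the 512-address count from the cash register and printer example, and the longest-prefix behaviour for overlapping wildcard masks, worked through in Python. This is an added example and is not part of the PAN-OS documentation or of any Palo Alto Networks code; the sample addresses are the ones used on this page. Reading “longest prefix” as the number of leading zero (must-match) bits in the mask, with top-down rule order breaking ties, is an assumption about the documentation’s wording, not a documented firewall algorithm.

```python
import ipaddress
from typing import Iterator, List, Optional, Tuple

# Constructed sample values, taken from the addressing scheme on this page.
NE_REGISTERS_AND_PRINTERS = "10.132.1.2/0.0.2.255"   # the page's wildcard address
CASH_REGISTER_156 = "10.132.1.156"                   # the page's example host


def binary_octets(ip: str) -> str:
    """Render an IPv4 address (or mask) as dotted 8-bit groups, like the page's figures."""
    return ".".join(f"{int(o):08b}" for o in ip.split("."))


def parse_wildcard(spec: str) -> Tuple[int, int]:
    """Split 'address/wildcard-mask' into two 32-bit integers.

    Palo Alto Networks convention (per this page): a 1 bit in the mask is a
    wildcard ("ignore") bit, a 0 bit must match. The page also requires the
    mask to begin with at least one zero, i.e. its most significant bit is 0.
    """
    addr_s, mask_s = spec.split("/")
    addr = int(ipaddress.IPv4Address(addr_s))
    mask = int(ipaddress.IPv4Address(mask_s))
    if mask & 0x80000000:
        raise ValueError("wildcard mask must begin with at least one zero bit")
    return addr, mask


def matches(spec: str, ip: str) -> bool:
    """True if ip matches spec: wherever the mask bit is 0, the address bits must agree."""
    addr, mask = parse_wildcard(spec)
    candidate = int(ipaddress.IPv4Address(ip))
    # XOR exposes differing bits; keep only the bits the mask says must match.
    return ((addr ^ candidate) & ~mask & 0xFFFFFFFF) == 0


def match_count(spec: str) -> int:
    """Number of distinct addresses a wildcard address covers: 2 ** (wildcard bits)."""
    _, mask = parse_wildcard(spec)
    return 1 << bin(mask).count("1")


def expand(spec: str) -> Iterator[str]:
    """Enumerate every matching address (practical only for small masks)."""
    addr, mask = parse_wildcard(spec)
    wild_bits = [b for b in range(32) if (mask >> b) & 1]
    fixed = addr & ~mask          # the must-match bits of the rule address
    for combo in range(1 << len(wild_bits)):
        value = fixed
        for i, b in enumerate(wild_bits):
            if (combo >> i) & 1:
                value |= 1 << b
        yield str(ipaddress.IPv4Address(value))


def prefix_length(spec: str) -> int:
    """Fixed prefix length: number of leading 0 (must-match) bits in the mask.

    Assumption: this is the 'longest prefix in the wildcard mask' that the page
    says the firewall prefers when overlapping wildcard rules match an address.
    """
    _, mask = parse_wildcard(spec)
    length = 0
    for bit in range(31, -1, -1):
        if (mask >> bit) & 1:
            break
        length += 1
    return length


def select_rule(rules: List[Tuple[str, str]], ip: str) -> Optional[str]:
    """Pick the matching rule with the longest fixed prefix; rule order (given
    top-down, as on the firewall) breaks ties. Returns None if nothing matches."""
    best_name, best_len = None, -1
    for name, spec in rules:
        if matches(spec, ip) and prefix_length(spec) > best_len:
            best_name, best_len = name, prefix_length(spec)
    return best_name


if __name__ == "__main__":
    print(binary_octets(CASH_REGISTER_156))                  # 00001010.10000100.00000001.10011100
    print(match_count(NE_REGISTERS_AND_PRINTERS))            # 512 (256 registers + 256 printers)
    print(matches(NE_REGISTERS_AND_PRINTERS, "10.132.3.7"))  # True: third octet 00000011 is a printer
    print(matches(NE_REGISTERS_AND_PRINTERS, "10.132.2.7"))  # False: bit 1 of octet 3 is a must-match 0
    overlapping = [("all-northeast-us", "10.132.0.0/0.0.255.255"),
                   ("ne-registers-printers", NE_REGISTERS_AND_PRINTERS)]
    print(select_rule(overlapping, CASH_REGISTER_156))       # ne-registers-printers
```

Because the firewall does not shadow-check wildcard objects, running `expand()` on each wildcard object you define and intersecting the results is a cheap way to see for yourself where two wildcard rules overlap before you commit.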

- Create an address object that uses a wildcard address.
  - Select Objects > Addresses and Add an address object.
  - For Type, select IP Wildcard Mask and enter the IPv4 address and wildcard mask separated by a slash (/). The mask must begin with at least one zero (0). For example, 10.132.1.2/0.0.2.255. The firewall performs Security policy matching from the top down (starting with the first rule), so place Security policy rules that use more specific wildcards closer to the top of the list of rules.
  - Click OK.
- Create a Security policy rule and Add the Address object you created for the source or destination address.
- Commit your changes.
- View logs, custom reports, or network activity in the ACC filtered by the address object you created.