1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Policy
    5. Use an Address Object to Represent IP Addresses
    6. Address Objects

    Address Objects

    An address object is a set of IP addresses that you can manage in one place and then use in multiple firewall policy rules, filters, and other functions.
    An address object is a set of IP addresses that you can manage in one place and then use in multiple firewall policy rules, filters, and other functions. There are four types of address objects:
    IP Netmask
    ,
    IP Range
    ,
    IP Wildcard Mask
    , and
    FQDN
    .
    An address object of type
    IP Netmask
    ,
    IP Range
    , or
    FQDN
     can specify IPv4 or IPv6 addresses. An address object of type
    IP Wildcard Mask
     can specify only IPv4 addresses.
    An address object of type
    IP Netmask
     requires you to enter the IP address or network using slash notation to indicate the IPv4 network or the IPv6 prefix length. For example, 192.168.18.0/24 or 2001:db8:123:1::/64.
    An address object of type
    IP Range
     requires you to enter the IPv4 or IPv6 range of addresses separated by a hyphen.
    An address object of type
    FQDN
     (for example, paloaltonetworks.com) provides further ease of use because DNS provides the FQDN resolution to the IP addresses instead of you needing to know the IP addresses and manually updating them every time the FQDN resolves to new IP addresses.
    An address object of type
    IP Wildcard Mask
     is useful if you define private IPv4 addresses to internal devices and your addressing structure assigns meaning to certain bits in the address. For example, the IP address of cash register 156 in the northeastern U.S. could be 10.132.1.156 based on these bit assignments:
    wildcard_addr_struc_example.png
    An address object of type
    IP Wildcard Mask
     specifies which source or destination addresses are subject to a Security policy rule.For example, 10.132.1.1/0.0.2.255. A zero (
    0
    ) bit in the mask indicates that the bit being compared must match the bit in the IP address that is covered by the zero. A one (
    1
    ) bit in the mask (a wildcard bit) indicates that the bit being compared need not match the bit in the IP address. The following snippets of an IP address and wildcard mask illustrate how they yield four matches:
    wildcard_snippet.png
    • You can reference an address object of type
      IP Netmask
      ,
      IP Range
      , or
      FQDN
       in a policy rule for Security, Authentication, NAT, NAT64, Decryption, DoS Protection, Policy-Based Forwarding (PBF), QoS, Application Override, or Tunnel Inspection; or in a NAT address pool, VPN tunnel, path monitoring, External Dynamic List, Reconnaissance Protection, ACC global filter, log filter, or custom report log filter.
    • You can reference an address object of type
      IP Wildcard Mask
      only in a Security policy rule.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo