Address Objects
An address object is a set of IP addresses that you can
manage in one place and then use in multiple firewall policy rules,
filters, and other functions.
There are four types of address objects: IP Netmask, IP Range, IP Wildcard Mask, and FQDN.
An address object of type IP Netmask, IP Range, or FQDN can specify IPv4 or IPv6 addresses. An address object of type IP Wildcard Mask can specify only IPv4 addresses.
An address object of type IP Netmask requires you to enter the IP address or network using slash notation to indicate the IPv4 network or the IPv6 prefix length. For example, 192.168.18.0/24 or 2001:db8:123:1::/64.
An address object of type IP Range requires you to enter the IPv4 or IPv6 range of addresses separated by a hyphen.
An address object of type FQDN (for example, paloaltonetworks.com) provides further ease of use because DNS provides the FQDN resolution to the IP addresses instead of you needing to know the IP addresses and manually updating them every time the FQDN resolves to new IP addresses.
An address object of type IP Wildcard Mask is useful if you define private IPv4 addresses to internal devices and your addressing structure assigns meaning to certain bits in the address. For example, the IP address of cash register 156 in the northeastern U.S. could be 10.132.1.156 based on these bit assignments:
An address object of type IP Wildcard Mask specifies which source or destination addresses are subject to a Security policy rule. For example, 10.132.1.1/0.0.2.255. A zero (0) bit in the mask indicates that the bit being compared must match the bit in the IP address that is covered by the zero. A one (1) bit in the mask (a wildcard bit) indicates that the bit being compared need not match the bit in the IP address. The following snippets of an IP address and wildcard mask illustrate how they yield four matches:
After you Create an Address Object:
- You can reference an address object of type IP Netmask, IP Range, or FQDN in a policy rule for Security, Authentication, NAT, NAT64, Decryption, DoS Protection, Policy-Based Forwarding (PBF), QoS, Application Override, or Tunnel Inspection; or in a NAT address pool, VPN tunnel, path monitoring, External Dynamic List, Reconnaissance Protection, ACC global filter, log filter, or custom report log filter.
- You can reference an address object of type IP Wildcard Mask only in a Security policy rule.
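The wildcard-mask matching rule described above (zero bits must match, one bits are ignored) can be checked offline before an object is used in a Security policy rule. The following Python sketch is an added example, not code from the original page or from the vendor; the function names and the candidate addresses are constructed for illustration, and only the object 10.132.1.1/0.0.2.255 comes from the page. It shows that this object covers two non-contiguous /24 blocks, which is easy to miss when reviewing a rule.

```python
import ipaddress

FULL = 0xFFFFFFFF  # IPv4 only: wildcard-mask objects cannot hold IPv6 addresses


def parse_wildcard(obj):
    """Split 'address/wildcard-mask' into two 32-bit integers."""
    addr_text, mask_text = obj.split("/")
    return int(ipaddress.IPv4Address(addr_text)), int(ipaddress.IPv4Address(mask_text))


def matches(obj, candidate):
    """True if candidate agrees with the object on every zero (must-match) mask bit."""
    addr, mask = parse_wildcard(obj)
    cand = int(ipaddress.IPv4Address(candidate))
    # XOR marks the differing bits; differences under wildcard (1) bits are ignored.
    return (addr ^ cand) & ~mask & FULL == 0


def match_count(obj):
    """Number of addresses matched: 2 to the power of the wildcard-bit count."""
    _, mask = parse_wildcard(obj)
    return 1 << bin(mask).count("1")


def covered_blocks(obj, max_blocks=4096):
    """List the matched addresses as CIDR blocks so gaps in coverage are visible."""
    addr, mask = parse_wildcard(obj)
    low = 0  # trailing wildcard bits behave like ordinary host bits
    while low < 32 and (mask >> low) & 1:
        low += 1
    scattered = [1 << i for i in range(low, 32) if (mask >> i) & 1]
    if 1 << len(scattered) > max_blocks:
        raise ValueError("too many disjoint blocks to list")
    bases = [addr & ~mask & FULL]
    for bit in scattered:  # each scattered wildcard bit doubles the block count
        bases += [b | bit for b in bases]
    return [str(ipaddress.IPv4Network((b, 32 - low))) for b in sorted(bases)]


if __name__ == "__main__":
    obj = "10.132.1.1/0.0.2.255"  # object from the page
    print(match_count(obj), covered_blocks(obj))
    for ip in ("10.132.1.200", "10.132.3.77", "10.132.2.1"):  # constructed candidates
        print(ip, matches(obj, ip))
```
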