Address groups

Address groups are designed for ease of use in the administration of the device. If you have a number of addresses or address ranges that will commonly be treated the same or require the same security policies, you can put them into address groups, rather than entering multiple individual addresses in each policy that refers to them.

The use of groups is not required. If you have a number of different addresses, you could add them individually to a policy and the FortiGate firewall will process them just as quickly and efficiently as if they were in a group. However, if you have used a group once, chances are you will need to use it again. Depending on the number of addresses involved, entering them individually for each policy can become tedious, and the likelihood of an address being missed becomes greater. If you have a number of policies using that combination of addresses, it is much easier to add or subtract addresses from the group than to try to remember all of the firewall policies that combination of addresses was used in. With the group, you only have to make the one edit and it is used by any firewall policy using that address group.

Because security policies require addresses with homogeneous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any.

For example, if address 1.1.1.1 is associated with port1, and address 2.2.2.2 is associated with port2, they cannot be in the same group. However, if 1.1.1.1 and 2.2.2.2 are configured with an interface of Any, they can be grouped, even if the addresses involve different networks.
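The interface rule above can be checked offline against a configuration backup. The following Python is an added example, not part of the FortiOS documentation: it parses a constructed CLI excerpt and reports address groups whose members are bound to more than one named interface. The function names are hypothetical, and it assumes flat config/edit/set blocks and that an address with no associated-interface line is bound to Any.

```python
import shlex

# Constructed FortiOS-style excerpt for illustration (not from a real device).
SAMPLE_CONFIG = '''
config firewall address
    edit "host1"
        set subnet 1.1.1.1 255.255.255.255
        set associated-interface "port1"
    next
    edit "host2"
        set subnet 2.2.2.2 255.255.255.255
        set associated-interface "port2"
    next
end
config firewall addrgrp
    edit "grp-mixed"
        set member "host1" "host2"
    next
    edit "grp-port1"
        set member "host1"
    next
end
'''

def parse_tables(text):
    """Parse flat config/edit/set blocks into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            entry = None
    return tables

def mixed_interface_groups(text):
    """Return {group: [interfaces]} for groups whose members span several interfaces."""
    tables = parse_tables(text)
    addrs, findings = tables.get("firewall address", {}), {}
    for name, grp in tables.get("firewall addrgrp", {}).items():
        # Assumption: an address with no associated-interface line is bound to Any.
        bound = (addrs.get(m, {}).get("associated-interface", []) for m in grp.get("member", []))
        ifaces = sorted({iface for values in bound for iface in values})
        if len(ifaces) > 1:
            findings[name] = ifaces
    return findings
```

On the constructed excerpt, only grp-mixed is reported, because host1 and host2 are bound to port1 and port2; with both interface bindings removed (Any), nothing is reported.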

IPv4 address groups and IPv6 address groups are created and treated separately. You cannot mix IPv4 firewall addresses and IPv6 firewall addresses in the same address group. Because the Internet is currently based on IPv4 addresses, IPv6 address groups cannot include FQDN or Geography-based addresses.

Creating an address group

The method for creating either an IPv4 group or an IPv6 group is identical except for the selection of Type.

  1. Go to Policy & Objects > Objects > Addresses.
  2. Select the down arrow next to Create New, then select Address Group.
  3. Choose the Type that is applicable to the proposed selection of addresses.
  4. Input a Group Name for the address object.
  5. Check the Show in Address List box.
  6. Next to Members there is a dropdown menu that can be used to select from the available Address objects. It is possible to select more than 1 entry. Just select the green plus sign next to the field to add an additional entry. Select the “X” icon in the field to remove an entry.
  7. Input any additional information in the Comments field.
  8. Press OK.

UUID support

Syntax:

config firewall {address|address6|addrgrp|addrgrp6}
    edit 1
        set uuid <example uuid: 8289ef80-f879-51e2-20dd-fa62c5c51f44>
    next
end