Address objects
Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies, ZTNA, etc.
To view the possible uses list of address object usage:
-
Go to Policy & Objects > Addresses.
-
Click the number under Ref. The Usage of Address:<Predefined address> pane opens, where <Predefined address> is one of the predefined addresses, such as SSLVPN_TUNNEL_ADDR1.
-
In the Usage of Address:<Predefined address> pane, click Possible Uses to view the list.
When properly set up, these address objects can be used with great flexibility to make the configuration of different functions simpler and more intuitive. When used in a firewall policy, the FortiGate compares the IP addresses contained in packet headers with a policy’s source and destination addresses to determine if the policy matches the traffic. The matching of IP addresses in packet headers is also performed for other FortiGate functions configured with address objects.
Address Types
When creating an IPv4 address, there are several different types of addresses that can be specified. Which one is chosen will depend on which method most easily yet accurately describes the addresses that you are trying to include with as few entries as possible based on the information that you have. For instance, if you are trying to describe the addresses of a specific company’s web server but do not know how extensive their web server farm is, you would be more likely to use a Fully Qualified Domain Name (FQDN) rather than a specific IP address. On the other hand, some computers do not have FQDNs and a specific IP address must be used.
The following table provides a short description of the different types of addresses:
Address type |
Description |
---|---|
Subnet |
The subnet type of address is expressed using a host address and a subnet mask. This is the most flexible of the address types because the address can refer to as little as one individual address (x.x.x.x/32) or as many as all of the available addresses (0.0.0.0/0). See Subnet and Dynamic policy — fabric devices for more information. |
IP range |
The IP range type can be used to define a continuous set of IP addresses between one specific IP address and another (inclusive). It is a flexible way to describe a continuous set of addresses while being specific and granular, without needing to fall within the boundaries of standard subnets. See IP range for more information. |
FQDN |
The Fully Qualified Domain Name (FQDN) address type accepts an address string and resolves it to one or more IP addresses. It relies on DNS to keep up with address changes without having to manually change the IP addresses on the FortiGate. See FQDN addresses for more information. FQDN can also be specified as wildcard addresses such as *.example.com. See Using wildcard FQDN addresses in firewall policies for more information. |
Geography |
Geography addresses are those determined by the country/region of origin. The IPs for the country/region is automatically determined from the Geography IP database. See Geography based addresses and IPv6 geography-based addresses for more information. |
Dynamic |
Dynamic address object can be used in the policies that support dynamic address type and comes in different subtypes such as FSSO and SDN connector dynamic addresses. See FSSO dynamic address subtype, ClearPass integration for dynamic address objects, FortiNAC tag dynamic address, and Public and private SDN connectors for more information. |
Device (Mac address) |
A MAC address is a link layer-based address type and it cannot be forwarded across different IP segments. In FortiOS, you can configure a firewall address object with a singular MAC, wildcard MAC, multiple MACs, or a MAC range. See MAC addressed-based policies, Adding MAC-based addresses to devices, ISDB well-known MAC address list, and IPv6 MAC addresses and usage in firewall policies for more information. |
Wildcard (CLI only) |
Wildcard addresses are addresses that identify ranges of IP addresses, reducing the amount of firewall addresses and security policies required to match some of the traffic on your network. See Wildcard addressing for more information. |
Interface subnet (CLI only) |
For all interfaces set to a LAN or DMZ role, an option is available and enabled by default to automatically create an address object for the connected network. If the interface’s subnet changes, the address object subnet changes too. See Interface subnet for more information. |
Address Group
Address groups are designed for ease of use in the administration of the device. If you have several addresses or address ranges that will commonly be treated the same or require the same security policies, you can put them into address groups, rather than entering multiple individual addresses in each policy that refers to them.
There are two different types of address groups and the following table provides a short description of each type:
Address group type |
Description |
---|---|
Group |
Members of an address group type group can belong to multiple address groups. See Address group, Allow empty address groups, and Address group exclusions for more information. |
Folder |
Members or an address group type folder can only belong to a single address folder. See Address folders for more information. |
When an address group with no members is configured in a firewall policy, the policy will not match any traffic and will just match the implicit deny policy. See Allow empty address groups for more information. |