How to Configure Address Objects in Palo Alto Networks Firewall

Introduction

Address Objects are one of the most commonly used components in a Palo Alto firewall. They allow administrators to create reusable representations of hosts, subnets, IP ranges, FQDNs, and wildcard addresses. Instead of entering IP addresses directly into every policy, Address Objects provide a centralized and scalable way to manage network addresses.

Using Address Objects offers several benefits:

  • Simplifies firewall policy management
  • Improves policy readability
  • Reduces configuration errors
  • Enables object reuse across multiple policies
  • Makes future changes easier by modifying a single object instead of multiple policies

What Are Address Objects?

An Address Object is a named reference to an IP address, subnet, range of IP addresses, FQDN, or wildcard address.

Types of Address Objects

Palo Alto Networks supports four Address Object types:

| Address Type | Description |
| --- | --- |
| IP Netmask | Single host or network subnet |
| IP Range | Continuous range of IP addresses |
| FQDN | Fully Qualified Domain Name |
| IP Wildcard Mask | Pattern-based matching using wildcard bits |

Address Object Configuration

The general workflow for creating Address Objects is:

For GUI:

Objects → Addresses → Add → Configure Object

Commit.

For CLI:

configure
set address <name> <type> <value>
commit

1. IP Netmask Address Object

The IP Netmask Address Object is the most frequently used object type.

It can represent:

  • A single host
  • A subnet
  • A large network

Examples:

192.168.1.10/32
10.10.10.0/24
172.16.0.0/16

Example 1: Create a Host Address Object

GUI Configuration

Navigate to:

Objects → Addresses → Add

Configure:

| Field | Value |
| --- | --- |
| Name | Web_Server |
| Type | IP Netmask |
| IP Address | 192.168.1.10/32 |
| Description | Internal Web Server |

Click OK and Commit.

CLI Configuration

configure

set address Web_Server ip-netmask 192.168.1.10/32

commit

Example 2: Create a Network Address Object

GUI Configuration

Navigate to:

Objects → Addresses → Add

Configure:

| Field | Value |
| --- | --- |
| Name | Branch_Network |
| Type | IP Netmask |
| IP Address | 10.10.10.0/24 |

Click OK and Commit.

CLI Configuration

configure

set address Branch_Network ip-netmask 10.10.10.0/24

commit

2. IP Range Address Object

IP Range objects are useful when you need to represent a specific range of addresses rather than an entire subnet.

Example Use Cases

  • DHCP Pools
  • Temporary address blocks
  • Specific server ranges
  • Legacy network environments

GUI Configuration

Navigate to:

Objects → Addresses → Add

Configure:

| Field | Value |
| --- | --- |
| Name | DHCP_Range |
| Type | IP Range |
| Value | 192.168.1.100-192.168.1.200 |

Commit the configuration.

CLI Configuration

configure

set address DHCP_Range ip-range 192.168.1.100-192.168.1.200

commit

3. FQDN Address Object

Overview

FQDN Address Objects allow the firewall to dynamically resolve a DNS hostname into one or more IP addresses.

Example:

outlook.office365.com

Instead of manually tracking changing Microsoft IP addresses, the firewall automatically updates the object based on DNS resolution.

GUI Configuration

Navigate to:

Objects → Addresses → Add

Configure:

| Field | Value |
| --- | --- |
| Name | Microsoft365 |
| Type | FQDN |
| FQDN | outlook.office365.com |

Commit the configuration.

CLI Configuration

configure

set address Microsoft365 fqdn outlook.office365.com

commit

4. IP Wildcard Mask Address Object

Overview

Wildcard Masks provide pattern-based IP matching.

A wildcard mask works differently from a subnet mask:

GUI Configuration

Navigate to:

Objects → Addresses → Add

Configure:

| Field | Value |
| --- | --- |
| Name | Branch_Wildcard |
| Type | IP Wildcard Mask |
| Value | 10.1.1.10/0.0.0.255 |

Commit the configuration.

CLI Configuration

configure

set address Branch_Wildcard ip-wildcard 10.1.1.10/0.0.0.255

commit
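
A pre-commit check for the four object types above, added here as an example (it is not part of the original article or any Palo Alto Networks tooling): it validates each definition and emits the `set address` lines in the syntax shown on this page. The function names, the naming rule and the strict host-bit check are assumptions of this example, chosen as lint rules rather than as a statement of what the firewall itself accepts.

```python
import ipaddress
import re
NAME = re.compile(r"^[A-Za-z0-9_.-]{1,63}$")  # conservative rule assumed by this example
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label

def check(kind, value):
    """Return None when value is well-formed for kind, otherwise a reason string."""
    try:
        if kind == "ip-netmask":
            ipaddress.ip_network(value, strict=True)  # lint: flags host bits, e.g. 10.10.10.5/24
        elif kind == "ip-range":
            start, end = map(ipaddress.ip_address, value.split("-"))
            if start.version != end.version or start > end:
                return "range bounds are mixed-family or reversed"
        elif kind == "ip-wildcard":
            _addr, _mask = map(ipaddress.IPv4Address, value.split("/"))
        elif kind == "fqdn":
            labels = value.rstrip(".").split(".")
            if len(labels) < 2 or not all(LABEL.match(x) for x in labels):
                return "not a fully qualified domain name"
        else:
            return "unknown address type"
    except ValueError as exc:
        return str(exc)
    return None

def build(objects):
    """Turn (name, kind, value) tuples into set commands plus a list of rejects."""
    commands, rejects = [], []
    for name, kind, value in objects:
        reason = check(kind, value)
        if not NAME.match(name):
            reason = "name is outside the assumed safe character set"
        if reason:
            rejects.append((name, reason))
        else:
            commands.append(f"set address {name} {kind} {value}")
    return commands, rejects

SAMPLE = [  # constructed input: objects from this page plus two deliberate mistakes
    ("Web_Server", "ip-netmask", "192.168.1.10/32"),
    ("Microsoft365", "fqdn", "outlook.office365.com"),
    ("Branch_Wildcard", "ip-wildcard", "10.1.1.10/0.0.0.255"),
    ("Bad_Net", "ip-netmask", "10.10.10.5/24"),
    ("Bad_Range", "ip-range", "192.168.1.200-192.168.1.100"),
]

if __name__ == "__main__":
    print(build(SAMPLE))
```

Rejected entries never reach the generated command list, so a mistyped subnet or reversed range is caught before it is pasted into a configure session.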

Verifying Address Objects

After creating Address Objects, verify the configuration from the CLI.

Show a Specific Object

show address Web_Server

Show All Address Objects

show address all
