Introduction
Address Objects are one of the most commonly used components in a Palo Alto firewall. They allow administrators to create reusable representations of hosts, subnets, IP ranges, FQDNs, and wildcard addresses. Instead of entering IP addresses directly into every policy, Address Objects provide a centralized and scalable way to manage network addresses.
Using Address Objects offers several benefits:
- Simplifies firewall policy management
- Improves policy readability
- Reduces configuration errors
- Enables object reuse across multiple policies
- Makes future changes easier by modifying a single object instead of multiple policies
What Are Address Objects?
An Address Object is a named reference to an IP address, subnet, range of IP addresses, FQDN, or wildcard address.
Types of Address Objects
Palo Alto Networks supports four Address Object types:
| Address Type | Description |
| IP Netmask | Single host or network subnet |
| IP Range | Continuous range of IP addresses |
| FQDN | Fully Qualified Domain Name |
| IP Wildcard Mask | Pattern-based matching using wildcard bits |
Address Object Configuration
The general workflow for creating Address Objects is:
For GUI:
Objects → Addresses → Add → Configure Object
Commit.
For CLI:
configure
set address <name> <type> <value>
commit
1. IP Netmask Address Object
The IP Netmask Address Object is the most frequently used object type.
It can represent:
- A single host
- A subnet
- A large network
Examples:
192.168.1.10/32
10.10.10.0/24
172.16.0.0/16
Example 1: Create a Host Address Object
GUI Configuration
Navigate to:
Objects → Addresses → Add
Configure:
| Field | Value |
| Name | Web_Server |
| Type | IP Netmask |
| IP Address | 192.168.1.10/32 |
| Description | Internal Web Server |
Click OK and Commit.
CLI Configuration
configure
set address Web_Server ip-netmask 192.168.1.10/32
commit
Example 2: Create a Network Address Object
GUI Configuration
Navigate to:
Objects → Addresses → Add
Configure:
| Field | Value |
| Name | Branch_Network |
| Type | IP Netmask |
| IP Address | 10.10.10.0/24 |
Click OK and Commit.
CLI Configuration
configure
set address Branch_Network ip-netmask 10.10.10.0/24
commit
2. IP Range Address Object
IP Range objects are useful when you need to represent a specific range of addresses rather than an entire subnet.
Example Use Cases
- DHCP Pools
- Temporary address blocks
- Specific server ranges
- Legacy network environments
GUI Configuration
Navigate to:
Objects → Addresses → Add
Configure:
| Field | Value |
| Name | DHCP_Range |
| Type | IP Range |
| Value | 192.168.1.100-192.168.1.200 |
Commit the configuration.
CLI Configuration
configure
set address DHCP_Range ip-range 192.168.1.100-192.168.1.200
commit
3. FQDN Address Object
Overview
FQDN Address Objects allow the firewall to dynamically resolve a DNS hostname into one or more IP addresses.
Example:
outlook.office365.com
Instead of manually tracking changing Microsoft IP addresses, the firewall automatically updates the object based on DNS resolution.
GUI Configuration
Navigate to:
Objects → Addresses → Add
Configure:
| Field | Value |
| Name | Microsoft365 |
| Type | FQDN |
| FQDN | outlook.office365.com |
Commit the configuration.
CLI Configuration
configure
set address Microsoft365 fqdn outlook.office365.com
commit
4. IP Wildcard Mask Address Object
Overview
Wildcard Masks provide pattern-based IP matching.
A wildcard mask works differently from a subnet mask:
GUI Configuration
Navigate to:
Objects → Addresses → Add
Configure:
| Field | Value |
| Name | Branch_Wildcard |
| Type | IP Wildcard Mask |
| Value | 10.1.1.10/0.0.0.255 |
Commit the configuration.
CLI Configuration
configure
set address Branch_Wildcard ip-wildcard 10.1.1.10/0.0.0.255
commit
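How a wildcard mask selects addresses, shown as an added example that is not part of the original post. It assumes the PAN-OS convention that a 0 bit in the mask must match the object's address and a 1 bit is ignored; the function names and the second sample object, 10.0.1.10/0.255.0.0, are constructed for illustration.

```python
import ipaddress

def parse_wildcard(obj):
    """Split 'address/mask' into two 32-bit integers."""
    addr, mask = obj.split("/")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))

def wildcard_matches(obj, ip):
    """True when ip agrees with the object on every 0 bit of the mask."""
    addr, mask = parse_wildcard(obj)
    care = ~mask & 0xFFFFFFFF              # bits that must match
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def covered_count(obj):
    """Number of addresses the object matches: 2 ** (number of wildcard bits)."""
    _, mask = parse_wildcard(obj)
    return 1 << bin(mask).count("1")

def equivalent_cidr(obj):
    """CIDR form if the mask is one contiguous run of low-order 1s, else None."""
    addr, mask = parse_wildcard(obj)
    if mask & (mask + 1):                  # 1 bits are not contiguous from bit 0
        return None
    prefix = 32 - bin(mask).count("1")
    network = addr & ~mask & 0xFFFFFFFF    # clear the ignored bits
    return str(ipaddress.IPv4Network((network, prefix)))

if __name__ == "__main__":
    # Branch_Wildcard from this page, plus a constructed non-contiguous mask.
    for obj in ("10.1.1.10/0.0.0.255", "10.0.1.10/0.255.0.0"):
        print(obj, "covers", covered_count(obj), "addresses; CIDR:", equivalent_cidr(obj))
```

The Branch_Wildcard value covers the same 256 addresses as 10.1.1.0/24, while the constructed mask matches host .10 on subnet 1 under every second octet, which no single subnet can express. Checking the covered count before using a wildcard object in a rule shows how wide the match really is.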
Verifying Address Objects
After creating Address Objects, verify the configuration.
Show a Specific Object
show address Web_Server
Show All Address Objects
show address all