IP Wildcard Address not supported in Address Groups?

BBartik — Wed, 01 Mar 2023 22:15:52 GMT

I am trying to make an address group that consist of wildcard addresses but I get this error:

vpn30-wc -> static 'vpn30-v110-wc-1' is not a valid reference vpn30-wc -> static is invalid

vpn30-v110-wc-1 is an IP Wildcard

vpn30-wc is a new empty address group.

Is this not supported?

Re: IP Wildcard Address not supported in Address Groups?

Adrian_Jensen — Wed, 01 Mar 2023 23:23:34 GMT

You can use a FQDN, IP address, or IP block in an Address Group, but not an IP Wildcard. The reason is that Address Objects and Groups must be resolvable to an IP or IP block. An IP Wildcard is kind of a special Address Object (selective IP masking) that breaks that.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-addresses

IP Wildcard Mask
—Enter an IP wildcard address in the format of an IPv4 address followed by a slash and a mask (which must begin with a zero); for example, 10.182.1.1/0.127.248.0. In the wildcard mask, a zero (0) bit indicates that the bit being compared must match the bit in the IP address that is covered by the 0. A one (1) bit in the mask is a wildcard bit, meaning the bit being compared need not match the bit in the IP address that is covered by the 1. Convert the IP address and the wildcard mask to binary. To illustrate the matching: on binary snippet 0011, a wildcard mask of 1010 results in four matches (0001, 0011, 1001, and 1011).

You can use an address object of type IP Wildcard Mask only in a Security policy rule.

topic Re: IP Wildcard Address not supported in Address Groups? in General Topics

IP Wildcard Address not supported in Address Groups?

Re: IP Wildcard Address not supported in Address Groups?