https://live.paloaltonetworks.com/t5/general-topics/difference-between-address-groups-and-regions/m-p/45475#M33426 <HTML><HEAD></HEAD><BODY><P>Andreas,</P><P></P><P>Address groups let you to group a bunch of addresses to be part of a group - say all the networks used for Sales are in Sales address group and for Accounting can be part of Accounting address group. A overlap of networks in address groups is permitted as this is custom defined. When usign Regions, we are grouping the IPs that are allocated for a particular country and these networks cannot overlap with each other. Say you have 1.1.0.0/16 in CN(China), you cannot have 1.1.1.0/24 in CL(Chile). </P><P></P><P>From your description, looks like you have an overlapping subnet between 2 countries. Verify and make sure to not have any overlapping networks between the regions.</P><P></P><P></P><P>Thanks,</P><P>Sri</P></BODY></HTML> Thu, 06 Sep 2012 15:58:03 GMT zarina 2012-09-06T15:58:03Z https://live.paloaltonetworks.com/t5/general-topics/difference-between-address-groups-and-regions/m-p/45474#M33425 <HTML><HEAD></HEAD><BODY><P>I'm trying to find more details about the differences between address groups and regions.</P><P>I added some regions to get a better reporting when I include src and dst countries.</P><P>Initially I made a mistake of naming a region the same as an existing address group. I couldn't delete it, got the error message that this object is used in a rule.</P><P>I know that in rules one can use regions also as src or dst, similar to an address group.</P><P></P><P>I imported some 100+ subnets and didn't check all of them in detail and after a commit I got an error message about subnets being already defined in other regions or overlapping subnets. Did only complain about that for the regions, not for the address groups ?</P><P></P><P>Is there a document available describing in more details the differences between these two object types?</P><P></P><P>Regards,</P><P>&nbsp;&nbsp; Andreas</P></BODY></HTML> Thu, 06 Sep 2012 15:35:58 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-between-address-groups-and-regions/m-p/45474#M33425 AndreasB 2012-09-06T15:35:58Z https://live.paloaltonetworks.com/t5/general-topics/difference-between-address-groups-and-regions/m-p/45475#M33426 <HTML><HEAD></HEAD><BODY><P>Andreas,</P><P></P><P>Address groups let you to group a bunch of addresses to be part of a group - say all the networks used for Sales are in Sales address group and for Accounting can be part of Accounting address group. A overlap of networks in address groups is permitted as this is custom defined. When usign Regions, we are grouping the IPs that are allocated for a particular country and these networks cannot overlap with each other. Say you have 1.1.0.0/16 in CN(China), you cannot have 1.1.1.0/24 in CL(Chile). </P><P></P><P>From your description, looks like you have an overlapping subnet between 2 countries. Verify and make sure to not have any overlapping networks between the regions.</P><P></P><P></P><P>Thanks,</P><P>Sri</P></BODY></HTML> Thu, 06 Sep 2012 15:58:03 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-between-address-groups-and-regions/m-p/45475#M33426 zarina 2012-09-06T15:58:03Z https://live.paloaltonetworks.com/t5/general-topics/difference-between-address-groups-and-regions/m-p/45476#M33427 <HTML><HEAD></HEAD><BODY><P>Hi Sri,</P><P></P><P>thanks for the fast answer.</P><P></P><P>So to summarize:</P><P>- the way one defines address groups and regions is slightly different, but in the end they both contain IP address ranges</P><P>- both can be used in security rules as src or dst</P><P>- regions are checked for overlapping addresses, adress groups not</P><P></P><P>Is my understanding correct?</P><P></P><P>Regards,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Andreas</P><P><BR /> </P></BODY></HTML> Thu, 06 Sep 2012 16:06:22 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-between-address-groups-and-regions/m-p/45476#M33427 AndreasB 2012-09-06T16:06:22Z https://live.paloaltonetworks.com/t5/general-topics/difference-between-address-groups-and-regions/m-p/45477#M33428 <HTML><HEAD></HEAD><BODY><P>Yes. The predefined regions we have contain the networks per the ARIN database. </P></BODY></HTML> Thu, 06 Sep 2012 16:16:02 GMT https://live.paloaltonetworks.com/t5/general-topics/difference-between-address-groups-and-regions/m-p/45477#M33428 zarina 2012-09-06T16:16:02Z