https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354094#M87393 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>Sorry, I just saw I fat fingered my question:</P><P>Let's say I have an objected named "Pizza" with an ip of <STRONG>10.10.10.10/32</STRONG> and it is in use on a security rule.</P><P>I create another object named "Pizza1" with an ip of <STRONG>10.10.10.10/32</STRONG> and use it in a different security rule.</P><P>&nbsp;</P><P>So same IP, different name.&nbsp; How does the the Palo handle this?</P> Mon, 05 Oct 2020 17:53:22 GMT MrWonderful 2020-10-05T17:53:22Z https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/353926#M87381 <P>Let's say I have an objected named "Pizza" with an ip of 10.10.10.10/32 and it is in use on a security rule.</P><P>I create another object named "Pizza1" with an ip of&nbsp;0.10.10.10/32 and use it in a different security rule.</P><P>&nbsp;</P><P>Could that create a problem with the first rule assuming different let's say destinations or APP-ID/Ports?</P> Mon, 05 Oct 2020 12:23:59 GMT https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/353926#M87381 MrWonderful 2020-10-05T12:23:59Z https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354038#M87388 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/149924">@MrWonderful</a>,</P> <P>Nope. The objects are actually replaced in the configuration as far as the firewall is concerned. So your firewall doesn't read the configuration as "Pizza" is allowed to send DNS requests to 8.8.8.8, it actually replaces the object with the actual address so it looks at is as "10.10.10.10/32" is allowed to send DNS requests to 8.8.8.8.&nbsp;</P> Mon, 05 Oct 2020 15:34:18 GMT https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354038#M87388 BPry 2020-10-05T15:34:18Z https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354094#M87393 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>Sorry, I just saw I fat fingered my question:</P><P>Let's say I have an objected named "Pizza" with an ip of <STRONG>10.10.10.10/32</STRONG> and it is in use on a security rule.</P><P>I create another object named "Pizza1" with an ip of <STRONG>10.10.10.10/32</STRONG> and use it in a different security rule.</P><P>&nbsp;</P><P>So same IP, different name.&nbsp; How does the the Palo handle this?</P> Mon, 05 Oct 2020 17:53:22 GMT https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354094#M87393 MrWonderful 2020-10-05T17:53:22Z https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354095#M87394 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/149924">@MrWonderful</a>&nbsp;</P> <P>right, I kind of assumed that you had. Again, it doesn’t matter. You could have 50 address objects with different names all assigned the same address, and the firewall won’t care. When it compiles the configuration all of those objects simply get replaced with the address you have specified in the configuration.</P> <P>So really as far as the firewall is concerned, anything that you’ve specified as Pizza is just going to be replaced with 10.10.10.10/32 and anything with Pizza1 is going to be replaced with whatever you’ve configured for that object. The fact that you have multiple objects mapped to the same value doesn’t effect that process at all.&nbsp;</P> Mon, 05 Oct 2020 18:05:03 GMT https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354095#M87394 BPry 2020-10-05T18:05:03Z https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354096#M87395 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;Just so I understand you correctly, the Palo basically treats each object individually within each rule set.</P><P>&nbsp;</P><P>So that Pizza with a&nbsp;<SPAN>10.10.10.10/32 in rule number one doesn't get confused with Pizza1&nbsp;with a&nbsp;10.10.10.10/32 in rule number two and wouldn't get confused with Pizza2&nbsp;with a&nbsp;10.10.10.10/32 in rule number three and so on, correct?</SPAN></P> Mon, 05 Oct 2020 19:14:44 GMT https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354096#M87395 MrWonderful 2020-10-05T19:14:44Z https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354113#M87398 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/149924">@MrWonderful</a>,</P> <P>Correct. The firewall will simply replace the object with its configured value. The fact that you have multiple objects with the same configured value has no effect on that.</P> Mon, 05 Oct 2020 19:36:52 GMT https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354113#M87398 BPry 2020-10-05T19:36:52Z https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354166#M87403 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/149924">@MrWonderful</a>&nbsp;one nuance though in this specific line of questioning</P><P>Bear in mind that the firewall will not distinguish between pizza and pizza1 when it comes down to matching security rules because both have the same IP address and this is the only thing the running configuration really cares about.</P><P>This means that in this specific case both pizza and pizza1 will be hitting the same rules, even though only 1 of them may be listed in the rule</P> Mon, 05 Oct 2020 22:30:17 GMT https://live.paloaltonetworks.com/t5/general-topics/stupid-question-time/m-p/354166#M87403 reaper 2020-10-05T22:30:17Z