How to Add and Verify Address Objects to Address Group and Security Policy through the CLI

To create multiple address objects and add them to groups and policies via the CLI, please follow these steps.

Steps

To create an address object, 'test', and assign it to an address group, 'test-group':

  1. Enter configuration mode:
    > configure
  2. Create an address group:
    # set address-group testgroup
  3. Create an address object with an IP address:
    # set address test1 ip-netmask 10.30.14.96/32
  4. Assign the address object to an address group:
    # set address-group testgroup static test1
  5. Commit the changes:
    # commit

Add the address group test-group to a security policy via the CLI (this can also be done in the GUI):

  1. Enter configuration mode:
    > configure
  2. Assign the address group to a security policy:
    # set rulebase security rules trust-DMZ action allow source testgroup
  3. Commit the changes:
    # commit

The following commands show the security policy rule that references the previously defined address group:

> configure
# show rulebase security rules DMZ-Trust

DMZ-Trust {
  source testgroup;
  destination any;
  service any;
  application any;
  action allow;
  source-user any;
  option {
    disable-server-response-inspection no;
  }
  negate-source no;
  negate-destination no;
  log-start no;
  log-end yes;
  from DMZ;
  to L3-Trust;
  disabled no;
  category any;
  hip-profiles any;
}

Verification

To view address groups (and the address objects they contain) on the CLI, run the following command:

# show address-group
address-group {
  testgroup {
    static [ test1 test1-1 test2 test2-1 test3];
  }
}

To show individual addresses, run the following command:

# show address

Note: For more information on CLI, please see the CLI Reference Guides in Documentation.
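The article's steps are easy to type for one object but error-prone for a batch. The following Python script is an added example, not code from the article or from Palo Alto Networks: it generates the configure-mode commands shown above for a whole batch of address objects, after checking each entry. The command syntax is taken from the article; the object, group and rule names and the name pattern are assumptions. It rejects unparsable addresses, prefixes with host bits set (a typical mistyped prefix length) and anything broader than a chosen floor, because an over-broad address object silently widens every allow rule that references its group.

```python
"""Generate PAN-OS configure-mode commands for a batch of address objects.

Added example, not part of the original article. It assumes the command
syntax the article shows ('set address <name> ip-netmask <cidr>',
'set address-group <group> static <member>', 'set rulebase security rules
<rule> source <group>'). Object, group and rule names below are constructed.
"""
import ipaddress
import re

# Conservative name pattern (an assumption, not PAN-OS's exact rule): letters,
# digits, '.', '_' and '-', no spaces, so generated commands never need quoting.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")


def check_members(members, min_prefix_v4=16, min_prefix_v6=32):
    """Validate a name -> CIDR mapping; return a list of (name, problem) pairs.

    Strict parsing reports a prefix with host bits set ('10.30.14.96/24' is
    usually a mistyped prefix length), and anything broader than the floor is
    reported, since an over-broad object widens every rule that uses it.
    """
    problems = []
    for name, cidr in members.items():
        if not _NAME_RE.match(name):
            problems.append((name, "invalid object name"))
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append((name, f"bad ip-netmask {cidr!r}: {exc}"))
            continue
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < floor:
            problems.append((name, f"{net} is broader than /{floor}"))
    return problems


def build_commands(group, members, rule=None, **limits):
    """Return the configure-mode command lines for one batch, or raise."""
    if not _NAME_RE.match(group) or (rule and not _NAME_RE.match(rule)):
        raise ValueError("invalid group or rule name")
    problems = check_members(members, **limits)
    if problems:
        raise ValueError("; ".join(f"{n}: {p}" for n, p in problems))
    cmds = [f"set address-group {group}"]
    for name, cidr in members.items():
        net = ipaddress.ip_network(cidr, strict=True)
        # One object, then its static membership in the group (article steps 3-4).
        cmds.append(f"set address {name} ip-netmask {net.with_prefixlen}")
        cmds.append(f"set address-group {group} static {name}")
    if rule:
        # Reference the group from the rule's source field (article's policy step).
        cmds.append(f"set rulebase security rules {rule} source {group}")
    cmds.append("commit")
    return cmds


if __name__ == "__main__":
    # Constructed sample batch: two IPv4 entries and one IPv6 host.
    batch = {
        "test1": "10.30.14.96/32",
        "test2": "10.30.15.0/24",
        "test3": "2001:db8::10/128",
    }
    for line in build_commands("testgroup", batch, rule="trust-DMZ"):
        print(line)
```

The printed lines are pasted into configuration mode in the order given (group first, then objects and memberships, then the rule, then commit). The name pattern deliberately rejects spaces, which is the same restriction a comment below reports for tag names.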

owner: djoksimovic

Comments

Step # 3:
Assign the address object to an address group:
# set address-group test-group test

The following ticket didn't work for me as indicated; I had to add "static" (or it could be dynamic if the group is dynamic) in order to be able to add an object to a group-object, i.e.


# set address-group test-group static test

If I didn't, I would get something like this:
Invalid syntax.
[edit]
bobodaclown@clown_shoes(active)# set address
> address address
> address-group address-group

To figure out the issue I just tabbed my way through to see what the next parameter should be. After that it was smooth sailing.

Thanks for the article!

Here are steps that worked for me:


set address-group IP-BLOCK-03 - create an address group

set address B-149.56.67.5 ip-netmask 149.56.67.5/32 - create an address object

set address-group IP-BLOCK-03 static B-149.56.67.5 - assign address object to the address group.

# show address-group 

  IP-BLOCK-03 {
    static B-149.56.67.5;

Security policies are adjusted through the GUI.

Regards,

So it's worth noting that if you're going to create an object with multiple tags your tags can't have spaces in them--at least not as of 7.0.x, I haven't tested on 7.1.x or 8.0 yet.  Here's an example (since I couldn't find very good documentation or examples on this):

set shared address "MYOBJECTNAME" description "Some fantastic object created easily" tag [ Fantastic Tremendous Test ] ip-netmask 10.0.0.2/32

How does one add and remove individual addresses from a list of addresses defined on a rule using CLI?

@dbergin : By using the 'set' or 'delete' command in configuration mode

admin@myNGFW# show vsys vsys1 rulebase security rules rule1 

rule1 {
 ...
  source [ 192.168.0.41 192.168.0.42];
...

admin@myNGFW# delete vsys vsys1 rulebase security rules rule1 source 192.168.0.41 
admin@myNGFW# show vsys vsys1 rulebase security rules rule1
rule1 {
 ...
  source 192.168.0.42;
...

You can't omit a single address from a group object that's been added to a policy, however.

Thanks @reaper, but in order to insert a new source, do you have to quote all source objects including the new one or is the following example the only way to do it (as I just mentioned).

Note: I don't currently have a lab device to test this on

admin@myNGFW# show vsys vsys1 rulebase security rules rule1 

rule1 {
 ...
  source [ 192.168.0.42];
...

admin@myNGFW# set vsys vsys1 rulebase security rules rule1 source [ 192.168.0.41 192.168.0.42 ]
admin@myNGFW# show vsys vsys1 rulebase security rules rule1
rule1 {
 ...
  source 192.168.0.42 192.168.0.42;
...

Hi @dbergin

You don't need to list all the objects when adding or deleting. You can either set/delete a single object as shown above, which will not impact the other objects in the rule, or you can list several between square brackets.

admin@myNGFW# show vsys vsys1 rulebase security rules rule1
...
set vsys vsys1 rulebase security rules rule1 source [ 192.168.0.42 192.168.0.41 192.168.0.43 ]
...
[edit]
admin@myNGFW# set vsys vsys1 rulebase security rules rule1 source [ 192.168.0.45 192.168.0.44 ]
[edit]
admin@myNGFW# show vsys vsys1 rulebase security rules rule1
...
set vsys vsys1 rulebase security rules rule1 source [ 192.168.0.42 192.168.0.41 192.168.0.43 192.168.0.45 192.168.0.44 ]
...
[edit]
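The exchange above shows the two semantics that matter when editing a rule's source list from the CLI: a 'set ... source [ a b ]' merges the listed members into the existing list (existing members keep their position, new ones are appended) and a 'delete ... source a' removes one member. The following Python script is an added example, not code from the thread or from Palo Alto Networks: it parses the 'source' line of a 'show ... rules' transcript, models those two operations, and plans the minimal commands that turn the current list into a desired one. The rule name, the 'vsys vsys1' path prefix and the sample output are constructed from the formats shown above.

```python
"""Plan 'set' / 'delete' commands that bring a rule's source list to a desired
membership, using the merge semantics the thread's transcripts show.

Added example, not from the thread. Assumptions: 'set ... source [ a b ]'
merges members into the existing list (append, keep order) and
'delete ... source a' removes one member. Rule name, path prefix and sample
output are constructed.
"""
import re

# Matches either form the CLI prints: 'source [ a b ];' or 'source a;'.
# 'source-user any;' does not match because whitespace must follow 'source'.
_SOURCE_RE = re.compile(
    r"^\s*source\s+(?:\[\s*(.*?)\s*\]|(\S+))\s*;\s*$", re.MULTILINE
)


def parse_source(show_output):
    """Return the rule's source members from 'show ... rules <rule>' output."""
    m = _SOURCE_RE.search(show_output)
    if m is None:
        raise ValueError("no 'source' line found in show output")
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return body.split()


def apply_set(current, members):
    """Model 'set ... source [ members ]': union that preserves order."""
    merged = list(current)
    for member in members:
        if member not in merged:
            merged.append(member)
    return merged


def apply_delete(current, member):
    """Model 'delete ... source <member>': remove exactly one member."""
    if member not in current:
        raise ValueError(f"{member!r} is not in the source list")
    return [m for m in current if m != member]


def plan_changes(rule, current, desired, prefix="vsys vsys1"):
    """Return the commands that turn `current` into `desired`.

    New members are added with one 'set' before anything is deleted, so the
    list is never empty between commands; members already present are left
    alone rather than re-listed.
    """
    path = f"{prefix} rulebase security rules {rule} source".strip()
    to_add = [m for m in desired if m not in current]
    to_drop = [m for m in current if m not in desired]
    cmds = []
    if to_add:
        cmds.append(f"set {path} [ {' '.join(to_add)} ]")
    for member in to_drop:
        cmds.append(f"delete {path} {member}")
    return cmds


if __name__ == "__main__":
    # Constructed transcript in the format the thread shows.
    shown = "rule1 {\n  source [ 192.168.0.41 192.168.0.42];\n  destination any;\n}\n"
    current = parse_source(shown)
    for line in plan_changes("rule1", current, ["192.168.0.42", "192.168.0.43"]):
        print(line)
```

Run it against a pasted 'show' transcript and review the planned commands before typing them; the add-before-delete order avoids leaving the rule with an empty source between the two commands, and the diff approach means a re-run on an already-correct rule produces no commands at all.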