09-06-2022 05:17 PM
This properly confuses me every time I look at it. Is anyone able to explain in very simple terms how to work out what the mask should be?
For example: We have an IP scheme that looks like 10.x.128.0/24 where the x changes for each site. We have been using an IP Wildcard address object of 10.128.128.0/0.127.127.255 which seems to have been working for sites 10.[128-201].128.0/24 but now we have a site that uses 10.224.128.0/24 and the wildcard address object does not seem to match it.
What is our address object of 10.128.128.0/0.127.127.255 actually covering?
How can I understand easily how to work out what a mask should be?
11-21-2022 07:51 AM
It's not quite as easy as it may seem with the wildcard mask you're using. You need to understand how the wildcard mask works to figure out which subnets will be matched.
If your wildcard mask was 0.127.255.255, then everything from 10.128.128.0-10.255.255.255 would match. But your mask is 0.127.127.255, which means some subnets are not going to match in that range.
You'll need to do some binary comparisons to figure out what matches and what doesn't. The matching logic is opposite of subnet masking.
11-21-2022 10:14 AM
Yeah thanks - this is my challenge. I am wanting to find an easy/repeatable way of working out what a mask covers, and also what mask would be required to cover a certain range.
Any tips or tools that can be used to do this easily without going through and trying to work out binary and correlating it?
11-21-2022 09:08 PM
11-22-2022 06:33 AM
Online calculators don't provide for unusual wc masks like you have. I don't know of any that would make it easier in this case.
Do you know why it was set this way originally? Any reason you can't change to 0.127.255.255, which would simplify knowing what would match? Or you could create a new object that will match 10.224+
How is that object being used? You're matching on a lot of potentially unnecessary addresses.
11-22-2022 09:30 AM
Yeah, that is the challenge; we're not just trying to match on standard CIDR's so the traditional calculators don't seem to cover our scenario's.
We have a number of sites that use a common scheme for IP addresses, we are wanting to use these wildcards to accurately match traffic for all sites without needing to create individual objects for each site/network. e.g.
Corp Clients = 10.224.10.0/24
Corp WiFi = 10.224.88.0/24
Corp Security = 10.224.26.0/24
SCADA = 10.224.128.0/24
PLC = 10.224.129.0/24
Management = 10.224.3.0/24
etc x 20ish
Corp Clients = 10.225.10.0/24
Corp WiFi = 10.225.88.0/24
Corp Security = 10.225.26.0/24
SCADA = 10.225.128.0/24
PLC = 10.225.129.0/24
Management = 10.225.3.0/24
etc x 20ish
So the 2nd Octet changes for each site, but the 3rd octet is always the same. We want wildcard masks that match the different address objects (10.x.10.0/24, 10.x.88.0/24) etc. so we only need one address object in the policies for all sites, rather than creating 50-100 address objects for each network to cover all the sites.
To complicate it further we only want to look at addresses where the 2nd octet is 128-255 as lower numbers are unrelated to this use case.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!