Is there a way to paste several IP addresses into an object group or policy?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Is there a way to paste several IP addresses into an object group or policy?

L3 Networker

Suppose I wanted to create object group "blob" with 10.10.10.5 .6 .7 8. .9 - and I'm working in the PAN GUI

- is there a way to paste those five addresses into the address group? It seems like my only option is to click

Add (obj group) Add (address) and then fill at least two fields Name and ip address/mask. 

I know I can do this out at the CLI. But wondered if there were any shortcuts for adding lists of addresses in the GUI.

Thank you.

 

 ScrnGrab1360 170512 16.06.jpg

5 REPLIES 5

L4 Transporter

Hello palomed,

 

Give this a try to see if it meets your requirement,

 

Instead of creating an address object before create the security policy, just go to the security policy, in the address, just paste the address/netmask with a comma as a separator,   for example 10.0.0.1/32, 10.0.0.5/32, 10.0.0.6/32 .   

 

That won't create the address object, but the policy will still work.  You can also drag and drop "any" object in the webUI as well.

 

 

This is something I've been meaning to talk to our sales reps about as far as a feature request.  I think an Address Object Group should allow for entering standard IP/subnets without them existing as Address Objects first.  If it needs to add them that way in the system then fine but it is rather tedious to create an address object for each entry and then go add them into the group.

 

For internal stuff I don't really mind it as I always want to create an address object anyways... it's easier to find with the tags and easier to read in the policies.  For external stuff though, I don't always know what the IPs are that I get from a vendor who needs me to whitelist something.  The result is I have to create a bunch of IP address/ranges and just name them (Vendor A IP 1, Vendor A IP 2, etc.) and then add them to the group or just do what @nextgenhappines mentioned and just drop them in the security policy.  It works but aesthentically I don't find it as clean as the internal policies I do.

 

This probably has more to do with my experience with our previous ASA though... years and years of people adding IP addresses into the rules without proper documentation left me with a lot of head scratching when it was time to move them over.

@jsalmans   we stop using address object for our security policy.  If an ip address is commonly used across multiple vsys/firewalls or specific ip addresses are part of the address group.   We just create that in Panorama and push to the vsys/firewalls.  Address object needs an name and ip/netmask.  In the past, we use the name as the hostname and ip adderss as the host ip address.   Giving the SysAdmin will re-ip the system without submit a ticket to us.   It has been a pain.  Since we just care about ip address not the name of address object,  there is no point to first create an address object with the name as the ip address.   That is how we have been doing it for last 4 years.  

Why don't you use FQDN instead of IP address for address objects? That way you only have to change in your DNS if a server changes IP address (and the sysadmin presumably does that for you).

1.  5060 supports 2000 FQDN address objects,  regular address objects are 80k.  

 

2. FQDN object requires dns refresh, how do you coordiate the changes with SA?

 

3.  What happened if the DNS servers that your firewall uses got hacked, and the A record changed to 127.0.0.1?  

 

 

  • 7349 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!