10-05-2020 05:23 AM
Let's say I have an objected named "Pizza" with an ip of 10.10.10.10/32 and it is in use on a security rule.
I create another object named "Pizza1" with an ip of 0.10.10.10/32 and use it in a different security rule.
Could that create a problem with the first rule assuming different let's say destinations or APP-ID/Ports?
10-05-2020 11:05 AM
right, I kind of assumed that you had. Again, it doesn’t matter. You could have 50 address objects with different names all assigned the same address, and the firewall won’t care. When it compiles the configuration all of those objects simply get replaced with the address you have specified in the configuration.
So really as far as the firewall is concerned, anything that you’ve specified as Pizza is just going to be replaced with 10.10.10.10/32 and anything with Pizza1 is going to be replaced with whatever you’ve configured for that object. The fact that you have multiple objects mapped to the same value doesn’t effect that process at all.
10-05-2020 08:34 AM
Nope. The objects are actually replaced in the configuration as far as the firewall is concerned. So your firewall doesn't read the configuration as "Pizza" is allowed to send DNS requests to 8.8.8.8, it actually replaces the object with the actual address so it looks at is as "10.10.10.10/32" is allowed to send DNS requests to 8.8.8.8.
10-05-2020 10:53 AM
Sorry, I just saw I fat fingered my question:
Let's say I have an objected named "Pizza" with an ip of 10.10.10.10/32 and it is in use on a security rule.
I create another object named "Pizza1" with an ip of 10.10.10.10/32 and use it in a different security rule.
So same IP, different name. How does the the Palo handle this?
10-05-2020 11:05 AM
right, I kind of assumed that you had. Again, it doesn’t matter. You could have 50 address objects with different names all assigned the same address, and the firewall won’t care. When it compiles the configuration all of those objects simply get replaced with the address you have specified in the configuration.
So really as far as the firewall is concerned, anything that you’ve specified as Pizza is just going to be replaced with 10.10.10.10/32 and anything with Pizza1 is going to be replaced with whatever you’ve configured for that object. The fact that you have multiple objects mapped to the same value doesn’t effect that process at all.
10-05-2020 12:14 PM
@BPry Just so I understand you correctly, the Palo basically treats each object individually within each rule set.
So that Pizza with a 10.10.10.10/32 in rule number one doesn't get confused with Pizza1 with a 10.10.10.10/32 in rule number two and wouldn't get confused with Pizza2 with a 10.10.10.10/32 in rule number three and so on, correct?
10-05-2020 12:36 PM
Correct. The firewall will simply replace the object with its configured value. The fact that you have multiple objects with the same configured value has no effect on that.
10-05-2020 03:30 PM
@MrWonderful one nuance though in this specific line of questioning
Bear in mind that the firewall will not distinguish between pizza and pizza1 when it comes down to matching security rules because both have the same IP address and this is the only thing the running configuration really cares about.
This means that in this specific case both pizza and pizza1 will be hitting the same rules, even though only 1 of them may be listed in the rule
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
