Fortinet black logo

Handbook

Address groups

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:683266
Download PDF

Address groups

Address groups are designed for ease of use in the administration of the device. If you have a number of addresses or address ranges that will commonly be treated the same or require the same security policies, you can put them into address groups, rather than entering multiple individual addresses in each policy refers to them.

The use of groups is not required. If you have a number of different addresses you could add them individually to a policy and the FortiGate firewall will process them just as quickly and efficiently as if they were in a group, but the chances are that if you have used a group once you could need to use it again and depending on the number of addresses involved entering them individually for each policy can become tedious and the likelihood of an address being missed becomes greater. If you have a number of policies using that combination of addresses it is much easier to add or subtract addresses from the group than to try and remember all of the firewall policies that combination of addresses was used in. With the group, you only have to make the one edit and it is used by any firewall policy using that address group.

Because security policies require addresses with homogenous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any.

For example, if address 1.1.1.1 is associated with port1, and address 2.2.2.2 is associated with port2, they cannot be in the same group. However, if 1.1.1.1 and 2.2.2.2 are configured with an interface of Any, they can be grouped, even if the addresses involve different networks.

There are 3 Categories of Address groups to choose from:

  • IPv4 Group
  • IPv6 Group
  • Proxy Group

You cannot mix different categories of addresses within a group, so whether or not it makes sense from an administrative purpose to group certain addresses together, if some are IPv4 and some are IPv6, it cannot be done.

Creating an address group

  1. Go to Policy & Objects > Addresses.
  2. Select the down arrow next to Create New, select Address Group.
  3. Choose the Category, that is applicable to the proposed selection of addresses.
  4. Input a Group Name for the address object.

Depending on which Category has been chosen the configurations will differ slightly

IPv4 group
  1. Select the "+" in the Members field. You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
  2. Select the desired on/off toggle setting for Show in Address List.
  3. Select the desired on/off toggle setting for Static Route Configuration .
IPv6 group
  1. Select the "+" in the Members field. You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
  2. Select the desired on/off toggle setting for Show in Address List.
Proxy group
  1. Select which Type, either Source Group or Destination Group.
  2. Select the "+" in the Members field. You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
  3. Select the desired on/off toggle setting for Show in Address List.

Irrespective of the Category the groups all have the same final configuration options:

  1. Input any additional information in the Comments field.
  2. Press OK.

UUID support

Syntax:

config firewall {address|addres6|addgrp|addgrp6}

edit 1

set uuid <example uuid: 8289ef80-f879-51e2-20dd-fa62c5c51f44>

end

Address groups

Address groups are designed for ease of use in the administration of the device. If you have a number of addresses or address ranges that will commonly be treated the same or require the same security policies, you can put them into address groups, rather than entering multiple individual addresses in each policy refers to them.

The use of groups is not required. If you have a number of different addresses you could add them individually to a policy and the FortiGate firewall will process them just as quickly and efficiently as if they were in a group, but the chances are that if you have used a group once you could need to use it again and depending on the number of addresses involved entering them individually for each policy can become tedious and the likelihood of an address being missed becomes greater. If you have a number of policies using that combination of addresses it is much easier to add or subtract addresses from the group than to try and remember all of the firewall policies that combination of addresses was used in. With the group, you only have to make the one edit and it is used by any firewall policy using that address group.

Because security policies require addresses with homogenous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any.

For example, if address 1.1.1.1 is associated with port1, and address 2.2.2.2 is associated with port2, they cannot be in the same group. However, if 1.1.1.1 and 2.2.2.2 are configured with an interface of Any, they can be grouped, even if the addresses involve different networks.

There are 3 Categories of Address groups to choose from:

  • IPv4 Group
  • IPv6 Group
  • Proxy Group

You cannot mix different categories of addresses within a group, so whether or not it makes sense from an administrative purpose to group certain addresses together, if some are IPv4 and some are IPv6, it cannot be done.

Creating an address group

  1. Go to Policy & Objects > Addresses.
  2. Select the down arrow next to Create New, select Address Group.
  3. Choose the Category, that is applicable to the proposed selection of addresses.
  4. Input a Group Name for the address object.

Depending on which Category has been chosen the configurations will differ slightly

IPv4 group
  1. Select the "+" in the Members field. You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
  2. Select the desired on/off toggle setting for Show in Address List.
  3. Select the desired on/off toggle setting for Static Route Configuration .
IPv6 group
  1. Select the "+" in the Members field. You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
  2. Select the desired on/off toggle setting for Show in Address List.
Proxy group
  1. Select which Type, either Source Group or Destination Group.
  2. Select the "+" in the Members field. You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.
  3. Select the desired on/off toggle setting for Show in Address List.

Irrespective of the Category the groups all have the same final configuration options:

  1. Input any additional information in the Comments field.
  2. Press OK.

UUID support

Syntax:

config firewall {address|addres6|addgrp|addgrp6}

edit 1

set uuid <example uuid: 8289ef80-f879-51e2-20dd-fa62c5c51f44>

end