firewall {addrgrp | addrgrp6}
Use this command to configure firewall address groups used in firewall policies. You can organize related firewall addresses into firewall address groups to simplify firewall policy configuration. For example, rather than creating three separate firewall policies for three firewall addresses, you could create a firewall address group consisting of the three firewall addresses, then create one firewall policy using that firewall address group. Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies. If an address group is selected in a policy, it cannot be deleted unless it is first deselected in the policy. An address group can be a member of another address group.
config firewall addrgrp
    edit {name}
    # Configure IPv4 address groups.
        set name {string}                      Address group name. size[63]
        set uuid {uuid}                        Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        config member
            edit {name}
            # Address objects contained within the group.
                set name {string}              Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set comment {string}                   Comment. size[255]
        set visibility {enable | disable}      Enable/disable address visibility in the GUI.
        set color {integer}                    Color of icon on the GUI. range[0-32]
        config tagging
            edit {name}
            # Config object tagging.
                set name {string}              Tagging entry name. size[63]
                set category {string}          Tag category. size[63] - datasource(s): system.object-tagging.category
                config tags
                    edit {name}
                    # Tags.
                        set name {string}      Tag name. size[64] - datasource(s): system.object-tagging.tags.name
                    next
            next
        set allow-routing {enable | disable}   Enable/disable use of this group in the static route configuration.
    next
end
config firewall addrgrp6
    edit {name}
    # Configure IPv6 address groups.
        set name {string}                      IPv6 address group name. size[63]
        set uuid {uuid}                        Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set visibility {enable | disable}      Enable/disable address group6 visibility in the GUI.
        set color {integer}                    Integer value to determine the color of the icon in the GUI (1 - 32, default = 0, which sets the value to 1). range[0-32]
        set comment {string}                   Comment. size[255]
        config member
            edit {name}
            # Address objects contained within the group.
                set name {string}              Address6/addrgrp6 name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config tagging
            edit {name}
            # Config object tagging.
                set name {string}              Tagging entry name. size[63]
                set category {string}          Tag category. size[63] - datasource(s): system.object-tagging.category
                config tags
                    edit {name}
                    # Tags.
                        set name {string}      Tag name. size[64] - datasource(s): system.object-tagging.tags.name
                    next
            next
    next
end
Additional information
The following section is for those options that require additional explanation.
Syntax
config firewall {addrgrp | addrgrp6} {edit|delete|purge|rename|get|show} <name_str>
Managing address objects
Configuring a specific address group object is the most common activity when using the config firewall addrgrp command, but some commands affect the address group objects as a whole.
edit
Used to select which individual address group to configure or whose values to edit.
edit <address_group>
To get a list of all of the existing address objects, type the command:
Command Prompt (addrgrp) # edit ?
or
Command Prompt (addrgrp6) # edit ?
If you are creating a new address group object, just type the name you wish to use after the edit command. If there are spaces in the name, enclose it in quotation marks.
delete
Used to delete an existing address group object.
delete <address_group>
- The <address_group> can be a string of up to 64 characters.
purge
Used to delete all of the existing addrgrp or addrgrp6 objects. It deletes all of the values within the table that holds the information about addrgrp or addrgrp6 objects within the VDOM.
purge
- There are no options, parameters or qualifiers. Just press the Enter key after entering the command.
- This command has a serious impact. Use cautiously.
rename
Used to change the name of the addrgrp or addrgrp6 object.
rename <address_group> to <new_address_group>
name
This field is a unique name given to represent the address group object. This setting applies to both IPv4 and IPv6. It is first defined when using the edit command to edit an address group object that does not currently exist.
The name field of an address group object cannot be changed from within the object. It can be changed by using the rename command in the config firewall addrgrp or config firewall addrgrp6 context.
uuid
Each address group has a Universally Unique Identifier (UUID) that is automatically assigned. It is a 128-bit value written in hexadecimal. It can be edited. This setting applies to both IPv4 and IPv6.
Syntax:
set uuid <uuid>
Default value: autogenerated
Example:
config firewall addrgrp
    edit example_group
        set uuid d38e0dca-b80c-51e6-1180-6863e1b9ea9a
    end
member
Defines the address objects that are members of the address group. The value is a <string> that must be the name of an existing address object (or address group) configured on the device. A group cannot contain both IPv4 and IPv6 address objects. Separate multiple members with a space.
Syntax:
{set|append} member <name of address object> [<name of address object> ...]
Example:
config firewall addrgrp
    edit example_group
        set member example_address1
        or ...
        set member example_address1 example_address2
        or ...
        append member example_address3
    end
comment
Field used to store descriptive information about the address group. The field is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces. This setting applies to both IPv4 and IPv6.
Syntax:
set comment <var-string>
Example:
config firewall addrgrp
    edit example.com
        set comment "Addresses for Vendor Websites"
    end
visibility
Enables or disables the ability to see the address group in the GUI. This setting applies to both IPv4 and IPv6.
Syntax:
set visibility {enable | disable}
Default value: enable
Example:
config firewall addrgrp
    edit example_group
        set visibility disable
    end
color
This setting determines the color of the icon in the GUI. There are 32 defined colors, numbered 1 to 32. A value of 0 selects the default, which is color number 1. This setting applies to both IPv4 and IPv6.
Syntax:
set color <integer>
Default value: 0
Example:
config firewall addrgrp
    edit example_group
        set color 7
    end
tags
Used to assign a custom tag to the address group object. The tags need to be preconfigured in config system object-tagging, and the same list of tags can be used anywhere that the tag setting is available. To see what tags are available for use, use the command set tags ?. This setting applies to both IPv4 and IPv6. Separate multiple values with a space.
Syntax:
{set|append|clear} tags <name_of_tag>
Example:
config system object-tagging
    edit example-tag1
    next
    edit example-tag2
    next
    edit "example tag 3"
    next
end
config firewall addrgrp
    edit example.com
        config tagging
            edit example-tags
                set tags example-tag1 example-tag2
                append tags "example tag 3"
            next
        end
    next
end
allow-routing
Enable/disable use of this address group in the static route configuration. This option is only available for IPv4.
Syntax:
set allow-routing {enable | disable}
Default value: disable
Example:
config firewall addrgrp
    edit example_group
        set allow-routing enable
    end
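Because groups can nest (member) and a group can be used in static routes (allow-routing), a reviewer often needs to know which addresses a group actually resolves to and which groups affect routing. The following Python is an added example, not Fortinet's code: it parses a constructed configuration dump in the tree format shown on this page, expands nested groups to leaf address names with cycle protection, and lists groups with allow-routing enabled. The group and address names and the UUID are constructed values.

```python
import shlex

# Constructed sample in the 'config firewall addrgrp' tree format documented on this page.
SAMPLE = """
config firewall addrgrp
    edit "web_servers"
        set uuid 00000000-0000-0000-0000-000000000001
        set member "web1" "web2"
    next
    edit "all_servers"
        set member "web_servers" "db1"
        set allow-routing enable
    next
end
"""

def parse_addrgrp(text):
    """Return {group_name: {"member": [...], "allow-routing": bool}} from a config dump."""
    groups, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles quoted names that contain spaces
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            groups[current] = {"member": [], "allow-routing": False}
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            if tokens[1] == "member":
                groups[current]["member"] = tokens[2:]
            elif tokens[1] == "allow-routing":
                groups[current]["allow-routing"] = tokens[2] == "enable"
        elif tokens[0] == "next":
            current = None
    return groups

def expand(groups, name, seen=None):
    """Resolve nested groups to the set of leaf address names, tolerating reference cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    leaves = set()
    for m in groups[name]["member"]:
        leaves |= expand(groups, m, seen) if m in groups else {m}
    return leaves

def routing_groups(groups):
    """Groups with allow-routing enabled: editing them can change static routes, not only policy."""
    return sorted(g for g, v in groups.items() if v["allow-routing"])
```

Feed it the text of a saved configuration dump instead of SAMPLE to audit a real device.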