Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.6
Download PDF
Copy Link

firewall {addrgrp | addgrp6}

Use this command to configure firewall address groups used in firewall policies. You can organize related firewall addresses into firewall address groups to simplify firewall policy configuration. For example, rather than creating three separate firewall policies for three firewall addresses, you could create a firewall address group consisting of the three firewall addresses, then create one firewall policy using that firewall address group. Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies. If an address group is selected in a policy, it cannot be deleted unless it is first deselected in the policy. An address group can be a member of another address group.

config firewall addrgrp
    edit {name}
    # Configure IPv4 address groups.
        set name {string}   Address group name. size[63]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        config member
            edit {name}
            # Address objects contained within the group.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set comment {string}   Comment. size[255]
        set visibility {enable | disable}   Enable/disable address visibility in the GUI.
        set color {integer}   Color of icon on the GUI. range[0-32]
        config tagging
            edit {name}
            # Config object tagging.
                set name {string}   Tagging entry name. size[63]
                set category {string}   Tag category. size[63] - datasource(s): system.object-tagging.category
                config tags
                    edit {name}
                    # Tags.
                        set name {string}   Tag name. size[64] - datasource(s): system.object-tagging.tags.name
                    next
            next
        set allow-routing {enable | disable}   Enable/disable use of this group in the static route configuration.
    next
end
config firewall addrgrp6
    edit {name}
    # Configure IPv6 address groups.
        set name {string}   IPv6 address group name. size[63]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set visibility {enable | disable}   Enable/disable address group6 visibility in the GUI.
        set color {integer}   Integer value to determine the color of the icon in the GUI (1 - 32, default = 0, which sets the value to 1). range[0-32]
        set comment {string}   Comment. size[255]
        config member
            edit {name}
            # Address objects contained within the group.
                set name {string}   Address6/addrgrp6 name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config tagging
            edit {name}
            # Config object tagging.
                set name {string}   Tagging entry name. size[63]
                set category {string}   Tag category. size[63] - datasource(s): system.object-tagging.category
                config tags
                    edit {name}
                    # Tags.
                        set name {string}   Tag name. size[64] - datasource(s): system.object-tagging.tags.name
                    next
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

Syntax
config firewall {addrgrp | addrgrp6}
	{edit|delete|purge|rename|get|show} <name_str>

Managing address objects

The configuration of specific address object is the most common activity when using the config firewall address command but some commands affect the address objects as a whole.

edit

Used to select which individual policy to configure or edit values.

edit <address_group>

To get a list of all of the existing address objects, type the command:

Command Prompt (addrgrp) # edit ?
or
Command Prompt (addrgrp6) # edit ?

If you are creating a new address object, just type the name you wish to used after the edit command. If there are spaces in the name, use quotation marks.

delete

Used to delete an existing address object

delete <address_group>
  • The <address_group> can be a string of up to 64 characters.

purge

Used delete all of the existing addrgrp or addrgrp6 objects. It deletes all of the values within the table that holds the information about addrgrp or addrgrp6 objects within the VDOM.

purge
  • There are no options, parameters or qualifiers. Just use the enter key after entering the command
  • This command has a serious impact. Use cautiously.

rename

Used to change the name of the addrgrp or addrgrp6 object.

rename <address_group> to <new_address_group>

name

This field is a unique name given to represent the address group object. This settings is for both IPv4 and IPv6. This setting is first defined when using the edit command to edit an address group object that does not currently exist. The name field of an address object cannot be changed from within the object. It can be changed by using the rename command in the config firewall addrgrp or config firewall addrgrp6 context.

uuid

Each address has a Universally Unique Identifier (UUID) that is automatically assigned. It is a 128 bit value written in hexadecimal. It can be edited. This settings is for both IPv4 and IPv6.

Syntax:
set uuid <uuid>

Default value: autogenerated

Example:
config firewall addrgrp
	edit example_group
	set uuid d38e0dca-b80c-51e6-1180-6863e1b9ea9a
end

member

Defines the address objects that are members of the address group. The value is a <string> that should be the name of one of the existing address objects configured on the device. A group cannot contain both IPv4 and IPv6 address objects. Separate multiple interfaces with a space.

Syntax:
{set|append} members <name of address object> [<name of address object> ...] 
Example:
config firewall addrgrp
	edit example_group
	set member example_address1 
	or ...
	set member example_address1 example_address2
	or ... 
	append example_address3 
end

comment

Field used to store descriptive information about the address group. The field is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces. This settings is for both IPv4 and IPv6.

Syntax:
set comment <var-string>
Example:
config firewall addrgrp
			edit example.com
			set comment "Addresses for Vendor Websites"
		end

visibility

Enables or disables the ability to see the address group in the GUI. This settings is for both IPv4 and IPv6.

Syntax:
set visibility {enable | disable}

Default value: enable

Example:
config firewall addrgrp
	edit example_group
	set visibility disable
end
		

color

This setting determines the color of the icon in the GUI. There are 32 defined colors numbered 1 to 32. 0 will set the color to default which is color number 1. This settings is for both IPv4 and IPv6.

Syntax:
set color <integer>

Default value: 0

Example:
config firewall addrgrp
	edit example_group
	set color 7
end
		

tags

Used to assign a custom tag to the address group object.  The tags need to be preconfigured in config system object-tagging and the same list of tags can be used anywhere that the tag setting is available. To see what tags are available for use, use the command set tags ?. This settings is for both IPv4 and IPv6. Separate multiple values with a space.

Syntax:
{set|append|clear} tags <name_of_tag>
		
Example:
config system object-tagging
	edit example-tag1
	next 
	edit example-tag2
	next
	edit "example tag 3"
	next
end
config firewall addrgrp
    edit example.com
        config tagging
            edit example-tags
                set tags example-tag1 example-tag2
                append "example tag 3"
            next
        end
    next
end

allow-routing

Enable/disable use of this address group in the static route configuration. This option is only available for IPv4.

Syntax:
set allow-routing {enable | disable}

Default value: disable

Example:
config firewall addrgrp
	edit example_group
	set allow-routing enable
end
	

firewall {addrgrp | addgrp6}

Use this command to configure firewall address groups used in firewall policies. You can organize related firewall addresses into firewall address groups to simplify firewall policy configuration. For example, rather than creating three separate firewall policies for three firewall addresses, you could create a firewall address group consisting of the three firewall addresses, then create one firewall policy using that firewall address group. Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies. If an address group is selected in a policy, it cannot be deleted unless it is first deselected in the policy. An address group can be a member of another address group.

config firewall addrgrp
    edit {name}
    # Configure IPv4 address groups.
        set name {string}   Address group name. size[63]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        config member
            edit {name}
            # Address objects contained within the group.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set comment {string}   Comment. size[255]
        set visibility {enable | disable}   Enable/disable address visibility in the GUI.
        set color {integer}   Color of icon on the GUI. range[0-32]
        config tagging
            edit {name}
            # Config object tagging.
                set name {string}   Tagging entry name. size[63]
                set category {string}   Tag category. size[63] - datasource(s): system.object-tagging.category
                config tags
                    edit {name}
                    # Tags.
                        set name {string}   Tag name. size[64] - datasource(s): system.object-tagging.tags.name
                    next
            next
        set allow-routing {enable | disable}   Enable/disable use of this group in the static route configuration.
    next
end
config firewall addrgrp6
    edit {name}
    # Configure IPv6 address groups.
        set name {string}   IPv6 address group name. size[63]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set visibility {enable | disable}   Enable/disable address group6 visibility in the GUI.
        set color {integer}   Integer value to determine the color of the icon in the GUI (1 - 32, default = 0, which sets the value to 1). range[0-32]
        set comment {string}   Comment. size[255]
        config member
            edit {name}
            # Address objects contained within the group.
                set name {string}   Address6/addrgrp6 name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config tagging
            edit {name}
            # Config object tagging.
                set name {string}   Tagging entry name. size[63]
                set category {string}   Tag category. size[63] - datasource(s): system.object-tagging.category
                config tags
                    edit {name}
                    # Tags.
                        set name {string}   Tag name. size[64] - datasource(s): system.object-tagging.tags.name
                    next
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

Syntax
config firewall {addrgrp | addrgrp6}
	{edit|delete|purge|rename|get|show} <name_str>

Managing address objects

The configuration of specific address object is the most common activity when using the config firewall address command but some commands affect the address objects as a whole.

edit

Used to select which individual policy to configure or edit values.

edit <address_group>

To get a list of all of the existing address objects, type the command:

Command Prompt (addrgrp) # edit ?
or
Command Prompt (addrgrp6) # edit ?

If you are creating a new address object, just type the name you wish to used after the edit command. If there are spaces in the name, use quotation marks.

delete

Used to delete an existing address object

delete <address_group>
  • The <address_group> can be a string of up to 64 characters.

purge

Used delete all of the existing addrgrp or addrgrp6 objects. It deletes all of the values within the table that holds the information about addrgrp or addrgrp6 objects within the VDOM.

purge
  • There are no options, parameters or qualifiers. Just use the enter key after entering the command
  • This command has a serious impact. Use cautiously.

rename

Used to change the name of the addrgrp or addrgrp6 object.

rename <address_group> to <new_address_group>

name

This field is a unique name given to represent the address group object. This settings is for both IPv4 and IPv6. This setting is first defined when using the edit command to edit an address group object that does not currently exist. The name field of an address object cannot be changed from within the object. It can be changed by using the rename command in the config firewall addrgrp or config firewall addrgrp6 context.

uuid

Each address has a Universally Unique Identifier (UUID) that is automatically assigned. It is a 128 bit value written in hexadecimal. It can be edited. This settings is for both IPv4 and IPv6.

Syntax:
set uuid <uuid>

Default value: autogenerated

Example:
config firewall addrgrp
	edit example_group
	set uuid d38e0dca-b80c-51e6-1180-6863e1b9ea9a
end

member

Defines the address objects that are members of the address group. The value is a <string> that should be the name of one of the existing address objects configured on the device. A group cannot contain both IPv4 and IPv6 address objects. Separate multiple interfaces with a space.

Syntax:
{set|append} members <name of address object> [<name of address object> ...] 
Example:
config firewall addrgrp
	edit example_group
	set member example_address1 
	or ...
	set member example_address1 example_address2
	or ... 
	append example_address3 
end

comment

Field used to store descriptive information about the address group. The field is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces. This settings is for both IPv4 and IPv6.

Syntax:
set comment <var-string>
Example:
config firewall addrgrp
			edit example.com
			set comment "Addresses for Vendor Websites"
		end

visibility

Enables or disables the ability to see the address group in the GUI. This settings is for both IPv4 and IPv6.

Syntax:
set visibility {enable | disable}

Default value: enable

Example:
config firewall addrgrp
	edit example_group
	set visibility disable
end
		

color

This setting determines the color of the icon in the GUI. There are 32 defined colors numbered 1 to 32. 0 will set the color to default which is color number 1. This settings is for both IPv4 and IPv6.

Syntax:
set color <integer>

Default value: 0

Example:
config firewall addrgrp
	edit example_group
	set color 7
end
		

tags

Used to assign a custom tag to the address group object.  The tags need to be preconfigured in config system object-tagging and the same list of tags can be used anywhere that the tag setting is available. To see what tags are available for use, use the command set tags ?. This settings is for both IPv4 and IPv6. Separate multiple values with a space.

Syntax:
{set|append|clear} tags <name_of_tag>
		
Example:
config system object-tagging
	edit example-tag1
	next 
	edit example-tag2
	next
	edit "example tag 3"
	next
end
config firewall addrgrp
    edit example.com
        config tagging
            edit example-tags
                set tags example-tag1 example-tag2
                append "example tag 3"
            next
        end
    next
end

allow-routing

Enable/disable use of this address group in the static route configuration. This option is only available for IPv4.

Syntax:
set allow-routing {enable | disable}

Default value: disable

Example:
config firewall addrgrp
	edit example_group
	set allow-routing enable
end