IP Address Group

Use this panel to define the elements of a specific address group. This address group can then be used in a connectivity rule. All address groups must contain at least one IP address specification.

Before you begin, decide on the values and settings that you want to specify in the steps below.

Steps:

  1. Enter a name for your address group. Address group names may be 1-32 characters in length.
  2. Optionally, enter a description for your address group. Descriptions may be up to 70 characters in length.
  3. To add an IP address, click a table cell and type the IP address.
    • You can also enter another address group name that is prefixed with @. For example, to include all the IP addresses in address group AG1 into this address group, type @AG1. Alternatively, you can enter address group names by clicking Actions > Select Address Group Name and choosing one or more existing address groups to insert into this address group.
    • For IPsec or zERT, you can also enter a stack symbol name. You can either type the stack symbol name directly into the table, or click Actions > Select Stack Symbol Name. If you type the stack symbol name into the table, the name must already be configured as a stack symbol name for a stack and must be entered with a prefix of %. If you click Actions > Select Stack Symbol Name, you can select stack symbol names from a list of all configured stack symbol names. The use of stack symbol names is particularly useful within reusable rules. For more information about reusable rules, see How to take advantage of reusable rules.
  4. To modify an address, click the table cell and type the change.
  5. To delete an address, click its table cell and delete it from the table.
  6. If you are copying an address group, you can copy it into the current technology perspective or into another technology perspective. By default, it will be copied to the current technology perspective.
    Rules:
    • Address groups with both IPv4 and IPv6 addresses cannot be copied to IPsec.
    • IPsec address groups with stack symbols cannot be copied to other technology perspectives.

Restrictions:

As shown in Figure 1, the maximum level of address group nesting supported is 3.
Figure 1. Nesting Level Illustration
The maximum level of address group nesting supported is 2.

IPsec: All addresses within an address group must be the same IP version. You cannot create an address group that contains both IPv4 and IPv6 addresses. IPv4-mapped IPv6 addresses and IPv4-compatible IPv6 addresses are only permitted on data endpoints for Permit/Deny rules.

Syntax:

The following is an example of a stack symbol name:

%OSA

The following are examples of IP addresses:

  • 1.2.3.4 (IPv4)
  • 1:2:3:4:5:6:7:8 (IPv6)

The following is a subnet example:

  • 1.2.3.0/24 (IPv4)
  • 1:2:3:4::/64 (IPv6)

The number that follows the slash represents the number of left-most significant bits for the address mask. For IPv4 addresses it must be an integer from 0 to 32, where 0 means all IPv4 addresses. For IPv6 addresses it must be an integer from 0 to 128, where 0 means all IPv6 addresses.

The following is a range example:

  • 1.2.3.4-1.2.3.100 (IPv4)
  • 1:2:3:4:5:6:7:0-1:2:3:4:5:6:7:8 (IPv6)

There is no default.

You have completed this panel when you have added all desired IP addresses to the group. Click OK to save the address group.
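
The entry syntax and the IPsec same-version restriction above can be checked before a group is typed into the panel. The following Python sketch is an added example, not part of the product or its documentation; the function names, the `perspective` parameter, and the rules marked as assumptions in the comments are hypothetical. It does not verify that a referenced address group or stack symbol is actually configured.

```python
import ipaddress

def classify_entry(entry):
    """Return (kind, ip_version) for one table cell; raise ValueError if malformed."""
    entry = entry.strip()
    if entry[:1] in ("@", "%"):                    # @group reference or %stack symbol
        if len(entry) == 1:
            raise ValueError("missing name after prefix")
        return ("group" if entry[0] == "@" else "symbol"), None
    if "/" in entry:                               # subnet: address/prefix-length
        addr, _, plen = entry.partition("/")
        ip = ipaddress.ip_address(addr)
        if not plen.isdigit() or int(plen) > ip.max_prefixlen:
            raise ValueError("prefix length must be 0-%d" % ip.max_prefixlen)
        return "subnet", ip.version
    if "-" in entry:                               # range: low-high
        lo, hi = (ipaddress.ip_address(p) for p in entry.split("-", 1))
        # Assumption: both ends share an IP version and the low end comes first.
        if lo.version != hi.version or lo > hi:
            raise ValueError("range ends must be same version, low first")
        return "range", lo.version
    return "address", ipaddress.ip_address(entry).version

def check_group(name, entries, description="", perspective="IPsec"):
    """Return a list of problems found; an empty list means the group passes."""
    errors = []
    if not 1 <= len(name) <= 32:
        errors.append("name must be 1-32 characters")
    if len(description) > 70:
        errors.append("description must be at most 70 characters")
    if not entries:                                # assumption: any entry counts
        errors.append("group needs at least one entry")
    versions = set()
    for entry in entries:
        try:
            kind, version = classify_entry(entry)
        except ValueError as exc:
            errors.append("%s: %s" % (entry, exc))
            continue
        if version:
            versions.add(version)
        if kind == "symbol" and perspective not in ("IPsec", "zERT"):
            errors.append("%s: stack symbols are for IPsec or zERT only" % entry)
    if perspective == "IPsec" and len(versions) > 1:
        errors.append("IPsec groups cannot mix IPv4 and IPv6")
    return errors

# Constructed sample built from the syntax examples on this page.
SAMPLE = ["1.2.3.4", "1.2.3.0/24", "1.2.3.4-1.2.3.100", "@AG1", "%OSA"]
```

Calling `check_group("WEB", SAMPLE)` returns an empty list; adding an IPv6 entry to the same list under the IPsec perspective returns the mixed-version error.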