It would be very convenient to have a special group type in the firewall settings to which both addresses and networks can be added (a hybrid of network-group and address-group).
I was faced with the need to combine addresses, ranges and subnets into one group, but to configure this I have to create separate rules for the "network-group" and for the "address-group".
Example: these IPs need to be placed in the group: 10.0.30.5-10.0.30.7, 10.0.0.12, 10.0.0.222, 10.0.0.250, 10.0.1.0/30, 10.0.2.0/30, 10.0.10.0/24
Option number 1
set firewall group address-group MY_GROUP address 10.0.30.5-10.0.30.7
set firewall group address-group MY_GROUP address 10.0.0.12
set firewall group address-group MY_GROUP address 10.0.0.222
set firewall group address-group MY_GROUP address 10.0.0.250
set firewall group network-group MY_GROUP_1 network 10.0.1.0/30
set firewall group network-group MY_GROUP_1 network 10.0.2.0/30
set firewall group network-group MY_GROUP_1 network 10.0.10.0/24

A network-group and an address-group cannot be combined in one source match, so two rules (10 and 20) are needed:

set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group address-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any
set firewall name TEST rule 20 action 'accept'
set firewall name TEST rule 20 source group network-group MY_GROUP_1
set firewall name TEST rule 20 description MY_GROUP_1-any
Option number 2
This is inconvenient: every host has to be specified as a /32 network, and a range has to be expanded into its individual hosts.

set firewall group network-group MY_GROUP network 10.0.30.5/32
set firewall group network-group MY_GROUP network 10.0.30.6/32
set firewall group network-group MY_GROUP network 10.0.30.7/32
set firewall group network-group MY_GROUP network 10.0.0.12/32
set firewall group network-group MY_GROUP network 10.0.0.222/32
set firewall group network-group MY_GROUP network 10.0.0.250/32
set firewall group network-group MY_GROUP network 10.0.1.0/30
set firewall group network-group MY_GROUP network 10.0.2.0/30
set firewall group network-group MY_GROUP network 10.0.10.0/24
set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group network-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any
Option number 3
set firewall group "hybrid"-group MY_GROUP address 10.0.30.5-10.0.30.7
set firewall group "hybrid"-group MY_GROUP address 10.0.0.12
set firewall group "hybrid"-group MY_GROUP address 10.0.0.222
set firewall group "hybrid"-group MY_GROUP address 10.0.0.250
set firewall group "hybrid"-group MY_GROUP address 10.0.1.0/30
set firewall group "hybrid"-group MY_GROUP address 10.0.2.0/30
set firewall group "hybrid"-group MY_GROUP address 10.0.10.0/24
set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group "hybrid"-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any

The "hybrid" group would allow more flexible traffic-filtering rules with less configuration.
Possible completions:
  <x.x.x.x>              IPv4 address to match
  <x.x.x.x>-<x.x.x.x>    IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)
  <x.x.x.x/x>            IPv4 Subnet to match