It is very convenient to create a special group in the firewall settings to which you can add both addresses and networks (a hybrid of network-group and address-group).
I was faced with the need to combine addresses, ranges, and subnets into one group, and for configuration, I have to create separate rules for the "network-group" and for the "address-group".
Example: you need to allocate these IPs to the group: 10.0.30.5-10.0.30.7, 10.0.0.12, 10.0.0.222 , 10.0.0.250 , 10.0.1.0/30 , 10.0.2.0/30 , 10.0.10.0/24
Option number 1
```
set firewall group address-group MY_GROUP address 10.0.30.5-10.0.30.7
set firewall group address-group MY_GROUP address 10.0.0.12
set firewall group address-group MY_GROUP address 10.0.0.222
set firewall group address-group MY_GROUP address 10.0.0.250
set firewall group network-group MY_GROUP_1 network 10.0.1.0/30
set firewall group network-group MY_GROUP_1 network 10.0.2.0/30
set firewall group network-group MY_GROUP_1 network 10.0.10.0/24
Can't combine network and address group for source (for this reason have to use two rules 10 and 20)
set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group address-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any
set firewall name TEST rule 20 action 'accept'
set firewall name TEST rule 20 source group network-group MY_GROUP_1
set firewall name TEST rule 20 description MY_GROUP_1-any
```
Option number 2
This is inconvenient (specify all hosts as / 32 networks)
```
set firewall group network-group MY_GROUP network 10.0.30.5/32
set firewall group network-group MY_GROUP network 10.0.30.6/32
set firewall group network-group MY_GROUP network 10.0.30.7/32
set firewall group network-group MY_GROUP network 10.0.0.12/32
set firewall group network-group MY_GROUP network 10.0.0.222/32
set firewall group network-group MY_GROUP network 10.0.0.250/32
set firewall group network-group MY_GROUP network 10.0.1.0/30
set firewall group network-group MY_GROUP network 10.0.2.0/30
set firewall group network-group MY_GROUP network 10.0.10.0/24
set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group address-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any
```
Option number 3
```
set firewall group "hybrid"-group MY_GROUP address 10.0.30.5-10.0.30.7
set firewall group "hybrid"-group MY_GROUP address 10.0.0.12
set firewall group "hybrid"-group MY_GROUP address 10.0.0.222
set firewall group "hybrid"-group MY_GROUP address 10.0.0.250
set firewall group "hybrid"-group MY_GROUP network 10.0.1.0/30
set firewall group "hybrid"-group MY_GROUP network 10.0.2.0/30
set firewall group "hybrid"-group MY_GROUP network 10.0.10.0/24
set firewall name TEST default-action drop
set firewall name TEST rule 10 action 'accept'
set firewall name TEST rule 10 source group "hybrid"-group MY_GROUP
set firewall name TEST rule 10 description MY_GROUP-any
```
The "hybrid" group allows us to configure more flexible traffic filtering rules and reduce configuration.
Possible completions:
<x.x.x.x> IPv4 address to match
<x.x.x.x>-<x.x.x.x> IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)
<x.x.x.x/x> IPv4 Subnet to match