About Wildcard IPv4 Addresses

In Fireware v12.1 or higher, you can specify wildcard IPv4 addresses in aliases and policies. Wildcard IP addresses are convenient when you create templates for repetitive IP address patterns in a distributed enterprise: in a policy, you specify one wildcard IP address rather than add each individual IP address.

To configure wildcard IP addresses in an alias or policy, you specify wildcard values in one or more octets of the netmask. Each netmask octet can be any number from 0 to 255. A value of 255 fixes every bit of that octet. A value of 254 or less contains at least one zero bit; each zero bit in the netmask is a wildcard bit, and the number of generated IP addresses doubles with each wildcard bit, so any such value generates more than one IP address.

A built-in IP address calculator generates the list of wildcard IP addresses from the base IP address and netmask you specify. The calculator does not verify whether the base IP address and netmask are valid; if they are not valid, an error appears when you try to save the settings. For the wildcard settings to be valid, every bit that is zero in the netmask (a wildcard bit) must also be zero in the base IP address, because the calculator fills in those bits itself.

The list of wildcard IP addresses is continuous or non-continuous based on the wildcard netmask you specify. If the list exceeds 256 entries, only the first 256 wildcard IP addresses are shown.

Example Deployment

Wildcard IPv4 addresses are most commonly used on networks with a large number of remote sites.

In one example, the remote sites on your network are retail stores. Each store has a Firebox managed by a Management Server. A local DNS server exists behind the Firebox at each site. The local DNS server responds to DNS queries from computers on the local network. You do not want computers on the local network to access the Internet for DNS queries. However, the local DNS server must connect to public DNS servers on the Internet.

You create an IP address plan that uses an octet in the IP address to identify the network at each store. Optionally, you could specify the store number for this octet to better identify the network. Another octet identifies a local resource at each store.

In this example, you specify a wildcard IP address of 10.0.0.3/255.255.0.255, which generates a continuous list of 256 wildcard IP addresses. The third octet in the IP address identifies the network at each store and also matches the store number. The fourth octet of .3 identifies the DNS server at each store:

  • 10.0.1.3 — Local DNS server at Store 1
  • 10.0.2.3 — Local DNS server at Store 2
  • 10.0.3.3 — Local DNS server at Store 3

In the Device Management Template for the store Fireboxes, you create one DNS policy for all of your retail stores. Rather than add each individual IP address to the policy, you can specify the 10.0.0.3/255.255.0.255 wildcard IP address.

Example Wildcard IPv4 Addresses

These examples show a few ways you can specify a list of wildcard IP addresses. Use the wildcard calculator in the Add Member dialog box to generate a list of wildcard IP addresses based on the settings you specify.

The base IP address 10.0.0.5 and the netmask 255.255.0.255 generate a continuous list of 256 wildcard IP addresses in this sequence:

  • 10.0.0.5
  • 10.0.1.5
  • 10.0.2.5
  • 10.0.3.5

The base IP address 10.0.1.0 and the netmask 255.255.255.0 generate a continuous list of 256 wildcard IP addresses in this sequence:

  • 10.0.1.0
  • 10.0.1.1
  • 10.0.1.2
  • 10.0.1.3

A netmask octet does not have to be 0 or 255. An octet value that mixes one bits and zero bits wildcards only the zero bits, so the generated list is non-continuous. For example, the base IP address 10.0.0.1 and the netmask 255.255.255.249 (binary 11111001 in the last octet, so only the two middle bits are wildcards) generate a non-continuous list of four wildcard IP addresses:

  • 10.0.1.1
  • 10.0.1.3
  • 10.0.1.5
  • 10.0.1.7
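The following Python script is an added example that reproduces the calculator's behaviour described on this page; it is not WatchGuard code and makes no claim about how Fireware implements it internally. It applies the validity rule (wildcard bits must be zero in the base address), expands a base/netmask pair into the addresses it covers while truncating the list at 256 entries, and includes a match check that shows how a policy decides whether a given IP address falls under the wildcard. Note that with a base address of 10.0.0.1 the third octet stays at 0, because a netmask value of 255 fixes that octet.

```python
import ipaddress

MAX_SHOWN = 256  # the page states only the first 256 addresses are shown


def _to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_is_valid(base, netmask):
    """Validity rule: every wildcard bit (zero in the netmask) must be zero in the base."""
    wildcard_mask = ~_to_int(netmask) & 0xFFFFFFFF
    return _to_int(base) & wildcard_mask == 0


def wildcard_bits(netmask):
    """Bit positions (0 = least significant) that are zero in the netmask."""
    m = _to_int(netmask)
    return [b for b in range(32) if not (m >> b) & 1]


def expand_wildcard(base, netmask, limit=MAX_SHOWN):
    """Return the addresses covered by base/netmask in ascending order,
    truncated to `limit` entries like the built-in calculator.
    Raises ValueError for a base/netmask pair the rule above rejects."""
    if not wildcard_is_valid(base, netmask):
        raise ValueError(f"{base}/{netmask}: wildcard bits must be zero in the base address")
    bits = wildcard_bits(netmask)  # ascending, so counting up yields ascending addresses
    b = _to_int(base)
    addrs = []
    # Stop at `limit` combinations so a fully wildcarded mask cannot blow up to 2**32.
    for combo in range(min(1 << len(bits), limit)):
        v = b
        for i, bit in enumerate(bits):
            if (combo >> i) & 1:
                v |= 1 << bit
        addrs.append(str(ipaddress.IPv4Address(v)))
    return addrs


def wildcard_matches(ip, base, netmask):
    """Policy-style match: the fixed bits of `ip` must equal the fixed bits of the base."""
    m = _to_int(netmask)
    return _to_int(ip) & m == _to_int(base) & m


if __name__ == "__main__":
    print(expand_wildcard("10.0.0.5", "255.255.0.255")[:4])   # ['10.0.0.5', '10.0.1.5', '10.0.2.5', '10.0.3.5']
    print(expand_wildcard("10.0.0.1", "255.255.255.249"))     # ['10.0.0.1', '10.0.0.3', '10.0.0.5', '10.0.0.7']
    print(wildcard_matches("10.0.17.3", "10.0.0.3", "255.255.0.255"))  # True
```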

Related Topics

Use Wildcard IP Addresses in Policies and Aliases