FortiGate
chanm
Staff
Article Id 332021
Description: This article describes how to retrieve all IP addresses associated with an address group in the CLI.
Scope: All FortiOS versions.
Solution

When there are many address objects in an address group, it can be difficult to get the full list of IP addresses of all member address objects from the GUI.


The iprope table contains the various policies/objects that FortiOS checks when assessing how traffic should be handled. The iprope entry for a firewall policy will list all IPs of Subnet-based address objects, IP Range-based address objects, as well as any IPs resolved for FQDN-based address objects that are referenced in the firewall policy.


For example, consider the following configuration:


config firewall address
    edit "VPN_IP_Range"
        set type iprange
        set start-ip 172.29.0.1
        set end-ip 172.29.0.2
    next
    edit "support.fortinet.com FQDN"
        set type fqdn
        set fqdn "support.fortinet.com"
    next
    edit "10.0.0.0/8"
        set subnet 10.0.0.0 255.0.0.0
    next
end

config firewall addrgrp
    edit "Address_Group"
        set member "VPN_IP_Range" "support.fortinet.com FQDN" "10.0.0.0/8"
    next
end


  1. Create a firewall policy that only has the address group in either the Source or Destination field. This firewall policy will need to be enabled for the iprope entry to be active, so the firewall policy should be configured in a way that will not impact production traffic (i.e. set the Incoming/Outgoing Interface to an unused or loopback interface).
    Alternatively, if the address group is already used in an existing firewall policy as the sole Source or Destination, then that policy can be used instead for the next steps.

  2. Open the FortiGate CLI and run diagnose firewall iprope list 0x100004. This command returns the iprope table entries related to firewall policies.

  3. Search the output for the index of the firewall policy created in step 1. The output will be similar to the following:


policy index=5555 uuid_idx=685 action=accept
flag (8010000): master pol_stats
flag2 (4000): resolve_sso
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255  cos_rev=255
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 31 -> zone(1): 31
source(2): 10.0.0.0-10.255.255.255, uuid_idx=684, 172.29.0.1-172.29.0.2, uuid_idx=684,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=538,
source fqdn address (1):  uuid_idx=684
        support.fortinet.com ID(227)
        ADDR(63.137.229.1)
service(1):
        [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto


  4. Depending on whether the address group was added to the Source or the Destination of the firewall policy, review the corresponding source or destination output of the iprope entry to get all IP addresses associated with the address group. Note that in some cases there may be multiple iprope entries for a single firewall policy.
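As an added example (not part of the article or of FortiOS itself), the following Python script carries out step 4 over a saved copy of the `diagnose firewall iprope list 0x100004` output: it collects the source/dest IP ranges and the resolved FQDN addresses for a chosen policy index, and merges several entries that share the same index. The sample text is constructed from the entry shown above; the `dest fqdn address` header form is assumed by analogy with the `source fqdn address` header, since the article only shows the source form.

```python
import re
from typing import Dict, List
# Constructed sample: the article's entry (trimmed) plus a second minimal entry.
SAMPLE_OUTPUT = """\
policy index=5555 uuid_idx=685 action=accept
source(2): 10.0.0.0-10.255.255.255, uuid_idx=684, 172.29.0.1-172.29.0.2, uuid_idx=684,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=538,
source fqdn address (1):  uuid_idx=684
        support.fortinet.com ID(227)
        ADDR(63.137.229.1)
service(1):
policy index=5556 uuid_idx=686 action=accept
source(1): 192.0.2.10-192.0.2.10, uuid_idx=700,
"""
SECTIONS = ("source", "dest", "source fqdn", "dest fqdn")
RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
ADDR_RE = re.compile(r"ADDR\((\d+\.\d+\.\d+\.\d+)\)")

def parse_iprope(text: str) -> Dict[int, Dict[str, List[str]]]:
    """Collect IP ranges and resolved FQDN IPs per policy index; entries that
    share an index (the article notes this can happen) are merged."""
    entries: Dict[int, Dict[str, List[str]]] = {}
    current = None    # record of the entry being read
    fqdn_side = None  # "source"/"dest" while inside an fqdn address block
    for line in text.splitlines():
        m = re.match(r"policy index=(\d+)", line)
        if m:
            current = entries.setdefault(int(m.group(1)), {k: [] for k in SECTIONS})
            fqdn_side = None
            continue
        if current is None:
            continue
        s = line.strip()
        m = re.match(r"(source|dest)\(\d+\):", s)
        if m:  # range line: "<side>(n): a-b, uuid_idx=..., c-d, ..."
            current[m.group(1)].extend(f"{a}-{b}" for a, b in RANGE_RE.findall(s))
            continue
        m = re.match(r"(source|dest) fqdn address \(\d+\):", s)  # "dest" form assumed
        if m:
            fqdn_side = m.group(1)
            continue
        if fqdn_side and s.startswith("ADDR("):
            current[fqdn_side + " fqdn"].extend(ADDR_RE.findall(s))
        elif s and not line.startswith(" "):
            fqdn_side = None  # any other unindented line ends the fqdn block
    return entries

def group_ips(text: str, index: int, side: str) -> List[str]:
    """Step 4: every IP (ranges plus resolved FQDNs) on one side of one policy."""
    entry = parse_iprope(text)[index]
    return entry[side] + entry[side + " fqdn"]
```

Replace `SAMPLE_OUTPUT` with the captured CLI output and call `group_ips(output, <policy index>, "source")` or `"dest"` to get the address group's full IP list.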