FortiGate
cpaz
Staff
Article Id 317702
Description: This article provides an overview of the firewall wildcard address type and its usage.
Scope: FortiGate.
Solution

Wildcard address objects can be used to summarize repetitive ranges or addresses such as the following:

  • 192.168.X.10.
  • 10.X.Y.254.

They are not limited to wildcarding entire octets. They can also be used for things like:

  • All IPs in 192.168.0.0/16 (or any subnet with a conventional netmask) whose last octet is odd (or even).
  • The first 2 IPs in 10.1.2.0/24, skip two, then the next two, and so on.
  • Selecting, say, 4 or 8 IPs in a /24 block, spaced as far apart from each other as possible.

The wildcard address object is specified with a base IP address and a 'netmask'.

This 'netmask' is not limited to the traditional contiguous values (255, 254, 252, etc.). It is an arbitrary bitmask that is ANDed with both values (the wildcard base IP address and the IP being evaluated) before the two results are compared; the IP matches when they are equal.

A single wildcard address cannot be created for the range 10.X.20.Y - 10.X.21.Y; it is necessary to create two wildcard addresses:

config firewall address
    edit "example_wildcard_address"
        set uuid 42e6b832-eais-51ef-xxxx-26280aa4408b
        set type wildcard
        set wildcard 10.0.20.0 255.0.255.0
    next
end

config firewall address
    edit "example_wildcard_address_2"
        set uuid 9b1d4078-zzzz-51ef-yyyy-153d9cf27067
        set type wildcard
        set wildcard 10.0.21.0 255.0.255.0
    next
end

Here X and Y can each take any value: the netmask 255.0.255.0 keeps the first and third octets fixed and ignores the second and fourth.

Below are some examples of what can be achieved with this:


Wildcard base IP                              | Wildcard netmask | Matches
----------------------------------------------|------------------|-------------------------------------------------------
10.1.1.27                                     | 255.255.0.255    | 10.1.x.27, where x is any value
10.1.1.1, 10.1.1.3, 10.1.1.5, ..., 10.1.1.255 | 255.255.255.1    | 10.1.1.x, where x is an odd value
10.1.1.0, 10.1.1.2, 10.1.1.4, ..., 10.1.1.254 | 255.255.255.1    | 10.1.1.x, where x is an even value
10.1.1.1, 10.1.1.3, ..., 10.1.1.127           | 255.255.255.129  | 10.1.1.x, where x is an odd value < 128
10.1.1.128, 10.1.1.130, ..., 10.1.1.254       | 255.255.255.129  | 10.1.1.x, where x is an even value >= 128
10.1.1.0                                      | 255.255.0.252    | 10.1.x.y, where x is any value and y is between 0 and 3
10.1.1.0                                      | 255.255.255.63   | 10.1.1.x, where x is 0, 64, 128 or 192
10.1.1.10                                     | 255.255.255.31   | 10.1.1.x, where x is 10, 42, 74, 106, 138, 170, 202 or 234

Where a row lists several base IPs, any one of them produces the same match set, because only the bits kept by the netmask take part in the comparison.
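The AND-then-compare rule and the table rows above, worked through as an added Python example (this is not code from the Fortinet article or from FortiOS): it evaluates a candidate IP against a wildcard object, enumerates the last-octet matches for each row, and derives the tightest single wildcard for a set of hosts while flagging whether that object also admits hosts that were not intended, which is the usual way a wildcard object becomes over-permissive. The function names and the sample IPs are constructed for this example.

```python
from __future__ import annotations
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(ip: str, base: str, mask: str) -> bool:
    """FortiGate wildcard rule: AND both the base and the candidate IP with the
    netmask, then compare. The mask is any 32-bit pattern, not a contiguous prefix."""
    m = to_int(mask)
    return (to_int(ip) & m) == (to_int(base) & m)


def last_octet_matches(base: str, mask: str, prefix: str = "10.1.1") -> list[int]:
    """Enumerate the last-octet values x for which prefix.x matches (base, mask)."""
    return [x for x in range(256) if wildcard_matches(f"{prefix}.{x}", base, mask)]


def tightest_wildcard(ips: list[str]) -> tuple[str, str, bool]:
    """Derive the tightest single wildcard object covering every IP in ips: a mask
    bit is 1 only where all IPs agree on that bit. The returned flag is True when
    the object matches exactly these IPs and False when it also admits other hosts,
    i.e. when the set cannot be expressed exactly with one wildcard object."""
    vals = {to_int(ip) for ip in ips}
    all_ones = MASK32   # bits set in every IP
    all_zeros = MASK32  # bits clear in every IP
    for v in vals:
        all_ones &= v
        all_zeros &= ~v & MASK32
    mask = all_ones | all_zeros
    free_bits = 32 - bin(mask).count("1")   # each free bit doubles the match set
    return ips[0], str(ipaddress.IPv4Address(mask)), (1 << free_bits) == len(vals)


if __name__ == "__main__":
    # Constructed sample input: the odd-value row and the stride-of-32 row
    print(last_octet_matches("10.1.1.1", "255.255.255.1")[:5])
    print(last_octet_matches("10.1.1.10", "255.255.255.31"))
    # Two adjacent hosts that no single wildcard object can express exactly
    print(tightest_wildcard(["10.1.1.1", "10.1.1.2"]))
```

Running tightest_wildcard over the hosts a policy is meant to reach, and treating a False flag as a finding, is a cheap review step before a wildcard object is placed in a firewall policy.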