Address Object Naming Best Practices

Next-generation firewalls use objects within firewall policies.  There are many benefits to this, such as:

  • Ability to reuse a single object in multiple firewall rules.
  • If an object is used in multiple places but requires a change, only the object needs to be modified instead of each individual rule where it is referenced.
  • Simplifies templating the configuration to be deployed over multiple distinct locations.

There is a host of other reasons why the concept of objects has been adopted, but that is out of scope for this post.  Instead, I want to focus on the best practices I have used when creating these objects on the FortiGate.

  • Always use lower case letters when defining your network objects
  • Do not use special characters (with the exception of “-”, “_” and “.”) when defining the objects
  • Do not use spaces between multiple words; instead, use a hyphen (-) or underscore (_)
  • Descriptively name your objects

Address Objects

Important Tip: When defining address objects, do not use the network address within the object name when you are deploying multiple sites with the same policy.

IP/Netmask (Subnet)

When creating a network object, come up with a descriptive name for the network and preface the object name with an “n” for network.  It should follow the nomenclature:

n-<descriptive_name>

For example, if I have a home network that my IP cameras are on and they belong to the 192.168.1.0/24 network, I would have the following entry in my FortiGate:

CLI
config firewall address
    edit "n-home_ip_cameras"
        set subnet 192.168.1.0 255.255.255.0
    next
end
GUI

IP Range

When creating a range of network addresses, come up with a descriptive name for the range and preface the object name with an “r” for range.  It should follow the nomenclature:

r-<descriptive_name>

For example, if I have a home network and my IP cameras are in the specific range of 192.168.1.10 – 192.168.1.15, I would have the following entry in my FortiGate:

CLI
config firewall address
    edit "r-home_ip_cameras"
        set type iprange
        set start-ip 192.168.1.10
        set end-ip 192.168.1.15
    next
end
GUI

Fully Qualified Domain Name (FQDN)

When creating an FQDN object, just use the FQDN itself as the object name.  There is no need for a prefix, because a domain name is unique and can only correspond to one type of object.  For example, if I were defining an object for “www.google.com”, I would have the following entry on my FortiGate:

CLI
config firewall address
    edit "www.google.com"
        set type fqdn
        set fqdn "www.google.com"
    next
end
GUI

Geography

When creating an address object for a geography, use the country name for the object name and preface it with a “g” for geography.  It should follow the nomenclature:

g-<country_name>

For example, if I want to create a geography object for Canada, I would have the following entry in my FortiGate:

CLI
config firewall address
    edit "g-canada"
        set type geography
        set country "CA"
    next
end
GUI
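To make these conventions checkable rather than just remembered, here is an added example (my own script, not from Fortinet or the original post) that parses a "config firewall address" block and flags names that break the rules above: upper case or disallowed characters, a missing n-/r-/g- prefix for the object type, an FQDN object whose name differs from its fqdn value, and an IP address embedded in the name.  The sample config is constructed for the demo; it assumes the CLI layout shown in this post and that a block without "set type" is a subnet, which FortiGate reports as type ipmask.

```python
import re
# Constructed sample (not from a real device): two compliant objects, one bad.
SAMPLE_CONFIG = """\
config firewall address
    edit "n-home_ip_cameras"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "www.google.com"
        set type fqdn
        set fqdn "www.google.com"
    next
    edit "Guest WiFi 192.168.50.0"
        set subnet 192.168.50.0 255.255.255.0
    next
end
"""

NAME_RE = re.compile(r"^[a-z0-9._-]+$")  # lower case, digits, '-', '_', '.'
PREFIX_FOR_TYPE = {"ipmask": "n-", "iprange": "r-", "geography": "g-"}

def parse_address_objects(text):
    """Map object name -> settings; no 'set type' means a subnet (ipmask)."""
    objects, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('edit "'):
            current = line[6:-1]
            objects[current] = {"type": "ipmask"}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            objects[current][key] = value.strip('"')
        elif line == "next":
            current = None
    return objects

def check_name(name, attrs):  # returns the rule violations for one object
    problems = []
    if not NAME_RE.match(name):
        problems.append("use only lower case letters, digits, '-', '_' and '.'")
    kind = attrs["type"]
    if kind == "fqdn" and name != attrs.get("fqdn"):
        problems.append("FQDN object name should equal its fqdn value")
    elif kind in PREFIX_FOR_TYPE and not name.startswith(PREFIX_FOR_TYPE[kind]):
        problems.append(f"{kind} objects should start with '{PREFIX_FOR_TYPE[kind]}'")
    if re.search(r"\d+\.\d+\.\d+\.\d+", name):
        problems.append("IP address in the name breaks reuse across sites")
    return problems

def lint(text):  # {name: [violations]} for every non-compliant object
    return {n: p for n, a in parse_address_objects(text).items() if (p := check_name(n, a))}
```

Running lint(SAMPLE_CONFIG) reports only the "Guest WiFi 192.168.50.0" object, with three separate findings.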