Address Groups

Configuration > Templates & Policies > ACLs > Address Groups

Use the Address Groups tab to view and manage address groups in your SD-WAN network. An address group is a logical collection of IP hosts or subnets that can be referenced in source or destination matching criteria in the zone-based firewall and security policies (route, QoS, optimization, and so forth). You can specify both IPs to include and IPs to exclude within a group. Groups may also be nested, meaning one address group can reference another.

NOTE: Orchestrator supports up to 8 MB of address group definitions. For current usage, check the Address Groups UI.

Add an Address Group

Follow the steps below to create a new address group:

  1. Click Add Group to open the Add Address Group dialog box.

  2. Provide the following details in the fields provided:

    • Group name: Enter a unique name for the group, up to 64 characters long.
      NOTE: Group names can only contain uppercase and lowercase letters, numbers, dots, underscores, and hyphens.

    • IPs to include: Enter one or more IP addresses or subnets to include in the group (see Address Group Formats below).

    • IPs to exclude: Enter one or more IP addresses to exclude, in the case where you are including an IP range.

    • Groups to include: Enter the name of one or more address groups to include.
      NOTE: Group inclusion only supports two levels of nesting. For example, if Group1 includes Group2 and Group2 includes Group3, you cannot include Group1 anywhere because it already contains two levels of nested groups.

    • Comment: Enter an optional comment that describes the address group and how it might be used.

  3. Click Add to create the address group, or click Cancel to close the dialog box without making any changes.

Add a Rule to an Address Group

Follow the steps below to add a rule to an existing address group:

  1. Select the address group to which you want to add a rule from the drop-down list above the table.

  2. Click Add Rule to open the Add Rule dialog box.

  3. Provide the details for the new rule in the fields provided (see field descriptions in Add an Address Group).

  4. Click Add to create the rule or click Cancel to close the dialog box without making any changes.

Delete an Address Group

Follow the steps below to delete an address group:

  1. Select the address group you want to delete from the drop-down list above the table.

  2. Click Delete Group.

    A confirmation dialog box opens.

  3. Click Delete to confirm your choice and permanently remove the selected group and all of its rules. Otherwise, click Cancel to return to the list without deleting the group.

Export Address Groups

You can export the current address groups to a CSV file as a backup or to make bulk modifications outside of the Orchestrator UI.

To export address groups:

  1. Click Export CSV.

  2. In the save dialog box, browse to the location where you want to save the file, provide a name for the file, and then click Save.

  3. Open the saved file in Excel or another program to view or modify its contents.

    NOTE: When editing exported rules and address groups, you can modify the included or excluded IPs, included groups, or comments to overwrite the same rule when imported. If you modify the group name on a rule, however, it will create a new rule when imported.

Import Address Groups

To import address groups from a CSV file:

NOTE: You can import a file that was exported and modified, or a new file that contains data in the same rows and columns as the exported file. Columns are ordered as Name, Included IPs, Excluded IPs, Included Groups, and Comment. The first row of the import file will be ignored.

  1. Click Bulk Import to open the Address Groups - Bulk Upload dialog box.

  2. Click Choose File, locate and select the CSV file to be imported, and then click Open.

  3. Review the groups and rules to be imported.

  4. Click Save to import the file and merge with or replace the existing address groups, or click Cancel to close the dialog box without making any changes.

View a Single Address Group

By default, all address groups are displayed in the table on the Address Groups tab. To filter the table to a single address group, select the group from the drop-down list above the table.

NOTE: You can only add rules to an existing group when viewing a single address group. You cannot add a group with the same name as an existing group.

Edit or Delete a Rule

To edit or delete an existing rule, click the edit icon to the right of the rule. The Edit Rule dialog box opens.

  • To edit the rule, modify the available fields, and then click Save.

  • To delete the rule, click Delete.

Using Address Groups in Match Criteria

When specifying match criteria for IP/Subnet, you can use an address group by enabling the Src:Dest and Groups options.

Requirement and Behavior of Excluded IPs in Nested Groups

When you nest address groups, only the included IPs from the referenced (nested) group are considered for policy matching. Any IPs specified in the “exclude” field of the nested group are not evaluated or inherited by the parent group.

  • Excluded IPs are local to the group in which they are defined. If you create Group A and exclude certain IPs, and then nest Group A inside Group B, Group B will only inherit the included IPs from Group A. The excluded IPs from Group A do not propagate to Group B and are not considered when Group B is used in policy match criteria.

  • This behavior prevents unintended exclusions and maintains predictable, explicit group definitions. Each group’s exclusions apply only when that group is referenced directly in a policy or configuration.

  • Best practice: If you need to exclude specific IPs across multiple nested groups, you must explicitly exclude those IPs in each parent group where exclusion is required.

Example

Suppose you have:

  • Group A:
      Include: 10.1.1.0/24
      Exclude: 10.1.1.10

  • Group B:
      Include: Group A, 10.2.2.0/24
      Exclude: 10.2.2.20

When Group B is used in a policy, the excluded IP 10.1.1.10 from Group A is not automatically excluded by Group B. To exclude 10.1.1.10 when using Group B, you must add it to Group B’s exclude list.

Troubleshooting and Validation

  • If you observe that excluded IPs from nested groups are not being excluded in policy matches, this is expected behavior.

  • To enforce exclusions at all levels, review and update the exclude lists in each group as needed.
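
The inheritance rule above, modeled as an added example (not Orchestrator code): includes are pulled in from nested groups, excludes are read only from the group being matched, and unpropagated_exclusions lists the nested exclusions a parent does not repeat. The dictionary layout and function names are assumptions of this sketch, GroupA and GroupB stand in for Group A and Group B, and only plain IPs and CIDR subnets are handled.

```python
import ipaddress

# Constructed from the Group A / Group B example on this page.
GROUPS = {
    "GroupA": {"include": ["10.1.1.0/24"], "exclude": ["10.1.1.10"], "groups": []},
    "GroupB": {"include": ["10.2.2.0/24"], "exclude": ["10.2.2.20"], "groups": ["GroupA"]},
}

def _nets(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def inherited_includes(groups, name):
    """Own includes plus the includes of nested groups; nested excludes are not inherited.
    Assumes the nesting is acyclic (the page limits it to two levels)."""
    nets = _nets(groups[name]["include"])
    for child in groups[name]["groups"]:
        nets += inherited_includes(groups, child)
    return nets

def matches(groups, name, ip):
    """True if ip matches when group `name` is referenced directly in a policy."""
    addr = ipaddress.ip_address(ip)
    included = any(addr in n for n in inherited_includes(groups, name))
    excluded = any(addr in n for n in _nets(groups[name]["exclude"]))
    return included and not excluded

def unpropagated_exclusions(groups):
    """(parent, nested group, entry) for each nested exclusion the parent does not repeat."""
    findings = []
    for parent, g in groups.items():
        own = _nets(g["exclude"])
        stack = list(g["groups"])
        while stack:
            child = stack.pop()
            stack.extend(groups[child]["groups"])
            for entry in groups[child]["exclude"]:
                net = ipaddress.ip_network(entry, strict=False)
                if not any(net.subnet_of(o) for o in own):
                    findings.append((parent, child, entry))
    return findings
```

Each finding is an address that a policy matching on the parent group will still match, even though the nested group excludes it.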

Address Group Formats

An address group can include IP addresses, subnets, address groups, or any combination thereof. For IPs and subnets, the following formats are allowed:

  • One or more IP addresses: 10.10.10.1 or 10.10.10.2, 10.10.10.2, 10.10.10.3

  • IP subnet: 10.10.0.0/16 or 10.10.0.0/255.255.0.0

  • IP range: 10.10.10.10-20

  • IP range and subnet: 10.10-20.0.0/16, 10.10-20.0.0/255.255.0.0

  • IP wildcard: 10.10.10.* (you can use the wildcard in any octet)

  • Wildcard and mask: 10.*.0.0/16, 10.*.0.0/255.255.0.0
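
A pre-import check for a CSV in the column order given under Import Address Groups, added here as an example and not part of Orchestrator: it validates group names, the IP formats listed above, and the two-level nesting limit. The function names, the comma separator inside a cell, ASCII-only group names, and applying the same format check to the exclude column are assumptions.

```python
import csv, io, re

NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
OCTET = r"(\*|\d{1,3}(?:-\d{1,3})?)"          # number, range a-b, or wildcard
MASK = r"(\d{1,2}|\d{1,3}(?:\.\d{1,3}){3})"   # prefix length or dotted mask
ENTRY_RE = re.compile(rf"{OCTET}\.{OCTET}\.{OCTET}\.{OCTET}(?:/{MASK})?")

def split_cell(cell):  # assumption: entries within one cell are comma-separated
    return [p.strip() for p in cell.split(",") if p.strip()]

def entry_ok(entry):  # True for the IP, subnet, range and wildcard forms listed above
    m = ENTRY_RE.fullmatch(entry)
    if not m:
        return False
    for octet in m.groups()[:4]:
        lo, _, hi = octet.partition("-")
        if octet != "*" and not int(lo) <= int(hi or lo) <= 255:
            return False
    mask = m.group(5)
    if mask is None or "." not in mask:
        return mask is None or int(mask) <= 32
    parts = [int(p) for p in mask.split(".")]
    return max(parts) <= 255 and "01" not in "".join(f"{p:08b}" for p in parts)

def depth(name, nested, seen=()):
    if name in seen:
        return 99                                 # cycle: report as too deep
    return max((1 + depth(k, nested, seen + (name,)) for k in nested.get(name, ())), default=0)

def lint(csv_text):  # returns (row number or None, message) for each problem
    rows = list(csv.reader(io.StringIO(csv_text)))[1:]   # first row is ignored on import
    problems, nested = [], {}
    for n, row in enumerate(rows, start=2):
        name, inc, exc, groups = (row + [""] * 4)[:4]    # documented column order
        if not NAME_RE.fullmatch(name):
            problems.append((n, f"invalid group name {name!r}"))
        problems += [(n, f"unrecognised address format {e!r}")
                     for e in split_cell(inc) + split_cell(exc) if not entry_ok(e)]
        nested.setdefault(name, set()).update(split_cell(groups))
    return problems + [(None, f"{g}: more than two levels of nested groups")
                       for g in nested if depth(g, nested) > 2]

# Constructed sample in the documented column order (not a real export).
SAMPLE = '''Name,Included IPs,Excluded IPs,Included Groups,Comment
g0,"10.10.0.0/16, 10.10-20.0.0/255.255.0.0",10.10.10.1,g1,
bad name!,10.10.10.300,,,two problems
g1,10.*.0.0/16,,g2,
g2,10.10.10.10-20,,g3,
'''
```

Calling lint(SAMPLE) reports the invalid name and the out-of-range octet on row 3, and flags g0 because g0, g1, g2 and g3 form three levels of nesting.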