Updated on 2025-07-23 GMT+08:00

Managing IP Address Groups

Scenario

An IP address group contains multiple IP addresses. You can reference an IP address group in an access rule to implement unified traffic control for that group. Updates to an IP address group are automatically synchronized to all the policies associated with it. This helps you quickly modify policies and avoid repeated configuration, improving O&M efficiency.

Constraints

  • When adding user-defined IP addresses and address groups:
    • A firewall instance can have up to 3,800 IP address groups.
    • An IP address group can contain up to 640 IP addresses. A maximum of 100 IP addresses can be added to an IP address group at a time.
    • A firewall instance can contain up to 30,000 IP addresses.
  • Predefined address groups can only be viewed. You cannot add IP addresses to them, or modify or delete them.
  • The address group referenced by a protection rule cannot be deleted. Modify or delete the rule first.

Adding User-defined Address Groups

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Object Groups.
  6. On the IP Address Groups tab page, click the User-defined Address Groups sub-tab and click Add IP Address Group. On the displayed Add IP Address Group page, configure parameters.

    Table 1 IP address group parameters

    • IP Address Group Name: Name of an IP address group. It must meet the following requirements:
      • Only uppercase letters (A to Z), lowercase letters (a to z), numbers (0 to 9), and the following special characters are allowed: -_
      • The length cannot exceed 255 characters.
    • IP Addresses: Enter IP addresses and click Parse to add them to the IP address list. The input rules are as follows:
      • A single IP address, for example, 192.168.10.5
      • Address segment, for example, 192.168.2.0/24
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Multiple IP addresses. Use commas (,), semicolons (;), line breaks, tab characters, or spaces to separate them. Example: 192.168.1.0,192.168.1.0/24.
    • Description: Usage and application scenario of a rule. It must meet the following requirements:
      • Only letters (A to Z and a to z), numbers (0 to 9), spaces, and the following characters are allowed: -_
      • The length cannot exceed 255 characters.

  7. Confirm the information and click OK.

Adding an IP Address to a User-defined Address Group

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Object Groups.
  6. On the IP Address Groups tab page, click the User-defined Address Groups sub-tab. Click an IP address group name.
  7. Click Add IP Address. The Add IP Address slide-out panel is displayed.

    • To add IP addresses in batches, enter the IP addresses in the text box and click Parse.
      The input rules are as follows:
      • A single IP address, for example, 192.168.10.5
      • Address segment, for example, 192.168.2.0/24
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Multiple IP addresses. Use commas (,), semicolons (;), line breaks, tab characters, or spaces to separate them. Example: 192.168.1.0,192.168.1.0/24.
    • To add a single IP address, click Add, and enter the IP address and description.

  8. Confirm the information and click OK.
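
The input rules and limits above can be checked offline before pasting a long list into the Parse box. The following Python sketch is an added example, not part of the CFW product or its API; the function names and the sample string are constructed for illustration, and it assumes each parsed entry (single address, segment, or range) counts as one IP address toward the 100-per-operation and 640-per-group limits.

```python
import ipaddress
import re

MAX_PER_GROUP = 640   # page: an IP address group can contain up to 640 IP addresses
MAX_PER_BATCH = 100   # page: at most 100 IP addresses can be added at a time
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,255}")  # page: letters, digits, - and _, max 255
SEPARATORS = re.compile(r"[,;\s]+")            # page: comma, semicolon, newline, tab, space

# Constructed sample input: three valid entries, a reversed range,
# an out-of-range octet, and a duplicate of the first entry.
SAMPLE = ("192.168.10.5, 192.168.2.0/24;192.168.0.2-192.168.0.10\n"
          "192.168.0.10-192.168.0.2\t300.1.1.1 192.168.10.5")


def classify(entry):
    """Return 'single', 'cidr' or 'range' for a valid entry, else raise ValueError."""
    if "/" in entry:
        ipaddress.ip_network(entry, strict=False)
        return "cidr"
    if "-" in entry:
        start, _, end = entry.partition("-")
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or lo > hi:
            raise ValueError("range start must not exceed range end")
        return "range"
    ipaddress.ip_address(entry)
    return "single"


def plan_batches(group_name, raw, existing=0):
    """Validate pasted input. `existing` is the number of entries already in the group.
    Returns (batches, errors); each batch holds at most MAX_PER_BATCH entries."""
    errors = []
    if not NAME_RE.fullmatch(group_name):
        errors.append(f"invalid group name: {group_name!r}")
    seen, valid = set(), []
    for entry in filter(None, SEPARATORS.split(raw)):
        try:
            classify(entry)
        except ValueError as exc:
            errors.append(f"{entry}: {exc}")
            continue
        if entry not in seen:  # drop exact duplicates, keep first-seen order
            seen.add(entry)
            valid.append(entry)
    # Assumption: every parsed entry counts as one IP address toward the limits.
    if existing + len(valid) > MAX_PER_GROUP:
        errors.append(f"{existing + len(valid)} entries exceed the {MAX_PER_GROUP}-per-group limit")
    batches = [valid[i:i + MAX_PER_BATCH] for i in range(0, len(valid), MAX_PER_BATCH)]
    return batches, errors
```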

Viewing a Predefined Address Group

CFW provides you with predefined address groups, including NAT64 Address Set and WAF_Back-to-Source_IP_Addresses. You are advised to configure policies to allow access from both address groups.

  • NAT64 Address Set: provides the IP addresses that have been converted. If the IPv6 EIP function is enabled, CFW will convert a source IPv6 address to an IP address in this address group. For details about the IPv6 EIP function, see Assigning or Releasing an IPv6 EIP.

    If you have enabled the IPv6 EIP function, you are advised to allow traffic from NAT64 Address Set.

  • WAF_Back-to-Source_IP_Addresses: provides back-to-source IP addresses of WAF in cloud mode. For more information, see What Are Back-to-Source IP Addresses?
    • If these groups are specified in a protection rule and the back-to-source IP address changes, you do not need to manually update the rule. The firewall automatically updates the IP address in the address group every day.
    • If these groups are added to the blacklist or whitelist, and the back-to-source IP address changes, you need to manually update the blacklist or whitelist.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Object Groups.
  6. Click the IP Address Groups tab. Click the Pre-defined Address Groups tab and click the name of an address group.
  7. View the name, type, and IP addresses of the predefined address group.

Deleting User-defined IP Address Groups

Deleted IP address groups cannot be restored. Exercise caution when performing this operation.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Object Groups.
  6. Delete a user-defined IP address group.

    • Deleting a user-defined IP address group
      1. On the IP Address Groups tab page, click the User-defined Address Groups sub-tab. In the Operation column of an IP address group name, click Delete.
      2. In the dialog box that is displayed, confirm the information, enter DELETE, and click OK.
    • Deleting user-defined IP address groups
      1. On the IP Address Groups tab page, click the User-defined Address Groups tab, select multiple IP address groups, and click Delete above the list.
      2. In the dialog box that is displayed, confirm the information, enter DELETE, and click OK.

Related Operations

  • Exporting IP address groups: Click Export above the list and select a data range.
  • Batch deleting IP addresses: In the IP Address Group Details slide-out panel, select IP addresses and click Delete above the list. Confirm the information and click OK.