Managing IP Address Groups
Scenario
An IP address group contains multiple IP addresses. You can reference an IP address group in an access rule to implement unified traffic control for that group. Updates to an IP address group are automatically synchronized to all the policies associated with it. This lets you modify policies quickly and avoid repeated configuration, improving O&M efficiency.
Constraints
- When adding user-defined IP addresses and address groups:
  - A firewall instance can have up to 3,800 IP address groups.
  - An IP address group can contain up to 640 IP addresses. A maximum of 100 IP addresses can be added to an IP address group at a time.
  - A firewall instance can contain up to 30,000 IP addresses.
- You can only view predefined address groups. You cannot add IP addresses to them, or modify or delete them.
- The address group referenced by a protection rule cannot be deleted. Modify or delete the rule first.
Adding User-defined Address Groups
- Log in to the management console.
- Click the icon in the upper left corner of the management console. Select a region.
- In the navigation pane on the left, click the icon and choose . The Dashboard page will be displayed.
- (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
- In the navigation pane, choose .
- Click Add IP Address Group on the IP Address Groups tab page. In the displayed Add IP Address Group dialog box, configure parameters, as shown in Table 1.
  Table 1 IP address group parameters
  - IP Address Group Name: Name of an IP address group. It must meet the following requirements:
    - Only uppercase letters (A to Z), lowercase letters (a to z), numbers (0 to 9), and the following special characters are allowed: -_
    - The length cannot exceed 255 characters.
  - Description: Usage and application scenario of a rule. It must meet the following requirements:
    - Only letters (A to Z and a to z), numbers (0 to 9), spaces, and the following characters are allowed: -_
    - The length cannot exceed 255 characters.
  - IP Addresses: Enter IP addresses and click Parse to add them to the IP address list. The input rules are as follows:
    - A single IP address, for example, 192.168.10.5
    - Address segment, for example, 192.168.2.0/24
    - Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
    - Multiple IP addresses. Use commas (,), semicolons (;), line breaks, tab characters, or spaces to separate them. Example: 192.168.1.0,192.168.1.0/24.
- Confirm the information and click OK. The IP address group is added.
After adding an IP address group for the first time, you need to add IP addresses to it. For details, see Adding an IP Address to a User-defined Address Group.
Adding an IP Address to a User-defined Address Group
- Log in to the management console.
- Click the icon in the upper left corner of the management console. Select a region.
- In the navigation pane on the left, click the icon and choose . The Dashboard page will be displayed.
- (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
- In the navigation pane, choose .
- Click the name of an IP address group on the IP Address Groups tab. The IP Address Group Details dialog box is displayed.
- Click Add IP Address. The Add IP Address slide-out panel is displayed.
  - To add IP addresses in batches, enter the IP addresses in the text box and click Parse. The input can be:
    - A single IP address, for example, 192.168.10.5
    - Address segment, for example, 192.168.2.0/24
    - Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
    - Multiple IP addresses. Separate them using commas (,), semicolons (;), tab characters, or spaces, or put each value on a separate line.
  - To add a single IP address, click Add, and enter the IP address and description.
- Confirm the information and click OK.
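The input rules and the limits under Constraints can be checked offline before a batch is pasted into the console. The following Python code is an added example, not part of CFW or its documentation: it assumes each entry counts as one IP address toward the 100-per-batch and 640-per-group limits, and the strict CIDR check and the overlap report are choices of this example rather than documented console behaviour. The function names and the sample input are constructed for illustration.

```python
import ipaddress
import re

MAX_PER_BATCH = 100  # limit stated on this page: addresses added at a time
MAX_PER_GROUP = 640  # limit stated on this page: addresses per group
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,255}")  # group name rule from Table 1

def valid_group_name(name):
    return NAME_RE.fullmatch(name) is not None

def parse_entry(text):
    """Return (kind, first, last) for one entry, or raise ValueError."""
    if "-" in text:  # consecutive IP addresses, e.g. 192.168.0.2-192.168.0.10
        lo, hi = (ipaddress.ip_address(p) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {text}")
        return ("range", lo, hi)
    if "/" in text:  # address segment; strict=True rejects host bits (example's choice)
        net = ipaddress.ip_network(text, strict=True)
        return ("segment", net[0], net[-1])
    addr = ipaddress.ip_address(text)
    return ("single", addr, addr)

def check_batch(raw, existing_count=0):
    """Split pasted input on , ; and whitespace; report valid entries, errors, overlaps."""
    valid, errors, overlaps = [], [], []
    for tok in (t for t in re.split(r"[,;\s]+", raw) if t):
        try:
            entry = (tok, *parse_entry(tok))  # (text, kind, first, last)
        except ValueError as exc:
            errors.append((tok, str(exc)))
            continue
        for other in valid:  # flag entries whose address spans intersect
            same_family = other[2].version == entry[2].version
            if same_family and other[2] <= entry[3] and entry[2] <= other[3]:
                overlaps.append((other[0], tok))
        valid.append(entry)
    return {
        "valid": [v[0] for v in valid],
        "errors": errors,
        "overlaps": overlaps,
        # Assumption: each entry counts as one "IP address" toward the limits.
        "batch_ok": len(valid) <= MAX_PER_BATCH,
        "group_ok": existing_count + len(valid) <= MAX_PER_GROUP,
    }

# Constructed sample input mixing every separator the page lists.
SAMPLE = ("192.168.10.5, 192.168.2.0/24;192.168.0.2-192.168.0.10\n"
          "192.168.1.0,192.168.1.0/24\t10.0.0.5/24 192.168.0.300")
```

Running `check_batch(SAMPLE)` reports the page's own example pair, 192.168.1.0 and 192.168.1.0/24, as overlapping, which is worth catching because a redundant entry still consumes group capacity under the counting assumption above.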
Viewing a Predefined Address Group
CFW provides predefined address groups, including NAT64 Address Set and WAF_Back-to-Source_IP_Addresses. You are advised to configure policies to allow access from both address groups.
- NAT64 Address Set: provides the IP addresses that have been converted. If the IPv6 EIP function is enabled, CFW will convert a source IPv6 address to an IP address in this address group. For details about the IPv6 EIP function, see Assigning or Releasing an IPv6 EIP.
  If you have enabled the IPv6 EIP function, you are advised to allow traffic from NAT64 Address Set.
- WAF_Back-to-Source_IP_Addresses: provides back-to-source IP addresses of WAF in cloud mode. For more information, see What Are Back-to-Source IP Addresses?
  - If these groups are specified in a protection rule and the back-to-source IP address changes, you do not need to manually update the rule. The firewall automatically updates the IP address in the address group every day.
  - If these groups are added to the blacklist or whitelist, and the back-to-source IP address changes, you need to manually update the blacklist or whitelist.
- Log in to the management console.
- Click the icon in the upper left corner of the management console. Select a region.
- In the navigation pane on the left, click the icon and choose . The Dashboard page will be displayed.
- (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
- In the navigation pane, choose .
- Click the IP Address Groups tab. Click the Pre-defined Address Groups tab and click the name of an address group. On the details page that is displayed, view the address group information.
Deleting User-defined IP Address Groups

Deleted IP address groups cannot be restored. Exercise caution when performing this operation.
- Log in to the management console.
- Click the icon in the upper left corner of the management console. Select a region.
- In the navigation pane on the left, click the icon and choose . The Dashboard page will be displayed.
- (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
- In the navigation pane, choose .
- Click the IP Address Groups tab. In the Operation column of an IP address group, click Delete.
- In the displayed dialog box, confirm the information, enter DELETE, and click OK.
Related Operations
- Exporting IP address groups: Click Export above the list and select a data range.
- Batch deleting IP addresses: In the IP Address Group Details slide-out panel, select IP addresses and click Delete above the list.