Before you can configure policies to permit, deny, or tunnel traffic to and from individual hosts and subnets, you must create entries for the host or subnet addresses.
ScreenOS classifies the addresses of all other devices by location and netmask. Each zone possesses its own list of addresses and address groups.
An IPv4 or IPv6 individual host has only one IP address and appears as a single computer icon in the Address List.
IPv4 hosts must have a netmask setting of 255.255.255.255 (invalidates all hosts except this particular one).
IPv6 hosts must have a prefix length of /128.
IPv4 or IPv6 subnets have an IP address and appear as multiple computer icons in the IP Address List.
An IPv4 netmask contains 255 for exact MATCH portions of the address and zeros (0) to indicate that ANY in that portion of the address is valid. For example, in the netmask 255.255.0.0, the first two tuples must match and the last two tuples can be any valid IPv4 address portion (0-256).
An IPv6 subnet contains a prefix length from 0 to 127. Typical prefix lengths are /32 and /64.
Enter the necessary information:
Address Name: Enter a name that helps you easily identify the address. The name must be unique and no longer than 20 characters. The name must be descriptive as it appears in several drop-down lists, for example, on the Policy Configuration page.
Comment: Enter any additional information (limit 30 characters).
IP Address/Domain Name: You have the option to use a 4-octet numeric address (with a netmask) or a domain name expressed as a Web URL (Uniform Resource Locator).
IPv4/Netmask or IPv6/Prefix: Select this option and enter either an IPv4address and netmask or IPv6 address and prefix length.
IPv4: A netmask address combined with the IP address, can specify a range of addresses. For example, for the IP address 201.2.3.4, a netmask address of 255.255.255.0 specifies a range of addresses from 201.2.3.0 to 201.2.3.255. Alternatively, for an IP address 201.2.3.4, a netmask address of 255.255.255.255 specifies only 201.2.3.4.
IPv6: A prefix length of /128 indicates a single IPv6 host. A prefix length of /0 to /127 indicates multiple hosts.
or
Domain Name: Select this option and enter a domain name.
Note: Before you can use domain names for address book entries, you must configure the NetScreen device for DNS services. For information on DNS configuration, see DNS Configuration.
Zone: Select the zone in which the IP address belongs.
Note: After you define an address—or an address group—and associate it with a policy, you cannot change the address location to another zone (such as from Trust to Untrust). To change its location, you must first disassociate it from the policy.
Click OK to save the configuration.
Enter the necessary information:
Address Name: Enter a name that helps you easily identify the address. The name must be unique and no longer than 20 characters. The name must be descriptive as it appears in several drop-down lists, for example, on the Policy Configuration page.
Comment: Enter any additional information (limit 30 characters).
IP Address/Domain Name: You have the option to use a 4-octet numeric address (with a netmask) or a domain name expressed as a Web URL (Uniform Resource Locator).
IPv4/Netmask or IPv6/Prefix: Select this option and enter either an IPv4address and netmask or IPv6 address and prefix length.
IPv4: A netmask address combined with the IP address, can specify a range of addresses. For example, for the IP address 201.2.3.4, a netmask address of 255.255.255.0 specifies a range of addresses from 201.2.3.0 to 201.2.3.255. Alternatively, for an IP address 201.2.3.4, a netmask address of 255.255.255.255 specifies only 201.2.3.4.
IPv6: A prefix length of /128 indicates a single IPv6 host. A prefix length from /0 to /127 indicates multiple hosts.
or
Domain Name: Select this option and enter a domain name.
Note: Before you can use domain names for address book entries, you must configure the NetScreen device for DNS services. For information on DNS configuration, see DNS Configuration.
Zone: Select the zone in which the IP address belongs.
Note: After you define an address—or an address group—and associate it with a policy, you cannot change the address location to another zone (such as from Trust to Untrust). To change its location, you must first disassociate it from the policy.
Click OK to save the configuration.