
Create Address Objects

An address object is a named container for an IP address, subnet, range, FQDN, or geographic region. Use address objects in firewall policies, NAT rules, VPN configs, route maps, etc. Because each policy references the object by name, you change the underlying IP in one place and every policy that uses the object updates.

Built-ins: all (matches everything), none (matches nothing), and a list of well-known geographic regions.

Address Object Types

  • Subnet — most common. A network (e.g. 10.0.0.0/24) or single host (e.g. 10.0.0.5/32).
  • IP Range — 10.0.0.100 to 10.0.0.200.
  • FQDN — a hostname (e.g. gmail.com). FortiOS resolves it via DNS and tracks resolved IPs.
  • Geography — a country/region (e.g. China, United States).
  • Dynamic — populated externally (FSSO, MAC-based, etc.).
  • Wildcard FQDN — e.g. *.googleusercontent.com.

Before You Start

  • A naming convention. Recommend: <role>-<location> (e.g. Server-Web01, Subnet-Sales-LAN, Range-DHCP-Guests). Sortable, searchable.

Steps

  1. Policy & Objects → Addresses → + Create New → Address.
  2. Fill in:
    • Name — per your convention.
    • Color — optional UI color tag.
    • Type — Subnet / IP Range / FQDN / Geography / etc.
    • IP/Netmask (Subnet) — e.g. 10.0.0.0/24 or 10.0.0.5/32.
    • IP Range (Range) — start and end IPs.
    • FQDN (FQDN type) — the hostname.
    • Country (Geography) — pick from list.
    • Interface — any (works on any interface) or a specific interface (faster matching, fewer false matches).
    • Static route configuration — Enabled if this address should be reachable via a specific route (rarely needed).
    • Comments — optional notes.
  3. Click OK.

Address Groups

For policies that should match many addresses, create a group that contains multiple address objects:

  1. Policy & Objects → Addresses → + Create New → Address Group.
  2. Name, Color.
  3. Members — pick the address objects to include.
  4. OK.

Reference the group in policies — adding/removing members updates the policy automatically.

CLI Equivalent

config firewall address
edit "Subnet-Sales-LAN"
    set type ipmask
    set subnet 10.0.10.0 255.255.255.0
    set comment "Sales department LAN"
next
edit "FQDN-Gmail"
    set type fqdn
    set fqdn "gmail.com"
next
end

config firewall addrgrp
edit "Group-Internal-Subnets"
    set member "Subnet-Sales-LAN" "Subnet-Engineering-LAN"
next
end
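
The group in the block above lists a member, "Subnet-Engineering-LAN", that the block itself never defines. The following is an added example (not part of the original page, and not Fortinet tooling): a small Python lint that reads `config firewall address` / `config firewall addrgrp` text and reports undefined group members, names that break the naming convention, and subnet objects whose address has host bits set under its mask. The name pattern is an assumption built from the page's example names, and the parser handles only flat config/edit/set blocks like the ones shown here.

```python
import ipaddress
import re
import shlex

# Constructed sample in the page's CLI format, with three planted problems.
SAMPLE = '''config firewall address
edit "Subnet-Sales-LAN"
    set subnet 10.0.10.0 255.255.255.0
next
edit "web01"
    set subnet 10.0.20.5 255.255.255.0
next
end
config firewall addrgrp
edit "Group-Internal-Subnets"
    set member "Subnet-Sales-LAN" "Subnet-Engineering-LAN"
next
end'''
# Assumed convention: type prefixes taken from the page's example names.
NAME_RE = re.compile(r"^(Subnet|Server|Range|FQDN|Group)-[A-Za-z0-9-]+$")

def parse(text):
    """Return {config path: {object name: {setting: [values]}}} for flat blocks."""
    tables, section, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line, comments=True) or [""]
        if tok[0] == "config":
            section, entry = tables.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def audit(text):
    """Lint: naming, host bits set under the mask, undefined group members."""
    t = parse(text)
    addrs, groups = t.get("firewall address", {}), t.get("firewall addrgrp", {})
    out = [("naming", n) for n in [*addrs, *groups] if not NAME_RE.match(n)]
    subnets = {n: c["subnet"] for n, c in addrs.items() if "subnet" in c}
    for name, sub in subnets.items():
        try:  # strict parsing rejects 10.0.20.5/24, probably meant as a /32 host
            ipaddress.ip_network("/".join(sub))
        except ValueError:
            out.append(("host-bits", name))
    known = {*addrs, *groups, "all", "none"}  # built-ins named on the page
    for g, cfg in groups.items():
        out += [("undefined-member", f"{g}:{m}")
                for m in cfg.get("member", []) if m not in known]
    return out
```

Run `audit()` over a saved copy of the two config sections before pasting changes into the CLI; an empty list means none of the three checks fired.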

Verify

In Policy & Objects → Addresses, the new object appears in the list. Reference it in a policy — the object selector should find it by name.

For FQDN objects, check resolution:

diagnose firewall fqdn list
# Shows each FQDN object and its currently resolved IPs.

Common Issues

  • FQDN object returns no IPs. DNS resolution failing — see Configure DNS Settings. FortiGate must resolve the FQDN itself.
  • FQDN IPs are stale. The TTL is respected by default. For very fast-changing FQDNs, lower the TTL: set cache-ttl 60.
  • Geo object blocks unexpected countries. Geo databases update from FortiGuard — out-of-date subscription = stale geo data.
  • Address group too large. No hard cap but very large groups (thousands of members) impact match performance. Break into smaller groups by zone.
  • Can't delete an address. Referenced by a policy. Edit policies to remove the reference first.