|
|
|
What can I do here?
Use this window to create a wildcard object that represents a series of IP addresses that are not sequential.
|
Getting Here - Object Explorer > New > Network Object > Wildcard Object |
Wildcard objects let you define IP address objects that share a common pattern that can be permitted or denied access in a security policy.
Note - This feature is only supported for R80.20 and above gateways.
To create a new wildcard object:
The wildcard object contains a wildcard IP address and a wildcard netmask.
The wildcard netmask is the mask of bits that indicate which parts of the IP address must match and which do not have to match. For example:
Wildcard IP: |
194. |
29. |
0. |
1 |
Wildcard Netmask: |
0. |
0. |
3. |
0 |
The third octet represents the mask of bits. If we convert the 3 to binary, we get 00000011. The 0 parts of the mask must match the equivalent bits of the IP address. The 1 parts of the mask do not have to match, and can be any value.
0 |
0 |
0 |
0 |
0 |
0 |
1 |
1 |
Must match the equivalent bits in the IP address |
Do not have to match |
||||||
The binary netmask produces these possible decimal values:
128 |
64 |
32 |
16 |
8 |
4 |
2 |
1 |
|
|
|
|
|
|
|
|
Binary
|
|
Decimal |
|
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
|
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
1 |
|
1 |
0 |
0 |
0 |
0 |
0 |
0 |
1 |
0 |
|
2 |
0 |
0 |
0 |
0 |
0 |
0 |
1 |
1 |
|
3 |
The netmask permits only these IP addresses:
Scenario One
A supermarket chain has all of its cash registers on subnet 194.29.x.1, where x defines the region. In this use case, all the cash registers in this region must have access to the database server at 194.30.1.1.
Instead of defining 256 hosts (194.29.0.1, 194.29.1.1, 194.29.2.1....194.29.255.1), the administrator creates a wildcard object that represents all the cash registers in the region:
Wildcard IP: |
194. |
29. |
0. |
1 |
Wildcard Mask: |
0. |
0. |
255. |
0 |
The wildcard object can now be added to the access control policy.
Source |
Destination |
Action |
Track |
|---|---|---|---|
Wildcard Object |
Database server object |
Accept |
Log |
Scenario Two
In this use case, a supermarket chain has stores in Europe and Asia.
The 192.30.0-255.1 network contains both the Asian and European regions, and the stores within those regions.
Item |
Description |
|---|---|
1 |
Database Server for Europe |
2 |
Database Server for Asia |
3 |
European and Asia network |
The administrator wants stores in the European and Asia regions to access different database servers. In this topology, the third octet of the European and Asia network's IP address will be subject to a wildcard. The first four bits of the wildcard will represent the region and the last four bits will represent the store number.
Bits that represent the region |
Bits that represent the store number |
0000 |
0000 |
In the Wildcard IP:
In binary:
Binary |
Decimal |
|
Region |
Store |
|
0001 |
0000 |
16 - Asia Region |
0010 |
0000 |
32 - European Region |
To include all the stores of a particular region, the last four bits of the wildcard mask must be set to 1 (15 in Decimal):
Binary |
Decimal |
|
Region |
Store |
|
xxxx |
1111 |
15 - all Asian stores |
xxxx |
1111 |
15 - all European stores |
A wildcard object that represents all the Asian stores will look like this:
Wildcard IP address |
192.30.16.1 |
(The region) |
Wildcard netmask |
0.0.15.0 |
(for stores in the region) |
For this range of IP addresses: 192.30.16-31.1
A wildcard object that represents all the European stores will look like this:
Wildcard IP address |
192.30.32.1 |
(the region) |
Wildcard netmask |
0.0.15.0 |
(for stores in the region) |
For this range of IP addresses: 192.30.32-47.1
The administrator can now use these wildcard objects in the access control policy:
Source |
Destination |
Action |
Track |
|---|---|---|---|
Asian Stores Wildcard |
Database Server for Asia |
Accept |
Log |
European Stores Wildcard |
Database Server for Europe |
Accept |
Log |
Scenario Three
In this scenario, the netmask bits are not consecutive.
Wildcard IP |
1 |
1 |
0 |
1 |
Wildcard mask |
0 |
0 |
5 |
0 |
Wildcard IP |
00000001.00000001.00000000.00000001 |
Wildcard Mask |
00000000.00000000.00000101.00000000 |
Mask:
00 |
01 |
02 |
03 |
04 |
05 |
06 |
07 |
08 |
09 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
1 |
0 |
1 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
Which will match only these IP addresses:
IP Address |
Binary |
Comment |
|---|---|---|
1.1.0.1 |
00000001.00000001.00000000.00000001 |
The IP address itself |
1.1.1.1 |
00000001.00000001.00000001.00000001 |
The equivalent bit at position 23 does not matter |
1.1.4.1 |
00000001.00000001.00000100.00000001 |
The equivalent bit at position 21 does not matter |
1.1.5.1 |
00000001.00000001.00000101.00000001 |
The equivalent bits at positions 21 and 23 do not matter |
The same principles apply to IPv6 addresses. For example, if the wildcard object has these values:
IPv6 Address |
2001::1:10:0:1:41 |
Wildcard netmask |
0::ff:0:0 |
The wildcard will match: 2001::1:10:0-255:1:41
