Wildcard Objects

Wildcard objects let you define IP address objects that share a common pattern that can be permitted or denied access in a security policyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

Note - This feature is only supported for R80.20 and above gateways.

To create a new wildcard object

  1. Open Object Explorer > New > More > Network Object > Wildcard object.

  2. Enter the Wildcard IP address and Wildcard Netmask in IPv4 or IPv6 Format.

  3. Click OK.

Understanding Wildcard Objects

The wildcard object contains a wildcard IP address and a wildcard netmask.

The wildcard netmask is the mask of bits that indicate which parts of the IP address must match and which do not have to match. For example:

Wildcard IP:

194.

29.

0.

1

Wildcard Netmask:

0.

0.

3.

0

The third octet represents the mask of bits. If we convert the 3 to binary, we get 00000011.

The 0 parts of the mask must match the equivalent bits of the IP address.

The 1 parts of the mask do not have to match, and can be any value.

0

0

0

0

0

0

1

1

Must match the equivalent bits in the IP address

Do not have to match

The binary netmask produces these possible decimal values:

128

64

32

16

8

4

2

1

 

 

 

 

 

 

 

 

Binary

 

Decimal

0

0

0

0

0

0

0

0

 

0

0

0

0

0

0

0

0

1

 

1

0

0

0

0

0

0

1

0

 

2

0

0

0

0

0

0

1

1

 

3

The netmask permits only these IP addresses:

  • 194.29.0.1

  • 194.29.1.1

  • 192.29.2.1

  • 194.29.3.1

Scenario One

A supermarket chain has all of its cash registers on subnet 194.29.x.1, where x defines the region. In this use case, all the cash registers in this region must have access to the database server at 194.30.1.1.

Instead of defining 256 hosts (194.29.0.1, 194.29.1.1, 194.29.2.1....194.29.255.1), the administrator creates a wildcard object that represents all the cash registers in the region:

Wildcard IP:

194.

29.

0.

1

Wildcard Mask:

0.

0.

255.

0

The wildcard object can now be added to the Access Control Policy.

Source

Destination

Action

Track

Wildcard Object

Database server object

Accept

Log

Scenario Two

In this use case, a supermarket chain has stores in Europe and Asia.

The 192.30.0-255.1 network contains both the Asian and European regions, and the stores within those regions.

Item

Description

1

Database Server for Europe

2

Database Server for Asia

3

European and Asia network

The administrator wants stores in the European and Asia regions to access different database servers. In this topology, the third octet of the European and Asia network's IP address will be subject to a wildcard. The first four bits of the wildcard will represent the region and the last four bits will represent the store number.

Bits that represent the region

Bits that represent the store number

0000

0000

In the Wildcard IP:

  • The Asia region is represented by 0001xxxx (Region 1 in decimal)

  • The European region is represented by 0010xxxx (Region 2 in decimal)

In binary:

Binary

 

Decimal

Region

Store

 

0001

0000

16 - Asia Region

0010

0000

32 - European Region

To include all the stores of a particular region, the last four bits of the wildcard mask must be set to 1 (15 in Decimal):

Binary

 

Decimal

Region

Store

 

xxxx

1111

15 - all Asian stores

xxxx

1111

15 - all European stores

A wildcard object that represents all the Asian stores will look like this:

Wildcard IP address

192.30.16.1

(The region)

Wildcard netmask

0.0.15.0

(for stores in the region)

For this range of IP addresses: 192.30.16-31.1

A wildcard object that represents all the European stores will look like this:

Wildcard IP address

192.30.32.1

(the region)

Wildcard netmask

0.0.15.0

(for stores in the region)

For this range of IP addresses: 192.30.32-47.1

The administrator can now use these wildcard objects in the Access Control Policy:

Source

Destination

Action

Track

Asian Stores Wildcard

Database Server for Asia

Accept

Log

European Stores Wildcard

Database Server for Europe

Accept

Log

Scenario Three

In this scenario, the netmask bits are not consecutive.

Wildcard IP

1

1

0

1

Wildcard mask

0

0

5

0

Wildcard IP

00000001.00000001.00000000.00000001

Wildcard Mask

00000000.00000000.00000101.00000000

Mask:

00

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

1

0

1

0

0

0

0

0

0

0

0

Which will match only these IP addresses:

IP Address

Binary

Comment

1.1.0.1

00000001.00000001.00000000.00000001

The IP address itself

1.1.1.1

00000001.00000001.00000001.00000001

The equivalent bit at position 23 does not matter

1.1.4.1

00000001.00000001.00000100.00000001

The equivalent bit at position 21 does not matter

1.1.5.1

00000001.00000001.00000101.00000001

The equivalent bits at positions 21 and 23 do not matter

IPv6

The same principles apply to IPv6 addresses. For example, if the wildcard object has these values:

IPv6 Address

2001::1:10:0:1:41

Wildcard netmask

0::ff:0:0

The wildcard will match: 2001::1:10:0-255:1:41