Network Objects and Groups

Starting from R81.10.15, the Users & Objects view > Network Resources section > Network Objects is a unified objects and groups page to create and manage network objects and groups. This replaces the separate Managing Network Objects and Managing Network Object Groups pages used in version R81.10.10 and lower.

On this page you can add, edit, and delete network objects and groups.

Important - You can create a maximum of 1000 objects in total. For example, 500 host objects, 300 network objects, and 200 Domain Name objects.

For each object or group, the table columns display the name, type, information (for example, the IP address or range of an object) and, starting from R81.10.05, where it is used (for example, the specific rules in the Access Policy).

Note - Starting in version R81.10.17, the "Where in use" feature is turned off by default.

To enable this feature, go to Advanced Settings > WebUI settings and customizations - Enable where in use and change the value to true.

Use the Search field at the upper right corner of the page to search for an object. The table display highlights the group in which the object is found.

For each group, when you hover over one of the objects within the group, you can see specific information about the object such as its type, IP addresses and in which group it is used.

The most common use for network objects is to define a security policy and exceptions to it. These objects can be used as hosts for the internal DNS service and their IP addresses can be configured as fixed for the internal DHCP service.

You can make a new access policy rule in the Access Policy > Firewall > Policy page and use one of the network objects or groups as the source or destination. The Manual Rules table on the Access Policy page displays the objects in the relevant rule. The Where Used column in the Network Objects table also displays the access policy rule you just created.

To create a new network object on the Network Objects page:

  1. Click New and select Network Object.

  2. In the New Network Object window, select Type:

    • Network - Represents a network.

    • Single IP - Represents a device with a single IP address (host object). Select or clear these options as necessary:

      • Allow DNS server to resolve this object name - When the gateway is the DNS server for your internal networks, the name of the server / network object is translated to its IP address.

      • Exclude from DHCP service - The internal DHCP service does not distribute the configured IP address of this server / network object to anyone.

      • Reserve IP address for DHCP service for MAC - The internal DHCP service distributes the configured IP address only to this server / network object based on its MAC address.

      • Enter the MAC address - This is required for IP reservation. When you create the object from the Assets page, the MAC address is detected automatically.

    • IP Range - Represents a range of IP addresses. Enter the Start IP and End IP. Select or clear this option as necessary:

      Exclude from DHCP service - The internal DHCP service does not distribute the configured IP range to anyone.

    • Wildcard - Represents IP addresses that share a common pattern. For example, all IP hosts with the IP address 250 on different networks: 192.168.*.250 / 24

      Note - In the R81.10.X releases, this feature is available starting from the R81.10.08 version Build 996001739.

      1. In the New Network Object window, enter the Name (mandatory field).

      2. In versions R81.10.15 and lower, enter the Wildcard IP address. This is the wildcard pattern and shows the "*" in a particular position in the IP address. For example, 172.168.*.110

      3. Click Save.

      Limitations:

      • IPv6 addresses are not supported.

      • In the wildcard IPv4 address, the asterisk octet always has the IPv4 subnet mask octet 255.

        Examples:

        • IPv4 address with a wildcard: X.X.*.X

        • IPv4 address with a wildcard: X.*.X.X

        In both examples, the IPv4 subnet mask that the Access Policy applies is 255.255.255.255

    • Domain Name - This text string maps to the alphanumeric IP addresses used to access a Domain. For example, the Domain Name for Google is "google.com". The actual website (domain) address is an IP address but DNS allows you to enter a Domain Name to be routed to the exact website.

      Note - The Domain Name object must exactly match the Domain name.

    • Device - Enter the MAC address. Optional: Select Bypass host with this MAC by SSL Inspection.

      If you select Use custom hardware name, enter the Device type, Hardware, and Operating system.

  3. Enter the Name and IP address.

  4. Depending on the object type, you may need to configure additional fields.

  5. Click Save.

Starting from R81.10.15, you can also create a new network object on the Configuring the Remote Access Blade page > Allow or block selected objects section.
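
Before a Wildcard object goes into an Access Policy rule, it helps to list which known hosts the pattern covers, because one pattern spans many networks. The following is an added example, not Check Point code: it assumes that a "*" octet matches any value and every other octet must match exactly, it accepts "*" in any octet position (the page does not say whether more than one is allowed), and the function names and the inventory are constructed for illustration.

```python
import ipaddress

def parse_wildcard(pattern):
    """Validate a pattern such as '192.168.*.250'; return octets (None = '*')."""
    octets = pattern.strip().split(".")
    if ":" in pattern or len(octets) != 4:
        # IPv6 is not supported for wildcard objects (see Limitations).
        raise ValueError("wildcard objects take a four-octet IPv4 pattern")
    parsed = []
    for octet in octets:
        if octet == "*":
            parsed.append(None)
        elif octet.isascii() and octet.isdigit() and int(octet) <= 255:
            parsed.append(int(octet))
        else:
            raise ValueError(f"invalid octet {octet!r} in {pattern!r}")
    if None not in parsed:
        raise ValueError("no '*' octet: use a Single IP object instead")
    return parsed

def wildcard_matches(pattern, address):
    """True when address is an IPv4 address covered by the pattern."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    if ip.version != 4:
        return False
    # Assumption: '*' matches any octet value, other octets match exactly.
    return all(want is None or want == got
               for want, got in zip(parse_wildcard(pattern), ip.packed))

def covered_hosts(pattern, inventory):
    """Return the (name, address) inventory entries that the pattern covers."""
    return [(name, addr) for name, addr in inventory
            if wildcard_matches(pattern, addr)]

# Constructed sample inventory, not taken from any real deployment.
SAMPLE_INVENTORY = [
    ("printer-floor1", "192.168.1.250"),
    ("printer-floor2", "192.168.2.250"),
    ("laptop-17", "192.168.2.17"),
    ("lab-gw", "10.0.0.250"),
    ("v6-host", "2001:db8::250"),
]

if __name__ == "__main__":
    for name, addr in covered_hosts("192.168.*.250", SAMPLE_INVENTORY):
        print(f"{name:16} {addr}")
```
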

To create a new Network Object Group on the Network Objects page:

  1. Click New and select Network Object Group.

  2. In the New Network Object Group window, enter a Name for the group.

  3. Optional: Add a comment.

  4. Select existing objects to add to this group or click New to create a new object.

  5. Click Save.

To use an object in an Access Policy rule:

  1. In WebUI, click the Access Policy view > Firewall section > Policy page.

  2. Add a new rule or edit an existing rule.

  3. In the Source column or the Destination column, select the object.

  4. Configure other columns in this rule.

  5. Click Save.

Editing, Deleting and Filtering Network Objects