Object Groups

An Object Group is a group of Address groups and Service groups. Address groups are a collection of IP addresses, range of IP addresses and domain names. Service groups are a collection of ports, range of ports, service types, and codes. When you create business policies and firewall rules, you can define the rules for a range of IP addresses or a range of TCP/UDP/ICMPv4/ICMPv6 ports, by including the object groups in the rule definitions.

You can create Address groups to save the range of valid IP addresses and Service groups for the range of port numbers or service type and range of codes. You can simplify the policy management by creating object groups of specific types and reusing them in policies and rules.

Using Object Groups, you can:
  • Manage policies easily.
  • Modularize and reuse the policy components.
  • Update all referenced business and firewall policies easily.
  • Reduce the number of policies.
  • Improve the policy debugging and readability.
Note: You can create, update, or delete object groups if you have Create, Update, and Delete permissions on the NETWORK_SERVICE object. You can only view the object groups if you have Read permission on NETWORK_SERVICE and ENTERPRISE_PROFILE objects.
Important:
  • Maximum allowed number of object groups per Enterprise is 2000.
  • Maximum allowed number of object group associations per Edge and its Profile is 1000.

Configure Objects Groups

This section describes how to configure Object Groups and Service Groups (formerly known as Port Groups).

For more information on Object Groups, see Object Groups,

In the SD-WAN service of the Enterprise portal, to configure Object Groups, select Configure > Object Groups .

The Object Groups screen appears. You can configure Address Group and Service Group from this screen.

Figure 1. Object Groups
Note: Maximum allowed number of object groups per Enterprise is 2000.

Address Groups

To create and configure Address Groups, perform the following steps:
  1. In the Address Groups tab, select Add. The Configure Address Group window appears.
    Figure 2. Configure Address Groups
  2. Enter a Name and Description for the Address Group.
  3. Under IP Address Ranges, select +ADD and enter the range of IPv4 or IPv6 Addresses by selecting the Prefix or Mask options as: CIDR prefix, Subnet mask, or Wildcard Mask, as required.
  4. Under Domains, select +ADD and enter the domain names or FQDNs for the Address Group. The domain names defined in the Address Group can be used as a matching criteria for Business policies or Firewall rules.
    Note: When configuring domains as match criteria for an Address Group, the SD-WAN service first checks for an IP address match. If a match is found, then the service skips domain name matching. However, if no match is found for an IP address, then the service performs a domain name match in the Address Group.
    Important: The matching criteria may match basic wildcard patterns. For example, if you configure a domain in an Address Group as google.com, then mail.google.com and/or http://www.google.com may also match this criteria. However, if you configure http://www.google.com as the domain in an Address Group, then mail.google.com will not match this policy.
  5. Select Save Changes.

Service Groups (Formerly known as Port Groups)

To create and configure Service Groups (formerly known as Port Groups), perform the following steps:
  1. In the Service Groups tab, select Add. The Configure Service Group window appears.
    Figure 3. Configure Service Group
  2. Enter a Name and Description for the Service Group.
  3. Under Service Ranges, select +ADD and add Service ranges with the protocol as TCP or UDP or ICMPv4 and ICMPv6, as required.
    Note: For TCP and UDP, you must enter a single port number or port range from 0 through 65535. For ICMP and ICMPv6, you can optionally enter the Type and Code. The Type and Code value ranges from 0 through 254. The Code can be a single value or range.
  4. select Save Changes.

You can define a business policy or a firewall rule with the Object Group, to include the range of IP addresses and port numbers.

Note: Maximum allowed number of object group associations per Edge and its Profile is 1000. For more information, see:

Select the link to the Address or Service Group to modify the settings. To delete an Address or Service Group, select the checkbox before the group and select Delete.

Note: Object Groups in use cannot be deleted. If you want to delete an Object Group, it must first be removed from business policies or firewall rules.

Configure Business Policies with Object Group

While configuring business policies at Profile and Edge level, you can select the existing object groups to match the source or destination. You can define the rules for a range of IPv4 and IPv6 addresses or port numbers available in the object groups.

At the Profile level, to configure a business policy with Object Group, perform the following steps:
  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles . The Profiles page displays the existing Profiles.
  2. Select a Profile to configure a business policy, and select the Business Policy tab.

    From the Profiles page, you can navigate to the Business Policy page directly by selecting the View link in the Biz. Pol column of the Profile.

  3. In the Configure Business Policy section and under Business Policy Rules, select + ADD. The Add Rule dialog box appears.
    Figure 4. Adding Rule for Business Policy
  4. In the Rule Name text box, enter a unique name for the Rule.
  5. In the Match area, configure the match conditions for the rule:
    1. Choose the IP version type for the rule. By default, IPv4 and IPv6 address type is selected. You can configure the Source and Destination IP addresses according to the selected Address Type. Based on the IP version selected, the behavior will be as follows:
      • IPv4 Type Rule matches only the IPv4 addresses available in the selected Address Group.
      • IPv6 Type Rule matches only the IPv6 addresses available in the selected Address Group.
      • Mixed Type Rule matches both the IPv4 and IPv6 addresses in the selected Address Group.
    2. From the Source drop-down menu, select Object Groups.
    3. Select the relevant Address Group and Service Group from the drop-down menu. If the selected address group contains any domain names, they would be ignored when matching for the source.
    4. If needed, you can select the Activate Pre-NAT option. This allows the business policy to match with both, pre-NAT and post-NAT IPv4 addresses, on the LAN side for the Source IP.
      Note: The Pre-NAT option is supported for IPv4 and Mixed mode object groups but not for IPv6 object groups.
      Note: When configuring domains as match criteria for an Address Group, the SD-WAN service first checks for an IP address match. If a match is found, then the service skips domain name matching. However, if no match is found for an IP address, then the service performs a domain name match in the Address Group.
      Important: The matching criteria may match basic wildcard patterns. For example, if you configure a domain in an Address Group as google.com, then mail.google.com and/or http://www.google.com may also match this criteria. However, if you configure http://www.google.com as the domain in an Address Group, then mail.google.com will not match this policy.
    5. If required, you can select the Address Groups, Service Groups, and activate Pre-NAT IP as matching criteria for the destination as well.
    6. Choose business policy actions as required and select Create.

      For more information on the match and action parameters, see Configure Business Policies.

    7. Select Save Changes.

 

The business policy rules that you create for a profile are automatically applied to all the Edges associated with the profile. If required, you can create additional rules specific to the Edges or modify the inherited rule by navigating to Configure > Edges , select an Edge, and select the Business Policy tab.

Figure 5. Configure Business Policy

The Rules From Profile section displays the rules inherited from profile and they are read only. If you want to override any Profile-level rule, then add a new rule. The added rule appears in the Edge Overrides section and it can be manipulated by modifying or deleting, if needed.

Note: By default, the business policy rules are assigned to the global segment. If required, you can choose a segment from the Segment drop-down and create business policy rules specific to the selected segment.

You can modify the object groups with additional IP addresses, port numbers, service types and codes. The changes are automatically included in the business policy rules that use the object groups.

Note: When an object group is associated with a business policy rule, the ICMP type and code based configuration in service groups will not be applied. Though the Orchestrator allows this type of configuration, the Edge ignores ICMP type and code based configuration when matching business policy.

Configure Firewall Rule with Object Group

While configuring firewall rules at Profile and Edge level, you can select the existing object groups to match the source or destination. You can define the rules for a range of IP addresses or a range of TCP/UDP/ICMPv4/ICMPv6 ports, by including the object groups in the rule definitions.

At the Profile level, to configure Firewall Rule with Object Group, perform the following steps:
  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles . The Profiles page displays the existing Profiles.
  2. Select a Profile to configure a firewall rule, and select the Firewall tab.

    From the Profiles page, you can navigate to the Firewall page directly by selecting the View link in the Firewallcolumn of the Profile.

    From the Profiles page, you can navigate to the Firewall page directly by selecting the View link in the Firewall column of the Profile.
  3. Go to the Configure Firewall section and under Firewall Rules, select + NEW RULE. The Configure Rule dialog box appears.
    Figure 6. Configure Firewall Rule
  4. In the Rule Name text box, enter a unique name for the Rule. To create a firewall rule from an existing rule, select the rule to be duplicated from the Duplicate Rule drop-down menu.
  5. In the Match area, configure the match conditions for the rule:
    1. Choose the IP address type for the rule. By default, IPv4 and IPv6 address type is selected. You can configure the Source and Destination IP addresses according to the selected Address Type.
    2. From the Source drop-down menu, select Object Groups.
    3. Select the relevant Address Group and Address Group from the drop-down menu. If the selected address group contains any domain names, they would be ignored when matching for the source.

      You can select the Info icon next to the Address Group and Address Group drop-down to view the configuration details of the respective Address Group and Address Group.

      Figure 7. Details of Duplicate Rule
    4. If required, you can select the Address and Service Groups for the destination as well. Based on Address Type selected, the behavior will be as follows:
      • IPv4 Type Rule matches only the IPv4 addresses available in the selected Address Group.
      • IPv6 Type Rule matches only the IPv6 addresses available in the selected Address Group.
      • Mixed Type Rule matches both the IPv4 and IPv6 addresses in the selected Address Group.
    5. Choose Firewall actions as required and select Create.

      For more information on the match and action parameters, see Configure Firewall Rule.

    6. Select Save Changes.

    7. A firewall rule is created for the selected Profile, and it appears under the Firewall Rules area of the Profile Firewall page.

      Note: The rules created at the Profile level cannot be updated at the Edge level. To override the rule, user needs to create the same rule at the Edge level with new parameters to override the Profile level rule.
      In the Firewall Rules area of the Profile Firewall page, you can perform the following actions:
      • DELETE: To delete existing Firewall rules, select the checkboxes prior to the rules and select DELETE.
      • CLONE: To duplicate a Firewall rule, select the rule and select CLONE.
      • COMMENT HISTORY: To view all comments added while creating or updating a rule, select the rule and select COMMENT HISTORY.
      • Search for Rule: Allows to search the rule by Rule name, IP address, Port/Port range, and Address group and Service group names.

The Firewall rules that you create for a profile are automatically applied to all the Edges associated with the profile. If required, you can create additional rules specific to the Edges by navigating to Configure > Edges , select an Edge, and select the Firewall tab.

Figure 8. Configure Firewall Edges

The Rules From Profile section displays the rules inherited from profile and they are read only. If you want to override any Profile-level rule, then add a new rule. The added rule appears in the table above the Rules From Profile section and it can be manipulated by modifying or deleting, if needed.

Note: By default, the firewall rules are assigned to the global segment. If required, you can choose a segment from the Segment drop-down and create firewall rules specific to the selected segment.

You can modify the object groups with additional IP addresses, port numbers, service types and codes. The changes are automatically included in the Firewall rules that use the object groups.

Note: Before modifying the object groups, you can view the configuration details of the Address Group and Service Group from the same UI screen by selecting the Info icon next to the Address Group and Service name. A pop-up appears displaying the configuration details of the respective Address Group and Service Group.