Referencing Address Objects and Address Groups in Security Policies
IP addresses are the most common matching condition in security policies, and address objects and address groups are the objects most often used to express them. When you create such an object, put addresses that share the same characteristics and need the same access permissions into one set. For example, if all database servers are deployed in the same security zone and occupy a contiguous IP address segment, you can put that segment in an address object and reference the object in a security policy.
Address Object
An address object is a set of addresses: one or more IPv4 addresses, IPv6 addresses, or MAC addresses. An address object can be referenced directly by various service policies or added to one or more address groups.
# Create an address object named Research_Dept and specify the IP address range.
ip address-set Research_Dept type object   //object indicates the address object.
 address 10 range 192.168.1.1 192.168.1.120   //192.168.1.1 and 192.168.1.120 are the start and end addresses of an IPv4 address segment.
Specifying the start and end addresses is the most common way to define the range of an address object. You can also use a wildcard, a mask, or a mask length. The three examples that follow are alternative spellings of the same 192.168.1.* entry, which is why each uses address ID 11; they are not three additional entries.
# Use a wildcard to specify an address range. The wildcard is in dotted decimal notation. In binary, a 0 bit means the corresponding bit of the address must match, and a 1 bit means it is ignored. For example, 192.168.1.1/0.0.0.255 indicates all IP addresses of the form 192.168.1.*. Unlike a mask, a wildcard does not have to be contiguous (0.0.255.0 is valid), so check that a wildcard matches exactly the set you intend.
ip address-set Research_Dept type object
 address 11 192.168.1.1 0.0.0.255   //Use the wildcard to specify an address range.
# Use the mask to specify an address range. The mask is in dotted decimal notation. In binary, a 1 bit means the corresponding bit of the address must match, and a 0 bit means it is ignored. For example, 192.168.1.1/255.255.255.0 indicates all addresses of the form 192.168.1.*.
ip address-set Research_Dept type object
 address 11 192.168.1.1 mask 255.255.255.0   //Use the mask to specify an address range.
# Specify the address range by using the mask length.
ip address-set Research_Dept type object
 address 11 192.168.1.1 mask 24   //Use the mask length to specify an address range.
When you add a MAC address to an address object, the address format can be XXXX-XXXX-XXXX, XX:XX:XX:XX:XX:XX, or XX-XX-XX-XX-XX-XX (each X is one hexadecimal digit).
ip address-set Research_Dept type object
 address 12 68-05-CA-90-A1-C9   //Add a MAC address to the address object.
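The following is an added example, not code from the original page or from the firewall product: a small Python model of the entry forms shown above (range, wildcard, mask, mask length, MAC) so their matching semantics can be checked against sample addresses. The class and function names and the sample addresses are assumptions made for this illustration; the rules each class implements are the bit rules stated in the text.

```python
import ipaddress
from dataclasses import dataclass


def _ip_int(addr):
    """Integer form of an IPv4 address, or None when the string is not one (e.g. a MAC)."""
    try:
        return int(ipaddress.IPv4Address(addr))
    except ipaddress.AddressValueError:
        return None


@dataclass(frozen=True)
class RangeEntry:
    """address <id> range <start> <end>: matches when start <= ip <= end."""
    start: str
    end: str

    def matches(self, addr):
        ip = _ip_int(addr)
        return ip is not None and _ip_int(self.start) <= ip <= _ip_int(self.end)


@dataclass(frozen=True)
class WildcardEntry:
    """address <id> <ip> <wildcard>: wildcard bits set to 0 must match, bits set to 1 are ignored."""
    base: str
    wildcard: str

    def matches(self, addr):
        ip = _ip_int(addr)
        care = 0xFFFFFFFF ^ _ip_int(self.wildcard)   # bit positions that must be equal
        return ip is not None and (ip ^ _ip_int(self.base)) & care == 0


@dataclass(frozen=True)
class MaskEntry:
    """address <id> <ip> mask { <mask> | <mask-length> }: mask bits set to 1 must match."""
    base: str
    mask: str   # "255.255.255.0" or "24"

    def matches(self, addr):
        ip = _ip_int(addr)
        if "." in self.mask:
            m = _ip_int(self.mask)
        else:
            m = (0xFFFFFFFF << (32 - int(self.mask))) & 0xFFFFFFFF
        return ip is not None and (ip & m) == (_ip_int(self.base) & m)


def normalize_mac(mac):
    """Accept XXXX-XXXX-XXXX, XX:XX:XX:XX:XX:XX or XX-XX-XX-XX-XX-XX; return 12 lowercase hex digits."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac}")
    return digits


@dataclass(frozen=True)
class MacEntry:
    """address <id> <mac-address>: exact match regardless of which separator style was used."""
    mac: str

    def matches(self, addr):
        try:
            return normalize_mac(self.mac) == normalize_mac(addr)
        except ValueError:
            return False


class AddressObject:
    """ip address-set <name> type object: an address is in the object if any entry matches it."""

    def __init__(self, name, entries):
        self.name, self.entries = name, list(entries)

    def contains(self, addr):
        return any(e.matches(addr) for e in self.entries)


# Constructed sample: the page's Research_Dept entries, one per CLI form.
RESEARCH_DEPT = AddressObject("Research_Dept", [
    RangeEntry("192.168.1.1", "192.168.1.120"),   # address 10 range 192.168.1.1 192.168.1.120
    WildcardEntry("192.168.1.1", "0.0.0.255"),    # address 11 192.168.1.1 0.0.0.255
    MaskEntry("192.168.1.1", "255.255.255.0"),    # address 11 192.168.1.1 mask 255.255.255.0
    MaskEntry("192.168.1.1", "24"),               # address 11 192.168.1.1 mask 24
    MacEntry("68-05-CA-90-A1-C9"),                # address 12 68-05-CA-90-A1-C9
])


def equivalent(entry_a, entry_b, network="192.168.0.0/22"):
    """True if two entries accept exactly the same addresses within the given network."""
    return all(entry_a.matches(str(h)) == entry_b.matches(str(h))
               for h in ipaddress.IPv4Network(network))


if __name__ == "__main__":
    w = WildcardEntry("192.168.1.1", "0.0.0.255")
    m, l = MaskEntry("192.168.1.1", "255.255.255.0"), MaskEntry("192.168.1.1", "24")
    print("wildcard == mask == mask-length:", equivalent(w, m) and equivalent(m, l))
    # A wildcard with non-contiguous bits matches addresses that no mask could describe.
    odd = WildcardEntry("192.168.1.1", "0.0.255.0")
    print("0.0.255.0 matches 192.168.77.1:", odd.matches("192.168.77.1"),
          "and 192.168.1.2:", odd.matches("192.168.1.2"))
    for a in ("192.168.1.66", "192.168.1.200", "68:05:ca:90:a1:c9", "10.0.0.1"):
        print(a, "in Research_Dept:", RESEARCH_DEPT.contains(a))
```

Running it shows that the wildcard, mask and mask-length spellings of the 192.168.1.* entry accept the same addresses, that the range entry is narrower (192.168.1.200 is in the /24 but outside 192.168.1.1 to 192.168.1.120), and that a non-contiguous wildcard such as 0.0.255.0 admits addresses like 192.168.77.1 while rejecting 192.168.1.2.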
Address Group
An address group is also a set of addresses. Unlike an address object, an address group can contain not only addresses but also address objects and other address groups, so large collections of objects and groups can be managed more conveniently. Keep in mind that nesting is resolved at match time: changing an entry in Research_Dept changes what every policy that references R&D_Dept, or any group containing R&D_Dept, will match.
Addresses are added to an address group in the same way as to an address object. The following shows how to add an address object and an address group to another address group (Test_Dept is a second address object that is assumed to already exist).
ip address-set R&D_Dept type group   //group indicates the address group.
 address address-set Research_Dept   //Add the address object Research_Dept to the address group R&D_Dept.
 address address-set Test_Dept
ip address-set Product type group
 address address-set R&D_Dept   //Add the address group R&D_Dept to the address group Product.
Referencing an Address Group in a Security Policy
The following uses the address group to prohibit R&D_Dept from accessing HR services in the DMZ.
security-policy
 rule name "Deny R&D_Dept to HR"
  source-zone trust
  destination-zone dmz
  source-address address-set R&D_Dept   //Specify source addresses in address group mode.
  service HRService   //HRService is a customized HR service defined beforehand.
  action deny
Address Exclusion
If a few hosts inside an address group should not be subject to a rule, use source-address-exclude to remove them from the rule's match condition instead of splitting the address group. The following exempts 192.168.1.66 from the deny rule above. An excluded address simply does not match this rule: whether it can then reach the HR service is decided by the rules that follow, or by the default policy if no rule matches, so an exclusion from a deny rule is not by itself a permit.
security-policy
 rule name "Deny R&D_Dept to HR"
  source-zone trust
  destination-zone dmz
  source-address address-set R&D_Dept   //Specify the source addresses (192.168.1.1/24) in address set mode.
  source-address-exclude 192.168.1.66 32   //Exclude the IP address.
  service HRService   //HRService is a customized HR service defined beforehand.
  action deny
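The following is an added example, not code from the original page or from the firewall product: a Python model of address-group nesting, first-match policy evaluation and source-address-exclude, used to show what the "Deny R&D_Dept to HR" rule does to a host that is excluded from it. The class and function names, the addresses assigned to Test_Dept, the "any" object, the extra permit rule and the deny default are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass, field


class AddressSet:
    """ip address-set <name> type object | group.

    An object holds addresses only; a group may also hold other address sets
    (objects or groups), so a group is resolved recursively at match time.
    """

    def __init__(self, name, kind, members=()):
        if kind not in ("object", "group"):
            raise ValueError(f"unknown address-set type: {kind}")
        self.name, self.kind, self.members = name, kind, []
        for m in members:
            self.add(m)

    def add(self, member):
        if isinstance(member, AddressSet):
            if self.kind != "group":
                raise ValueError(f"{self.name} is an object; only a group may reference address sets")
            if self in member.reachable():
                raise ValueError(f"adding {member.name} to {self.name} would create a loop")
            self.members.append(member)
        else:
            # CIDR string such as "192.168.1.1/24"; strict=False masks the host bits off
            self.members.append(ipaddress.ip_network(member, strict=False))

    def reachable(self):
        """This set plus every set reachable through nesting (used for loop detection)."""
        out = [self]
        for m in self.members:
            if isinstance(m, AddressSet):
                out.extend(m.reachable())
        return out

    def contains(self, ip):
        ip = ipaddress.ip_address(str(ip))
        return any(m.contains(ip) if isinstance(m, AddressSet) else ip in m for m in self.members)


@dataclass
class Rule:
    """One security-policy rule; the fields mirror the CLI keywords on the page."""
    name: str
    source_zone: str
    destination_zone: str
    source_address: AddressSet
    service: str
    action: str   # "permit" or "deny"
    source_address_exclude: list = field(default_factory=list)   # CIDR strings

    def matches(self, src_zone, dst_zone, src_ip, service):
        if (src_zone, dst_zone, service) != (self.source_zone, self.destination_zone, self.service):
            return False
        ip = ipaddress.ip_address(src_ip)
        # source-address-exclude removes the address from this rule's match set only
        if any(ip in ipaddress.ip_network(x, strict=False) for x in self.source_address_exclude):
            return False
        return self.source_address.contains(ip)


def evaluate(rules, src_zone, dst_zone, src_ip, service, default_action="deny"):
    """Rules are checked in order and the first match decides; otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src_ip, service):
            return rule.action, rule.name
    return default_action, "default policy"


# Constructed sample data modelled on the page. Test_Dept's addresses, the "any"
# object and the permit rule are assumptions made for this example.
RESEARCH = AddressSet("Research_Dept", "object", ["192.168.1.1/24"])
TEST_DEPT = AddressSet("Test_Dept", "object", ["192.168.2.0/24"])
RD = AddressSet("R&D_Dept", "group", [RESEARCH, TEST_DEPT])
PRODUCT = AddressSet("Product", "group", [RD])
ANY = AddressSet("any", "object", ["0.0.0.0/0"])

DENY_RD_TO_HR = Rule("Deny R&D_Dept to HR", "trust", "dmz", RD, "HRService", "deny",
                     source_address_exclude=["192.168.1.66/32"])
PERMIT_HR = Rule("Permit trust to HR", "trust", "dmz", ANY, "HRService", "permit")

POLICY = [DENY_RD_TO_HR]                         # the page's rule on its own
POLICY_WITH_PERMIT = [DENY_RD_TO_HR, PERMIT_HR]  # the same rule followed by a broad permit


def only_groups_nest():
    """An object cannot reference an address set, and a group cannot contain itself."""
    try:
        AddressSet("bad_object", "object", [RESEARCH])
        return False
    except ValueError:
        pass
    try:
        RD.add(PRODUCT)   # PRODUCT already contains RD
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.66", "192.168.2.7"):
        print(ip, "deny rule only:", evaluate(POLICY, "trust", "dmz", ip, "HRService"),
              "| deny then permit:", evaluate(POLICY_WITH_PERMIT, "trust", "dmz", ip, "HRService"))
```

With only the deny rule configured, 192.168.1.66 is not matched by that rule but still ends up at the default policy, so it is denied; it gets through only when a later rule permits it. Hosts in Test_Dept are denied through the nested group without being listed in the rule, and an object cannot reference another set while a group cannot be nested inside itself.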