Network Objects of the Packet Filter

Last adaptation to the version: 14.0.1 (01.2025)

New:
  • Status display whether an object is cloud-managed

This article refers to a Beta version.

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Firewall / Network objects

Network objects

  • Menu under Firewall / Network objects

  • Buttons in the Network objects tab:
    Edit: Opens the network group or network object for editing.
    Delete: Deletes the network group or network object. The deletion must be confirmed once again.
      For GeoIP network objects, after confirmation, all GeoIP network objects with the same prefix are deleted.
    Add group: Creates a new network group to which network objects can be added immediately.
    Show GeoIP objects (On / Off): When disabled (Off), GeoIP objects are hidden to improve readability.

  • Network objects contain:
    • a name
    • an address (IP or network), a hostname or an interface
    • and a zone.

    Network objects are mainly needed to create packet filter rules, but they are also used in the HTTP proxy.

    The members of a network group are displayed as labels.
    Click on a label to display the details in the 'Network objects' table.

  • v14.0: If there are network objects that were created via the USC, the Cloud-managed column shows whether these are such objects or locally created objects. Cloud-managed objects must be edited in the Cloud under Unified Network Console / config.

Edit / Add Network Groups

Menu under Firewall / Network Objects, button + Add Group

Edit / create network group dialog (caption, example value, description):
  • Name (e.g. Geo-DACH): Freely selectable name for the network group.
  • Network objects (e.g. GEOIP: AT (Austria), GEOIP: CH (Switzerland), GEOIP: DE (Germany)): Existing network objects can be added in the click box.
    • Opens the dialog for adding another network object.
    • Removes a network object from the network group.

Create / Add Network Objects

Create / Add network objects dialog (caption, example value, description):

  • Name (e.g. Host-Objekt): Freely selectable name for the network object.
    OK, not really free: even if it should be technically possible, refrain from using cryptic special characters such as curly brackets, backslashes and similar. At the latest in an AD environment, such things may lead to problems.

  • Type: The type determines how the affiliation to this network object is determined.
    Host: A single host with an IP address, e.g. 192.0.2.192/32 → 192.0.2.192/---
    Network (address): A complete network, e.g. 192.0.2.0/24
      A /24 network is entered as default. However, this can be changed as desired.
    Network (address with custom mask): Network with any subnet mask. This is useful when the prefix may change. (Example: 192.0.2.0/0.255.255.0 or 2001:DB8::1234/::FFFF:FFFF)
    Network (interface): A complete network behind an interface, e.g. eth0
      • Attention: With HideNat, only the first IP lying on this interface is used.
        When using with HideNat, try to use a network address instead.
    VPN-Host: A single VPN host with an IP address, e.g. 192.0.2.192/32 → 192.0.2.192/---
      • Only zones that have the flag Policy_IPSEC or PPP_VPN in the zone management (Network / Zone Settings) can be selected as zones for these network objects.
    VPN network: A complete VPN network, e.g. 192.0.2.0/24
      A /24 network is entered as default. However, this can be changed as desired.
    Static interface: A configured IP address of an interface can be selected from a drop-down menu, e.g. 192.0.2.1/24
    Dynamic interface: A dynamic assignment of the address of the interface based on the assigned zone, e.g. 0.0.0.0/. or eth0
    Hostname: A host name, e.g. my.host.local
    GeoIP: Creates a network object in the specified zone for each country.
      IP addresses are assigned to a country via the organizations and institutions to which the associated IP networks are assigned.
      The actual location of a host may differ from this assignment or may not be visible, e.g. due to a VPN tunnel!
      • Adding a network object of type GeoIP creates approx. 250 new network objects!

  • Address (e.g. 192.0.2.192): Depending on the type selected. See above.

  • Interface (e.g. LAN1): Only for the types Network (interface) and Dynamic interface.
    All hosts behind this interface belong to this network object.

  • IP address (e.g. 192.168.175.1): Only for the type Static interface.
    All hosts behind the interface with this IP address belong to this network object.

  • Hostname (e.g. my.host.local): Only for the type Hostname.
    Hostname of the network object.

  • Prefix (e.g. ext2_): Only for the type GeoIP.
    Prefix placed in front of the network objects (for better identification).
    Example: Prefix ext2_ → Network object ext2_GEOIP:DE

  • Zone: Zone in which the network object is located.
    By linking an object in the rule set with an interface via its zone, a packet filter rule only takes effect if not only the source, destination and service match the rule, but the connection is also made via the correct interfaces. This prevents all attacks that rely on IP spoofing. The assignment of an object to an interface is done by binding the zone to the interface on the one hand and assigning the network object to a zone on the other.
    • Depending on the selected network type, a zone is already suggested or the zone selection is restricted.

  • Groups (e.g. internal-networks): Network objects can be grouped together to assign packet filter rules to multiple objects.
    Network objects can also belong to several groups.
    This can lead to contradictory rules for the same network object that are not immediately obvious.
    As with all rules, the first rule in the rule set whose network group contains the network object is the one that is executed.

  • Save: Saves the network object, but leaves the dialogue open so that further objects can be created.
  • Save and close: Saves the network object and closes the dialogue.
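As an added illustration (not part of this wiki page or of the UTM's own code), the following Python model shows how membership in a network object is evaluated for the "address with custom mask" types described above, and why the zone binding described under Zone keeps a rule from matching a packet that carries a permitted source address but arrives on the wrong interface. Object names, addresses, zone names and the packet dictionaries are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetObject:
    """Constructed model of a network object: an address, a full mask and a zone."""
    name: str
    address: str   # e.g. "192.0.2.0"
    mask: str      # full mask, e.g. "255.255.255.0", "0.255.255.0" or "::FFFF:FFFF"
    zone: str      # zone bound to an interface, e.g. "internal"

    def contains(self, ip: str) -> bool:
        """Match with a bitwise AND, so a non-contiguous custom mask such as
        0.255.255.0 (ignore the first octet) works as well as a normal prefix mask."""
        a, m, x = (ipaddress.ip_address(s) for s in (self.address, self.mask, ip))
        if not (a.version == m.version == x.version):   # never mix IPv4 and IPv6
            return False
        return (int(x) & int(m)) == (int(a) & int(m))


@dataclass(frozen=True)
class Rule:
    src: NetObject
    dst: NetObject
    service: str


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """A rule only takes effect if source, destination and service match AND the
    packet really entered/leaves through the interfaces bound to the objects' zones.
    A packet with an internal source address arriving on the external interface
    therefore never matches a rule written for internal hosts (anti-spoofing)."""
    return (rule.src.contains(pkt["src"]) and pkt["in_zone"] == rule.src.zone
            and rule.dst.contains(pkt["dst"]) and pkt["out_zone"] == rule.dst.zone
            and pkt["service"] == rule.service)


# Constructed sample objects; names, addresses and zones are illustrative only.
INTERNAL = NetObject("internal-network", "192.168.175.0", "255.255.255.0", "internal")
ANY_V4 = NetObject("any", "0.0.0.0", "0.0.0.0", "external")
CUSTOM = NetObject("third-octet-2", "192.0.2.0", "0.255.255.0", "external")
CUSTOM6 = NetObject("suffix-1234", "2001:DB8::1234", "::FFFF:FFFF", "external")
WEB_RULE = Rule(INTERNAL, ANY_V4, "http")

if __name__ == "__main__":
    legit = {"src": "192.168.175.10", "in_zone": "internal",
             "dst": "203.0.113.5", "out_zone": "external", "service": "http"}
    spoofed = dict(legit, in_zone="external")   # same addresses, wrong interface
    print(CUSTOM.contains("10.0.2.77"), CUSTOM6.contains("2001:db8:ffff::1234"))  # True True
    print(rule_matches(WEB_RULE, legit), rule_matches(WEB_RULE, spoofed))          # True False
```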