Network Objects of the Packet Filter
Last adaptation to the version: 12.6.0
New:
  • Updated to the redesign of the web interface
This article refers to a reseller preview.

Network objects

  • Menu under Firewall → Network objects
  • Screenshot: tab Network Objects (UTMuser@firewall.name.fqdn → Firewall → Network objects)

  Buttons:
  • Edit: Opens the network group or network object for editing.
  • Delete: Deletes the network group or network object. The deletion must be confirmed once again. For GeoIP network objects, after confirmation, all GeoIP network objects with the same prefix are deleted.
  • Add group: Creates a new network group to which network objects can be added immediately.
  • Show GeoIP objects (On / Off): When disabled (Off), GeoIP objects are hidden to improve readability.

  Network objects consist of:
    • a name
    • an address (IP or network), a hostname or an interface
    • and a zone.

  Network objects are mainly used to create packet filter rules, but they are also used in the HTTP proxy.
  The members of a network group are displayed as labels. Clicking on a label displays the details in the Network objects table.


Edit / Add Network Groups

  • Menu under Firewall → Network Objects, button + Add Group
  • Screenshot: Edit / create network group dialog (UTMuser@firewall.name.fqdn → Firewall → Network objects)

  Caption / Value / Description:
  • Name: Geo-DACH
    Freely selectable name for the network group.
  • Network objects: GEOIP: AT (Austria), GEOIP: CH (Switzerland), GEOIP: DE (Germany)
    Existing network objects can be added in the click box.
    A further button opens the dialog for adding another network object; the × on an entry removes that network object from the network group.

Create / Add network objects

  • Screenshot: Create / Add network objects dialog (UTMuser@firewall.name.fqdn → Firewall → Network objects)

  Caption / Value / Description:
  • Name: Host-Objekt
    Freely selectable name for the network object.
    Not entirely free, though: even if it is technically possible, refrain from using cryptic special characters such as curly brackets, backslashes and similar. In an AD environment at the latest, such characters can lead to problems.

  • Type: The type determines how membership of this network object is determined.
    • Host: A single host with an IP address, e.g. 192.0.2.192/32 → 192.0.2.192/---
    • Network (address): A complete network, e.g. 192.0.2.0/24. A /24 network is entered by default, but this can be changed as desired.
    • Network (address with custom mask): A network with any subnet mask. This is useful when the prefix may change (example: 192.0.2.0/0.255.255.0 or 2001:DB8::1234/::FFFF:FFFF).
    • Network (interface): A complete network behind an interface, e.g. eth0.
      Attention: With HideNat, only the first IP lying on this interface is used. When used with HideNat, use a network address instead.
    • VPN-Host: A single VPN host with an IP address, e.g. 192.0.2.192/32 → 192.0.2.192/---
      Only zones that carry the flag Policy_IPSEC or PPP_VPN in the zone management (→ Network → Zone Settings, button w) can be selected as zones for these network objects.
    • VPN network: A complete VPN network, e.g. 192.0.2.0/24. A /24 network is entered by default, but this can be changed as desired.
    • Static interface: A configured IP address of an interface can be selected from a drop-down menu, e.g. 192.0.2.1/24
    • Dynamic interface: Dynamic assignment of the interface address based on the assigned zone, e.g. 0.0.0.0/. or eth0
    • Hostname: A host name, e.g. my.host.local
    • GeoIP: A GeoIP network object (see Prefix below).

  • Address: 192.0.2.192
    Depending on the selected type, see above.
  • Interface: LAN1 (only for the types Network (interface) and Dynamic interface)
    All hosts behind this interface belong to this network object.
  • IP address: 192.168.175.1 (only for the type Static interface)
    All hosts behind the interface with this IP address belong to this network object.
  • Hostname: my.host.local (only for the type Hostname)
    Hostname of the network object.
  • Prefix: ext2_ (only for the type GeoIP)
    Prefix placed in front of the network objects for better identification. Example: prefix ext2_ → network object ext2_GEOIP:DE
  • Zone: Zone
    Zone in which the network object is located.
    By linking an object in the rule set to an interface via its zone, a packet filter rule only takes effect if not only source, destination and service match the rule but the connection also arrives via the correct interface. This prevents all attacks that involve IP spoofing. The assignment of an object to an interface is made by binding the zone to the interface on the one hand and assigning the network object to a zone on the other.
    Depending on the selected network type, a zone is already suggested or the zone selection is restricted.
  • Groups: »internal-networks
    Network objects can be grouped together to assign packet filter rules to multiple objects.
    Network objects can also belong to several groups. This can lead to contradictory rules for the same network object that are not immediately obvious. As with all rules, the first rule in the rule set whose network group contains the network object is the one that is executed.
  • Save: Saves the network object but leaves the dialog open so that further objects can be created.
  • Save and close: Saves the network object and closes the dialog.
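The zone binding and the first-match behaviour of groups described above, modelled as an added Python example (not Securepoint code and not part of this wiki page): it implements the custom-mask matching from the Type row, requires address and zone to match before an object applies, and shows how a host that is in two groups takes whichever rule comes first. Object names, zones, group names and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NetObject:
    name: str
    address: str  # "192.0.2.192/32", "192.0.2.0/24" or custom mask "192.0.2.0/0.255.255.0"
    zone: str     # zone bound to the interface the packet must arrive on

    def contains(self, ip: str) -> bool:
        base, _, mask = self.address.partition("/")
        base_ip, probe = ipaddress.ip_address(base), ipaddress.ip_address(ip)
        if base_ip.version != probe.version:
            return False
        mask = mask or str(base_ip.max_prefixlen)
        # Prefix length, or a dotted/colon mask that may be non-contiguous
        # (0.255.255.0 keeps the middle octets and ignores the first one).
        if mask.isdigit():
            m = ((1 << int(mask)) - 1) << (base_ip.max_prefixlen - int(mask))
        else:
            m = int(ipaddress.ip_address(mask))
        return (int(base_ip) & m) == (int(probe) & m)

    def matches(self, ip: str, zone: str) -> bool:
        # Address AND zone must fit: an internal address arriving on the
        # external zone is not this object, which is what defeats IP spoofing.
        return self.zone == zone and self.contains(ip)

@dataclass(frozen=True)
class Rule:
    source: str  # name of a network object or of a network group
    action: str  # "ACCEPT" or "DROP"; destination and service are omitted here

def first_match(rules, objects, groups, src_ip, src_zone, default="DROP"):
    # The first rule whose source object/group contains the packet wins.
    for rule in rules:
        for member in groups.get(rule.source, [rule.source]):
            if objects[member].matches(src_ip, src_zone):
                return rule.action
    return default

# Constructed sample configuration (not taken from the wiki page).
OBJECTS = {o.name: o for o in (
    NetObject("Host-Objekt", "192.0.2.192/32", "internal"),
    NetObject("lan-net", "192.0.2.0/24", "internal"),
    NetObject("branch-nets", "192.0.2.0/0.255.255.0", "vpn"),
)}
# Host-Objekt is in "guests" directly and in "internal-networks" via lan-net.
GROUPS = {"internal-networks": ["lan-net"], "guests": ["Host-Objekt"]}
RULES = [Rule("internal-networks", "ACCEPT"), Rule("guests", "DROP")]
```

With this rule order the DROP intended for Host-Objekt never fires because the internal-networks ACCEPT rule matches first; reversing the two rules gives the opposite result, which is the "contradictory rules" situation the Groups row warns about.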