A policy object is a single object or a
collective unit that groups discrete identities such as IP addresses,
URLs, applications, or users. With policy objects that are a collective
unit, you can reference the object in security policy instead of
manually selecting multiple objects one at a time. Typically, when
creating a policy object, you group objects that require similar
permissions in policy. For example, if your organization uses a
set of server IP addresses for authenticating users, you can group
the set of server IP addresses as an address group policy
object and reference the address group in the security policy. By
grouping objects, you can significantly reduce the administrative
overhead in creating policies.
You can create the following policy objects on the firewall:
Address/Address Group, Region
Allow you to group specific source or destination
addresses that require the same policy enforcement. The address
object can include an IPv4 or IPv6 address (single IP, range, subnet),
an IP wildcard address (IPv4 address/wildcard mask) or the FQDN.
Alternatively, a region can be defined by the latitude and longitude
coordinates or you can select a country and define an IP address
or IP range. You can then group a collection of address objects
to create an address group object.
You can also use dynamic
address groups to dynamically update IP addresses in environments
where host IP addresses change frequently.
External Dynamic Lists (EDLs) on the firewall count toward the maximum
number of address objects that a firewall model supports.
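The following is an added example, not code from the original page or from the firewall vendor: it classifies the address-object value types listed above and reports which members of an address group cover a given IP. The object names, sample addresses, and the RESOLVED table are constructed; treating a dotted suffix as a wildcard mask, and 0 bits in that mask as "must match", are assumptions.

```python
import ipaddress

def parse_address_object(value):
    """Classify one address-object value as ip, range, subnet, wildcard or fqdn."""
    if "/" in value:
        base, suffix = value.split("/", 1)
        if "." in suffix:  # assumption: dotted suffix is a wildcard mask
            return "wildcard", (int(ipaddress.IPv4Address(base)),
                                int(ipaddress.IPv4Address(suffix)))
        return "subnet", ipaddress.ip_network(value, strict=False)
    if "-" in value:
        lo, hi = value.split("-", 1)
        try:
            lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        except ValueError:
            return "fqdn", value.lower()  # hyphenated hostname, not a range
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {value}")
        return "range", (lo, hi)
    try:
        return "ip", ipaddress.ip_address(value)
    except ValueError:
        return "fqdn", value.lower()

def matches(obj, ip, resolved=None):
    """True if ip is inside the object; fqdn uses caller-supplied addresses (no DNS)."""
    kind, data = obj
    ip = ipaddress.ip_address(ip)
    if kind == "ip":
        return ip == data
    if kind == "range":
        return ip.version == data[0].version and data[0] <= ip <= data[1]
    if kind == "subnet":
        return ip.version == data.version and ip in data
    if kind == "wildcard":
        base, mask = data
        care = ~mask & 0xFFFFFFFF  # assumption: 0 bits must match, 1 bits are ignored
        return ip.version == 4 and (int(ip) & care) == (base & care)
    return str(ip) in (resolved or {}).get(data, ())

def group_matches(group, ip, resolved=None):
    """Names of the group's member objects that cover ip."""
    return [n for n, v in group.items() if matches(parse_address_object(v), ip, resolved)]

# Constructed sample group (documentation address ranges), not from the page.
AUTH_SERVERS = {"auth-single": "192.0.2.10", "auth-range": "192.0.2.20-192.0.2.29",
                "auth-subnet": "198.51.100.0/28", "auth-v6": "2001:db8:10::/64",
                "auth-wildcard": "10.1.0.5/0.0.255.0", "auth-fqdn": "login.example.com"}
RESOLVED = {"login.example.com": ["203.0.113.7"]}
```

An empty result from group_matches means no member of the group covers the address, which is a quick way to audit whether a group used in security policy is broader or narrower than intended.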
Allow you to create a list of users from
the local database, an external database, or match criteria and
Application Group and Application Filter
An Application Filter allows you to filter
applications dynamically. It allows you to filter and save a group
of applications using the attributes defined in the application
database on the firewall. For example, you can Create
an Application Filter by one or more attributes—category,
sub-category, technology, risk, characteristics. With an application
filter, when a content update occurs, any new applications that
match your filter criteria are automatically added to your saved
An Application Group allows you to create
a static group of specific applications that you want to group together
for a group of users or for a particular service, or to achieve
a particular policy goal. See Create
an Application Group.
Allows you to specify the source and destination
ports and protocol that a service can use. The firewall includes
two pre-defined services (service-http and service-https) that use
TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You
can, however, create any custom service on any TCP/UDP port of your
choice to restrict application usage to specific ports on your network
(in other words, you can define the default port for the application).
view the standard ports used by an application, in
for the application and click the link. A succinct description displays.