Objects > Address Groups
To simplify the creation of security policies, addresses that require the same security settings can be combined into address groups. An address group can be static or dynamic.
- Dynamic Address Groups: A dynamic address group populates its members dynamically using looks ups for tags and tag-based filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure where changes in virtual machine location/IP address are frequent. For example, you have a sophisticated failover setup or provision new virtual machines frequently and would like to apply policy to traffic from or to the new machine without modifying the configuration/rules on the firewall.To use a dynamic address group in policy you must complete the following tasks:
Dynamic address groups can also include statically defined address objects. If you create an address object and apply the same tags that you have assigned to a dynamic address group, that dynamic address group will include all static and dynamic objects that match the tags. You can, therefore use tags to pull together both dynamic and static objects in the same address group.
- Define a dynamic address group and reference it in a policy rule.
- Notify the firewall of the IP addresses and the corresponding tags, so that members of the dynamic address group can be formed. You can do this using external scripts that use the XML API on the firewall or, for a VMware-based environment, you can selectto configure settings on the firewall.DeviceVM Information Sources
- Static Address Groups: A static address group can include address objects that are static, dynamic address groups, or it can be a combination of both address objects and dynamic address groups.To create an address group, clickAddand fill in the following fields:
Address Group Settings
Enter a name that describes the address group (up to
63characters). This name appears in the address list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Select this option if you want the address group to be available to:
Disable override (
Select this option to prevent administrators from overriding the settings of this address group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Enter a description for the object (up to 255 characters).
To create a dynamic address group, use the match criteria is assemble the members to be included in the group. Define the
Matchcriteria using the
To view the list of attributes for the match criteria, you must have configured the firewall to access and retrieve the attributes from the source/host. Each virtual machine on the configured information source(s) is registered with the firewall and the firewall can poll the machine to retrieve changes in IP address or configuration without any modifications on the firewall.
For a static address group, click
Addand select one or more
Addto add an object or an address group to the address group. The group can contain address objects, and both static and dynamic address groups.
Members Count and Address
After you add an address group, the Members Count column on the
page indicates whether the objects in the group are populated dynamically or statically.
Recommended For You
Recommended videos not found.