H3C Firewall Products Comware 7 Web Configuration Guide-6W600, 05-Objects, 17-Object group

Object group


This help contains the following topics:

·     Introduction

      ·     Object groups

      ·     Time ranges

      ·     NAT address groups

      ·     NAT address group probing

      ·     AFT address group

      ·     DNS aging

·     Restrictions and guidelines

Introduction

Object groups

An object group is a group of objects that can be used by other service modules to identify packets. Object groups are divided into the following types:

·     IPv4 address object group—A group of IPv4 address objects used to match the IPv4 address in a packet.

·     IPv6 address object group—A group of IPv6 address objects used to match the IPv6 address in a packet.

·     MAC address object group—A group of MAC address objects used to match the MAC address in a packet.

·     Service object group—A group of service objects used to match the protocol type and protocol characteristics (such as TCP/UDP source/destination port and ICMP message type and code) in a packet.

A packet matches an object group if it matches any object in the group.

To simplify configuration, object groups can be nested: one object group can use another object group as one of its objects. A packet that matches an object in a nested group therefore also matches the group that uses it.

Time ranges

You can make a service depend on the time of day by applying a time range to it. A time-based service takes effect only during the periods specified by the time range. If the referenced time range does not exist, the service does not take effect at all.

The following basic types of time ranges are available:

·     Periodic time range—Recurs periodically on a day or days of the week.

·     Absolute time range—Represents only a period of time and does not recur.

A time range is uniquely identified by the time range name. You can create a maximum of 1024 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements. The active period of a time range is calculated as follows:

1.     Combining all periodic statements.

2.     Combining all absolute statements.

3.     Taking the intersection of the two statement sets as the active period of the time range.
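Worked example, added here and not part of the H3C guide or software: a Python model of the time-range rules above. It combines the periodic statements, combines the absolute statements, takes the intersection, enforces the stated limits (1024 time ranges, 32 periodic and 12 absolute statements), and treats a reference to a nonexistent time range as "never active". One assumption is labelled in the code: a statement set that is empty is taken to place no constraint, since the page only describes the case where both kinds are present. The keyword shorthands "daily", "working-day" and "off-day", the class names and the sample time range are this example's own.

```python
"""Time-range evaluation: periodic statements, absolute statements, and their intersection.

Added example, not H3C code.  It applies the page's rule: active period =
(union of periodic statements) intersected with (union of absolute statements).
Assumption: an empty statement set places no constraint; the page only describes
the case where both kinds are present.  Limits are the page's (1024 ranges,
32 periodic and 12 absolute statements per range).
"""
from datetime import datetime, time

MAX_TIME_RANGES, MAX_PERIODIC, MAX_ABSOLUTE = 1024, 32, 12
WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


class TimeRange:
    def __init__(self, name):
        self.name = name
        self.periodic = []   # (set of weekday numbers, start time, end time), same-day interval
        self.absolute = []   # (start datetime, end datetime)

    def add_periodic(self, days, start, end):
        """days: list of 'mon'..'sun', or one of this example's shorthand keywords."""
        if len(self.periodic) >= MAX_PERIODIC:
            raise ValueError("too many periodic statements")
        shorthands = {"daily": set(range(7)), "working-day": set(range(5)), "off-day": {5, 6}}
        dayset = shorthands[days] if isinstance(days, str) else {WEEKDAYS[d] for d in days}
        s, e = time.fromisoformat(start), time.fromisoformat(end)
        if s >= e:
            raise ValueError("a periodic statement must start before it ends on the same day")
        self.periodic.append((dayset, s, e))

    def add_absolute(self, start, end):
        if len(self.absolute) >= MAX_ABSOLUTE:
            raise ValueError("too many absolute statements")
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if s >= e:
            raise ValueError("an absolute statement must start before it ends")
        self.absolute.append((s, e))

    def _periodic_active(self, now):
        if not self.periodic:
            return True                        # assumption: no periodic statements, no constraint
        t = now.time()
        return any(now.weekday() in days and s <= t <= e for days, s, e in self.periodic)

    def _absolute_active(self, now):
        if not self.absolute:
            return True                        # assumption: no absolute statements, no constraint
        return any(s <= now <= e for s, e in self.absolute)

    def is_active(self, now):
        """Intersection of the two combined statement sets, as the page describes."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        return self._periodic_active(now) and self._absolute_active(now)


class TimeRangeTable:
    def __init__(self):
        self.ranges = {}                       # time ranges are identified by name

    def create(self, name):
        if name not in self.ranges and len(self.ranges) >= MAX_TIME_RANGES:
            raise ValueError("too many time ranges")
        return self.ranges.setdefault(name, TimeRange(name))

    def service_active(self, name, now):
        """A service bound to a time range that does not exist never takes effect."""
        tr = self.ranges.get(name)
        return tr is not None and tr.is_active(now)


def build_demo():
    """Constructed table: office hours on working days plus Saturday mornings, in 2024 only."""
    table = TimeRangeTable()
    tr = table.create("office-2024")
    tr.add_periodic("working-day", "09:00", "18:00")
    tr.add_periodic(["sat"], "10:00", "13:00")
    tr.add_absolute("2024-01-01 00:00", "2024-12-31 23:59")
    return table
```

A periodic statement is modelled as an interval within one day; an interval that wraps past midnight has to be written as two statements. The 12 and 32 statement limits are checked when a statement is added, so an over-long definition fails at configuration time rather than silently being ignored.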

NAT address groups

A NAT address group contains a group of IP segments or port ranges. It can be used by NAT for dynamic NAT translation.

For the PAT mode, you must specify address group members and a port range. For NAT444 dynamic translation, you must also specify the port block size and configure port block extending.

For the NO-PAT mode, you must specify address group members.

NAT address group probing

NAT address group probing uses an NQA template to detect the reachability of the addresses in the group.

The device periodically sends probe packets to the specified destination address in the NQA template. The source IP addresses in the probe packets are the IP addresses in the NAT address group.

·     If the device receives a response packet for a probe, the probed source IP address can be used for address translation.

·     If the device does not receive a response packet for a probe, the probed source IP address will be excluded from address translation temporarily. However, in the next NQA operation period, this excluded IP address is also probed. If a response is received in this round, the IP address can be used for address translation.
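Worked example, added here and not part of the H3C guide or software: a Python simulation of the probing cycle described above, including the rule stated under "Restrictions and guidelines" below that several NQA templates may be bound and an address counts as reachable as soon as one probe succeeds. The probe is an injected function fed with constructed results so the example runs offline; on the device it is the NQA operation. Class names, the address ranges and the template names are this example's own assumptions.

```python
"""NAT address-group probing: which addresses may be used for translation in each period.

Added example, not H3C code.  It simulates the behaviour the page describes: in every NQA
operation period each address in the group is the source of a probe towards each bound
template's destination; an address that gets no response is excluded until a later period
in which a probe succeeds, and with several templates one successful probe is enough.
The probe function is injected so the example runs offline on constructed results; on the
device the probe is the NQA operation.  Names and sample addresses are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NqaTemplate:
    name: str
    destination: str       # probed address; the template itself must not fix a source address


@dataclass
class NatAddressGroup:
    group_id: int
    addresses: list
    templates: list = field(default_factory=list)
    excluded: set = field(default_factory=set)   # temporarily unusable for translation

    @classmethod
    def from_range(cls, group_id, first, last):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        return cls(group_id, [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)])

    def run_probe_period(self, probe):
        """One NQA period. `probe(source, destination)` returns True if a response arrived.

        The source is each group address in turn, which is why the NQA template must not
        carry a source address of its own.  Excluded addresses are probed again as well.
        """
        if not self.templates:
            return                               # no probing configured: nothing is excluded
        for src in self.addresses:
            if any(probe(src, t.destination) for t in self.templates):
                self.excluded.discard(src)       # reachable through at least one template
            else:
                self.excluded.add(src)

    def usable(self):
        return [a for a in self.addresses if a not in self.excluded]


def simulate():
    """Constructed scenario over two periods; returns the usable list after each one.

    Period 1: .11 answers only via isp-b (stays usable), .12 answers nobody (excluded).
    Period 2: .12 answers via isp-b again, so it returns to the pool.
    """
    group = NatAddressGroup.from_range(1, "203.0.113.10", "203.0.113.13")
    group.templates = [NqaTemplate("isp-a", "198.51.100.1"), NqaTemplate("isp-b", "198.51.100.2")]
    silent = {  # (period, source, destination) triples that get no response; all others answer
        (1, "203.0.113.11", "198.51.100.1"),
        (1, "203.0.113.12", "198.51.100.1"), (1, "203.0.113.12", "198.51.100.2"),
        (2, "203.0.113.12", "198.51.100.1"),
    }
    history = []
    for period in (1, 2):
        group.run_probe_period(lambda src, dst, p=period: (p, src, dst) not in silent)
        history.append(group.usable())
    return history
```

The exclusion is per period and never permanent: an address that failed in one period is probed again in the next and is reinstated on the first success, which matches the recovery behaviour described above.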

AFT address group

An AFT address group contains a group of IP segments. It can be used by AFT (NAT64) for dynamic AFT translation.

Support for the AFT address group depends on the device model.

DNS aging

In load-sharing scenarios where a host name corresponds to multiple IP addresses, the IP address converted from a host name might change frequently. By default, the object group module notifies the relevant policies (including security policies) every time the converted address changes, which might cause frequent policy acceleration and consume a large amount of memory.

To resolve this issue, you can enable DNS aging so that IP addresses converted from a host name age out instead of being replaced on every change.

With this feature enabled, the object group module maintains an IP address group for each host name. If an address converted from a host name does not exist in the group, the system adds the address to the group and notifies the new IP address range to relevant policies. If a converted address already exists in the group, the system does not notify policies but updates the address aging time instead. After an address ages out, the system notifies the relevant policies of the address deletion. This reduces policy acceleration and memory consumption.
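Worked example, added here and not part of the H3C guide or software: a Python model of the aging logic described above, with the default replace-on-change behaviour beside it for comparison. Time is passed in explicitly and the resolver answers are constructed (a round-robin style rotation of the same three addresses), so the example runs offline. Class and method names, the aging time and the host names are this example's own assumptions.

```python
"""DNS aging for host-name objects: notify policies only when membership really changes.

Added example, not H3C code.  It implements the behaviour the page describes.  Without
aging, a differing address set on each resolution is notified to the policies in full.
With aging, each host name keeps an address set with a per-address timer: a new address
is added and notified, a known address only has its timer refreshed, and an address is
removed and notified once its timer expires.  Time is passed in explicitly and the
resolver answers are constructed, so the example runs offline.  Names are this example's own.
"""


class HostNameObjects:
    def __init__(self, aging_time, dns_aging=True):
        self.aging_time = aging_time   # seconds an address stays in the set after its last resolution
        self.dns_aging = dns_aging
        self.table = {}                # host name -> {address: expiry time}
        self.notifications = []        # (event, host, address) messages sent to the policies

    def resolved(self, host, addresses, now):
        """Called each time `host` is resolved to `addresses` (list of strings) at time `now`."""
        entry = self.table.setdefault(host, {})
        if not self.dns_aging:
            # Default behaviour: every change of the converted address set is notified whole,
            # which is what triggers repeated policy acceleration under round-robin DNS.
            if set(addresses) != set(entry):
                entry.clear()
                entry.update({a: None for a in addresses})
                self.notifications.append(("replace", host, tuple(sorted(addresses))))
            return
        for addr in addresses:
            if addr not in entry:
                self.notifications.append(("add", host, addr))   # only a genuinely new address
            entry[addr] = now + self.aging_time                  # new or refreshed timer

    def age_out(self, now):
        """Periodic aging pass: drop expired addresses and notify the deletions."""
        if not self.dns_aging:
            return
        for host, entry in self.table.items():
            for addr in [a for a, expiry in entry.items() if expiry <= now]:
                del entry[addr]
                self.notifications.append(("delete", host, addr))

    def addresses(self, host):
        return sorted(self.table.get(host, {}))


def simulate(dns_aging):
    """Constructed round-robin answers for one host name: the same three addresses, rotating.

    Returns the notification list after three resolutions ten seconds apart, an aging pass
    after each, and a final aging pass long after every timer has expired.
    """
    objs = HostNameObjects(aging_time=60, dns_aging=dns_aging)
    answers = [["192.0.2.1", "192.0.2.2"], ["192.0.2.2", "192.0.2.3"], ["192.0.2.3", "192.0.2.1"]]
    for i, ans in enumerate(answers):
        objs.resolved("app.example", ans, now=i * 10)
        objs.age_out(now=i * 10)
    objs.age_out(now=200)
    return objs.notifications
```

With aging enabled the three rotating answers produce exactly three "add" notifications, one per distinct address, and the deletions only arrive once the addresses have stopped appearing for the whole aging time. With aging disabled every rotation is a change and is notified in full. The aging time is a trade-off: too short and addresses flap in and out of the policies again; too long and an address the resolver has stopped returning keeps matching traffic until its timer runs out.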

Support for DNS aging depends on the device model.

Restrictions and guidelines

·     The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.

·     Two object groups cannot use each other at the same time.

·     You can specify multiple NQA templates for one NAT address group. An IP address in the address group is identified as reachable as long as one probe for this IP address succeeds.

·     Make sure the NQA template used for NAT address group probing does not have source IP address configured.
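Worked example, added here and not part of the H3C guide or software: a Python model of object groups that serves both the "Object groups" introduction and the two nesting rules above. It implements the any-object matching rule for IPv4 address and service objects (subnet, host, range; protocol with port ranges or ICMP type and code), evaluates nested groups, and refuses a nesting that would exceed five hierarchy layers or make two groups use each other. Class and method names, the Packet fields, the sample groups and the sample addresses are this example's own assumptions, not device APIs.

```python
"""Object-group matching with nesting, and the nesting rules the device enforces.

Added example, not H3C code.  Rules modelled from the page: a packet matches a group if it
matches any object in the group or in a nested group; at most five hierarchy layers; two
groups may not use each other.  Class, method and field names are this example's own.
"""
import ipaddress
from collections import namedtuple

MAX_LAYERS = 5  # hierarchy limit from "Restrictions and guidelines"

# Constructed packet summary: only the fields object groups inspect.
Packet = namedtuple("Packet", "src dst proto sport dport icmp_type icmp_code",
                    defaults=(0, 0, -1, -1))


def _in(rng, value):                 # rng is (low, high) or None for "any"
    return rng is None or rng[0] <= value <= rng[1]


class ObjectGroup:
    def __init__(self, name, kind):          # kind: "ipv4" or "service"
        self.name, self.kind = name, kind
        self.objects = []    # leaf objects owned by this group
        self.members = []    # nested groups used as objects
        self.parents = []    # groups that use this group (needed for the layer limit)

    def add_address(self, spec):             # host ("10.2.0.5") or subnet ("10.1.0.0/24")
        self.objects.append(("net", ipaddress.ip_network(spec, strict=False)))

    def add_range(self, first, last):
        self.objects.append(("range", ipaddress.ip_address(first), ipaddress.ip_address(last)))

    def add_service(self, proto, sport=None, dport=None, icmp_type=None, icmp_code=None):
        self.objects.append(("service", proto, sport, dport, icmp_type, icmp_code))

    def uses(self, other):                   # is `other` reachable through this group's nesting?
        return any(m is other or m.uses(other) for m in self.members)

    def depth(self):                         # layers from here down; a group without nesting is 1
        return 1 + max((m.depth() for m in self.members), default=0)

    def layers_above(self):                  # longest chain of groups that use this one
        return max((1 + p.layers_above() for p in self.parents), default=0)

    def add_group(self, other):
        """Nest `other` under this group, refusing what the device refuses."""
        if other.kind != self.kind:
            raise ValueError("a nested group must have the same type as its parent")
        if other is self or other.uses(self):
            raise ValueError(f"{self.name} and {other.name} would use each other")
        if self.layers_above() + 1 + other.depth() > MAX_LAYERS:
            raise ValueError(f"nesting {other.name} under {self.name} exceeds {MAX_LAYERS} layers")
        self.members.append(other)
        other.parents.append(self)

    def _match_leaf(self, obj, pkt, side):
        if self.kind == "ipv4":
            addr = ipaddress.ip_address(pkt.src if side == "src" else pkt.dst)
            return addr in obj[1] if obj[0] == "net" else obj[1] <= addr <= obj[2]
        _, proto, sport, dport, itype, icode = obj
        if proto != pkt.proto:
            return False
        if proto == "icmp":
            return (itype is None or itype == pkt.icmp_type) and (icode is None or icode == pkt.icmp_code)
        return _in(sport, pkt.sport) and _in(dport, pkt.dport)

    def matches(self, pkt, side="dst"):
        """True if any object matches, here or in a nested group; `side` picks the IPv4 address."""
        if any(self._match_leaf(o, pkt, side) for o in self.objects):
            return True
        return any(m.matches(pkt, side) for m in self.members)


def build_demo():
    """Constructed groups: 'servers' nests 'web'; 'https' and 'echo' are service groups."""
    web = ObjectGroup("web", "ipv4")
    web.add_address("10.1.0.0/24")
    web.add_range("10.1.1.10", "10.1.1.20")
    servers = ObjectGroup("servers", "ipv4")
    servers.add_address("10.2.0.5")
    servers.add_group(web)
    https = ObjectGroup("https", "service")
    https.add_service("tcp", dport=(443, 443))
    echo = ObjectGroup("echo", "service")
    echo.add_service("icmp", icmp_type=8, icmp_code=0)
    return servers, web, https, echo


def can_nest(parent, child):
    """Report whether the device would accept nesting `child` under `parent`."""
    try:
        parent.add_group(child)
        return True
    except ValueError:
        return False
```

The layer check counts the chain above the parent as well as the chain below the child, which is what makes the page's example come out right: in a chain of five groups the bottom group cannot gain a child and the top group cannot gain a parent, while a group in the middle can still take a leaf group if the result stays within five layers. The mutual-use check walks the candidate child's nesting to see whether it already reaches the parent, so indirect cycles are refused as well as direct ones.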
