Login
- Table of Contents
-
- 03-Security Configuration Guide
- 00-Preface
- 01-Security zone configuration
- 02-Security policy configuration
- 03-ASPF configuration
- 04-Session management
- 05-Object group configuration
- 06-IP source guard configuration
- 07-AAA configuration
- 08-802.1X configuration
- 09-User identification configuration
- 10-Password control configuration
- 11-Portal configuration
- 12-MAC authentication configuration
- 13-IPoE configuration
- 14-Public key management
- 15-PKI configuration
- 16-SSH configuration
- 17-SSL configuration
- 18-Connection limit configuration
- 19-Attack detection and prevention configuration
- 20-Server connection detection configuration
- 21-ARP attack protection configuration
- 22-ND attack defense configuration
- 23-uRPF configuration
- 24-IP-MAC binding configuration
- 25-APR configuration
- 26-Keychain configuration
- 27-Crypto engine configuration
- 28-MAC learning through a Layer 3 device configuration
- 29-SMS configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 05-Object group configuration | 73.45 KB |
Contents
Restrictions and guidelines: Object group configuration
Configuring a MAC address object group
Configuring an IPv4 address object group
Configuring an IPv6 address object group
Configuring a service object group
Configuring aging of DNS-resolved IP addresses from host names
Display and maintenance commands for object groups
Configuring object groups
About object groups
An object group is a group of objects that can be used by an ACL to identify packets. Object groups are divided into the following types:
· MAC address object group—A group of MAC address objects used to match the MAC address in a packet.
· IPv4 address object group—A group of IPv4 address objects used to match the IPv4 address in a packet or match the user from whom a packet comes.
· IPv6 address object group—A group of IPv6 address objects used to match the IPv6 address in a packet or match the user from whom a packet comes.
· Service object group—A group of service objects used to match the upper-layer service in a packet.
Restrictions and guidelines: Object group configuration
You cannot edit an object group if the group is used by a global static NAT rule.
Configuring a MAC address object group
1. Enter system view.
system-view
2. Create a MAC address object group and enter its view.
object-group mac-address object-group-name
The system has one default IPv4 address object group named any.
3. (Optional.) Configure a description for the MAC address object group.
description text
By default, an object group does not have a description.
4. Configure a MAC address object.
[ object-id ] mac { mac-address | group-object group-object-name }
5. Configure a description for the MAC address object.
object object-id description text
By default, a MAC address object does not have a description.
Configuring an IPv4 address object group
1. Enter system view.
system-view
2. Create an IPv4 address object group and enter its view.
object-group ip address object-group-name
The system has one default IPv4 address object group named any.
3. (Optional.) Configure a description for the IPv4 address object group.
description text
By default, an object group does not have a description.
4. Configure an IPv4 address object.
[ object-id ] network { host { address ip-address | name host-name [ vpn-instance vpn-instance-name ] } | subnet ip-address { mask-length | mask | wildcard wildcard } | range ip-address1 ip-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] }
5. Configure a description for the IPv4 address object.
object object-id description text
By default, an IPv4 address object does not have a description.
6. Exclude an IPv4 address or a subnet from the IPv4 address object.
object-id network exclude { ip-address | subnet ip-address { mask-length | mask } }
By default, no IPv4 address in an IPv4 address object is excluded.
7. (Optional.) Specify a security zone for the IPv4 address object group.
security-zone security-zone-name
By default, no security zone is specified for an IPv4 address object group.
Configuring an IPv6 address object group
1. Enter system view.
system-view
2. Create an IPv6 address object group and enter its view.
object-group ipv6 address object-group-name
The system has one default IPv6 address object group named any.
3. (Optional.) Configure a description for the IPv6 address object group.
description text
By default, an object group does not have a description.
4. Configure an IPv6 address object.
[ object-id ] network { host { address ipv6-address | name host-name [ vpn-instance vpn-instance-name ] } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] }
5. Configure a description for an IPv6 address object.
object object-id description text
By default, an IPv6 address object does not have a description.
6. Exclude an IPv6 address or a subnet from the IPv6 address object.
object-id network exclude { ip-address | subnet ipv6-address prefix-length }
By default, no IPv6 address in an IPv6 address object is excluded.
7. (Optional.) Specify a security zone for the IPv6 address object group.
security-zone security-zone-name
By default, no security zone is specified for an IPv6 address object group.
Configuring a service object group
1. Enter system view.
system-view
2. Create a service object group and enter its view.
object-group service object-group-name
The system has multiple default service object groups.
3. (Optional.) Configure a description for the service object group.
description text
By default, an object group does not have a description.
4. Configure a service object.
[ object-id ] service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] | group-object object-group-name }
5. Configure a description for the service object.
object object-id description text
By default, a service object does not have a description.
Renaming an object group
1. Enter system view.
system-view
2. Rename an object group.
object-group rename old-object-group-name new-object-group-name
You can only rename non-default object groups.
Configuring aging of DNS-resolved IP addresses from host names
About this task
In load balancing scenarios where one host name maps to several IP addresses, DNS-resolved IP address for a host name changes between these mapping addresses. Upon every change, the object group module notifies relevant policies (such as security policy) of the change, which causes policies to submit changes frequently and consumes memory. To resolve this issue, you can enable aging of DNS-resolved IP addresses from host names.
With this feature enabled, the system maintains an IP address group for each host name. If a resolved IP address is not in the group, the system adds the address to the group and notifies relevant policies of the change. If a resolved IP address is in the group, the system does not notify relevant policies.
Hardware and feature compatibility
|
F1000 series |
Models |
Feature compatibility |
|
F1000-X-G5 series |
F1000-A-G5, F1000-E-G5, F1000-H-G5, F1000-S-G5 |
Yes |
|
F1000-C-G5, F1000-C-G5-LI |
No |
|
|
F1000-X-G3 series |
F1000-A-G3, F1000-C-G3, F1000-E-G3, F1000-S-G3 |
Yes |
|
F1000-X-G2 series |
F1000-A-G2, F1000-C-G2, F1000-E-G2, F1000-S-G2 |
Yes |
|
F1000-9X0-AI series |
F1000-9390-AI, F1000-9385-AI, F1000-9380-AI, F1000-9370-AI, F1000-990-AI, F1000-980-AI, F1000-970-AI, F1000-960-AI, F1000-950-AI, F1000-930-AI, F1000-920-AI, F1000-910-AI, F1000-905-AI |
Yes |
|
F1000-9360-AI, F1000-9350-AI, F1000-9330-AI, F1000-9320-AI |
No |
|
|
F1000-C83X0 series |
F1000-C8395, F1000-C8390, F1000-C8385, F1000-C8380 |
Yes |
|
F1000-C8370, F1000-C8360, F1000-C8350, F1000-C8330 |
No |
|
|
F1000-C81X0 series |
F1000-C8180, F1000-C8170, F1000-C8160, F1000-C8150, F1000-C8130, F1000-C8120, F1000-C8110 |
Yes |
|
F1000-7X0-HI series |
F1000-770-HI, F1000-720-HI, F1000-710-HI |
Yes |
|
F1000-750-HI, F1000-740-HI, F1000-730-HI |
No |
|
|
F1000-C-X series |
F1000-C-EI, F1000-C-HI, F1000-C-XI |
Yes |
|
F1000-E-XI |
No |
|
|
F1000-V series |
F1000-E-VG, F1000-S-VG |
Yes |
|
SecBlade IV |
LSPM6FWD8, LSQM2FWDSC8 |
No |
|
F100 series |
Models |
Feature compatibility |
|
F100-X-G5 series |
F100-A-G5, F100-C-G5 |
Yes |
|
F100-E-G5, F100-M-G5, F100-S-G5 |
No |
|
|
F100-X-G3 series |
F100-A-G3, F100-C-G3, F100-E-G3, F100-M-G3, F100-S-G3 |
Yes |
|
F100-X-G2 series |
F100-A-G2, F100-C-G2, F100-E-G2, F100-M-G2, F100-S-G2 |
Yes |
|
F100-WiNet series |
F100-A80-WiNet, F100-C80-WiNet, F100-C60-WiNet, F100-C50-WiNet, F100-S80-WiNet |
Yes |
|
F100-A81-WiNet, F100-A91-WiNet |
No |
|
|
F100-C-A series |
F100-C-A6, F100-C-A5, F100-C-A3, F100-C-A2, F100-C-A1, F100-C-A6-WL, F100-C-A5-W, F100-C-A3-W |
Yes |
|
F100-X-XI series |
F100-A-EI, F100-A-HI, F100-A-SI, F100-C-EI, F100-C-HI, F100-C-XI, F100-E-EI, F100-S-HI, F100-S-XI |
Yes |
Restrictions and guidelines
As a best practice, set the aging time to be longer than the TTL of resolution records on the DNS server.
Procedure
1. Enter system view.
system-view
2. Enable aging of DNS-resolved IP addresses from host names.
object-group dns-aging [ time aging-time ]
By default, aging of DNS-resolved IP addresses from host names is disabled.
Display and maintenance commands for object groups
Execute display commands in any view.
|
Task |
Command |
|
Display information about object groups. |
display object-group [ { { ip | ipv6 } address | mac-address | service } [ default ] [ name object-group-name ] | name object-group-name ] |
|
Display IPv4 or IPv6 addresses for host names. |
display object-group { ip | ipv6 } host { object-group-name object-group-name | name host-name [ vpn-instance vpn-instance-name ] } * [ slot slot-number [ cpu cpu-number ] ] |
