03-Security Command Reference

H3C SecPath Firewall Series Command Reference(V7)-6W601, 03-Security Command Reference
05-Object group commands

Object group commands

description

Use description to configure a description for an object group.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for an object group.

Views

Object group view

Predefined user roles

network-admin

context-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Examples

# Configure the description as This is an IPv4 object-group for an IPv4 address object group.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] description This is an IPv4 object-group

display object-group

Use display object-group to display information about object groups.

Syntax

display object-group [ { { ip | ipv6 } address | mac-address | service } [ default ] [ name object-group-name ] | name object-group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

ip address: Specifies the IPv4 address object groups.

ipv6 address: Specifies the IPv6 address object groups.

mac-address: Specifies the MAC address object groups.

service: Specifies the service object groups.

default: Specifies the default object groups.

name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 63 characters.

Examples

# Display information about all object groups.

<Sysname> display object-group

IP address object group obj1: 0 object(in use)

 

IP address object group obj2: 6 objects(out of use)

0 network host address 1.1.1.1

object 0 description this is a description for object 0

10 network host name host

object 10 description this is a description for object 10

20 network subnet 1.1.1.1 255.255.255.0

30 network range 1.1.1.1 1.1.1.2

40 network group-object obj1

50 network user-group group1

 

IPv6 address object-group obj3: 0 object(in use)

 

IPv6 address object-group obj4: 5 objects(out of use)

0 network host address 1::1:1

10 network host name host

20 network subnet 1::1:0 112

30 network range 1::1:1 1::1:2

40 network group-object obj3

 

Service object-group obj5: 0 object(in use)

 

Service object-group obj6: 6 objects(out of use)

0 service 200

10 service tcp source lt 50 destination range 30 40

20 service udp source range 30 40 destination gt 30

30 service icmp 20 20

40 service icmpv6 20 20

50 service group-object obj5

 

 

MAC object-group obj7: 0 object(in use)

 

MAC object-group obj8: 2 objects(out of use)

0 MAC address 0010-dc28-11ac

10 MAC group-object obj7

# Display information about object group obj2.

<Sysname> display object-group name obj2

IP address object-group obj2: 5 objects(out of use)

0 network host address 1.1.1.1

10 network host name host

20 network subnet 1.1.1.1 255.255.255.0

30 network range 1.1.1.1 1.1.1.2

40 network group-object obj1

# Display information about all IPv4 address object groups.

<Sysname> display object-group ip address

IP address object-group obj1: 0 object(in use)

 

IP address object-group obj2: 5 objects(out of use)

0 network host address 1.1.1.1

10 network host name host

20 network subnet 1.1.1.1 255.255.255.0

30 network range 1.1.1.1 1.1.1.2

40 network group-object obj1

# Display information about IPv6 address object group obj4.

<Sysname> display object-group ipv6 address name obj4

IPv6 address object-group obj4: 5 objects(out of use)

0 network host address 1::1:1

10 network host name host

20 network subnet 1::1:0 112

30 network range 1::1:1 1::1:2

40 network group-object obj3

Table 1 Command output

Field        Description
in use       The object group is used by an ACL or object group.
out of use   The object group is not used.

display object-group host

Use display object-group host to display IPv4 or IPv6 addresses for host names.

Syntax

display object-group { ip | ipv6 } host { object-group-name object-group-name | name host-name [ vpn-instance vpn-instance-name ] } * [ slot slot-number ]


Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

object-group-name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays information about the specified host name.

name host-name: Specifies a host by its name, a case-insensitive string of 1 to 60 characters. If you do not specify this option, the command displays information about all the included and excluded host names in the specified object group.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the host belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the host resides on the public network, do not specify this option.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify this option, this command displays information about host names of all member devices.

Examples

# Display IPv4 addresses for host name www.a.com in object group group1.

[Sysname] display object-group ip host object-group-name group1 name www.a.com

Object group       : group1

  Object ID        : 0

    Host name      : www.a.com

    VPN instance   : -

      Updated at   : 2019-05-20 11:04:24

      IP addresses :

        169.0.0.10

        169.0.0.11

# Display IPv6 addresses for all host names in object group group1.

<Sysname> display object-group ipv6 host object-group-name group1

Object group : group1

  Object ID        : 0

    Host name      : www.a.com

    VPN instance   : -

      Updated at   : 2019-05-20 11:04:24

      IP addresses :

        169:0::0:10

        169:0::0:11

  Object ID        : 10

    Host name      : www.b.com

    VPN instance   : -

      Updated at   : 2019-05-20 11:04:24

      IP addresses :

        169:0::0:11

        169:0::0:12

Related commands

object-group

mac

Use mac to configure a MAC address object.

Use undo mac to delete a MAC address object.

Syntax

[ object-id ] mac { mac-address | group-object object-group-name }

undo mac { mac-address | group-object object-group-name }

undo object-id

Default

No MAC address objects exist.

Views

MAC address object group view

Predefined user roles

network-admin

context-admin

Parameters

object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.

mac-address: Specifies a MAC address in format H-H-H.

group-object object-group-name: Specifies a MAC address object group by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can execute this command multiple times to create multiple MAC address objects for a MAC address object group.

This command creates a MAC address object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.

When you use the group-object object-group-name option, follow these guidelines:

·     The object group to be used must be a MAC address object group.

·     If the specified object group does not exist, the system creates a MAC address object group with the name you specified and uses the object group for the object.

·     Two object groups cannot use each other at the same time.

·     The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.

Examples

# Configure a MAC address object with MAC address 0010-dc28-a4e9.

<Sysname> system-view

[Sysname] object-group mac-address groupmac

[Sysname-obj-grp-mac-groupmac] mac 0010-dc28-a4e9

Related commands

display object-group

object-group

network (IPv4 address object group view)

Use network to configure an IPv4 address object.

Use undo network to delete an IPv4 address object.

Syntax

[ object-id ] network { host { address ip-address | name host-name [ vpn-instance vpn-instance-name ] } | subnet ip-address { mask-length | mask | wildcard wildcard } | range ip-address1 ip-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] }

undo network { host { address ip-address | name host-name [ vpn-instance vpn-instance-name ] } | subnet ip-address { mask-length | mask | wildcard wildcard } | range ip-address1 ip-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] }

undo object-id

Default

No IPv4 address objects exist.

Views

IPv4 address object group view

Predefined user roles

network-admin

context-admin

Parameters

object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.

host: Configures an IPv4 address object with the host address or name.

address ip-address: Specifies an IPv4 host address.

name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters. This parameter supports fuzzy matching. You can add an asterisk (*) to the front, end, or both of a string to indicate all host names that include the string. If no asterisks are attached, the system performs exact matching with the specified host name.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the host belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the host resides on the public network, do not specify this option.

subnet ip-address { mask-length | mask | wildcard wildcard }: Configures an IPv4 address object with the subnet address followed by a mask length in the range of 0 to 32 or a mask in dotted decimal notation. The wildcard wildcard option specifies a wildcard mask in dotted decimal notation. A wildcard mask of zeros represents a host address.

range ip-address1 ip-address2: Configures an IPv4 address object with the address range.

group-object object-group-name: Specifies an IPv4 address object group by its name, a case-insensitive string of 1 to 63 characters.

user user-name: Specifies a user by its name, a case-sensitive string of 1 to 55 characters.

user-group user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

domain domain-name: Specifies the name of a domain to which the user or the user group belongs, a case-insensitive string of 1 to 255 characters. The string cannot contain question marks (?). If you do not specify this option, the command considers that the user or the user group does not belong to any domains.

Usage guidelines

This command fails if you use it to configure or change an IPv4 address object to be identical with an existing object.

This command creates an IPv4 address object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.

If you configure a subnet with the mask length of 32 or the mask of 255.255.255.255, the system configures the object with a host address.

When you use the range ip-address1 ip-address2 option, follow these guidelines:

·     If ip-address1 is equal to ip-address2, the system configures the object with a host address.

·     If ip-address1 is not equal to ip-address2, the system compares the two IPv4 addresses, configures a range starting with the lower IPv4 address, and performs the following operations:

¡     Configures the object with an address range if the two addresses are in different subnets.

¡     Configures the object with a subnet address if the two addresses are in the same subnet.

When you use the group-object object-group-name option, follow these guidelines:

·     The object group to be used must be an IPv4 address object group.

·     If the specified object group does not exist, the system creates an IPv4 address object group with the name you specified and uses the object group for the object.

·     Two object groups cannot use each other at the same time.

·     The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.

Examples

# Configure an IPv4 address object with the host address of 192.168.0.1.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network host address 192.168.0.1

# Configure an IPv4 address object with exact-matching host name pc3.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network host name pc3

# Configure an IPv4 address object with fuzzy-matching host name abc.

<Sysname> system-view

[Sysname] object-group ip address ipgroup1

[Sysname-obj-grp-ip-ipgroup1] network host name *abc*

# Configure an IPv4 address object with the IPv4 address of 192.167.0.0 and mask length of 24.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network subnet 192.167.0.0 24

# Configure an IPv4 address object with the IPv4 address of 192.166.0.0 and mask of 255.255.0.0.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network subnet 192.166.0.0 255.255.0.0

# Configure an IPv4 address object with the address range of 192.165.0.100 to 192.165.0.200.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network range 192.165.0.100 192.165.0.200

# Configure an IPv4 address object using object group ipgroup2.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network group-object ipgroup2

# Configure an IPv4 address object with the IPv4 address of 192.168.0.1 and wildcard mask of 0.0.255.0.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network subnet 192.168.0.1 wildcard 0.0.255.0

# Configure an IPv4 address object using user user1 in domain domain1.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network user user1 domain domain1

# Configure an IPv4 address object using user group usergroup1 in domain domain1.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network user-group usergroup1 domain domain1

network (IPv6 address object group view)

Use network to configure an IPv6 address object.

Use undo network to delete an IPv6 address object.

Syntax

[ object-id ] network { host { address ipv6-address | name host-name [ vpn-instance vpn-instance-name ] } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] }

undo network { host { address ipv6-address | name host-name [ vpn-instance vpn-instance-name ] } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] }

undo object-id

Default

No IPv6 address objects exist.

Views

IPv6 address object group view

Predefined user roles

network-admin

context-admin

Parameters

object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.

host: Configures an IPv6 address object with the host address or name.

address ipv6-address: Specifies an IPv6 host address.

name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters. This parameter supports fuzzy matching. You can add an asterisk (*) to the front, end, or both of a string to indicate all host names that include the string. If no asterisks are attached, the system performs exact matching with the specified host name.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the host belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the host resides on the public network, do not specify this option.

subnet ipv6-address prefix-length: Configures an IPv6 address object with the subnet address followed by the prefix length in the range of 1 to 128.

range ipv6-address1 ipv6-address2: Configures an IPv6 address object with the address range.

group-object object-group-name: Specifies an IPv6 address object group by its name, a case-insensitive string of 1 to 63 characters.

user user-name: Specifies a user by its name, a case-sensitive string of 1 to 55 characters.

user-group user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

domain domain-name: Specifies the name of a domain to which the user or the user group belongs, a case-insensitive string of 1 to 255 characters. The string cannot contain question marks (?). If you do not specify this option, the command considers that the user or the user group does not belong to any domains.

Usage guidelines

This command fails if you use it to configure or change an IPv6 address object to be identical with an existing object.

This command creates an IPv6 address object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.

If you configure a subnet address with the prefix length of 128, the system configures the object with a host address.

When you use the range ipv6-address1 ipv6-address2 option, follow these guidelines:

·     If ipv6-address1 is equal to ipv6-address2, the system configures the object with a host address.

·     If ipv6-address1 is not equal to ipv6-address2, the system compares the two IPv6 addresses, configures a range starting with the lower IPv6 address, and performs the following operations:

¡     Configures the object with an address range if the two addresses are in different subnets.

¡     Configures the object with a subnet address if the two addresses are in the same subnet.
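The range and subnet normalization rules above (and the identical rules in the IPv4 address object group view) modelled in Python, as an added example that is not part of the H3C manual. It assumes that "in the same subnet" means the ordered range exactly covers one subnet, and that host bits of a subnet address are cleared; both are assumptions, not statements from the manual.

```python
import ipaddress


def normalize_range(addr1: str, addr2: str) -> tuple:
    """Model `network range addr1 addr2` as the usage guidelines describe.

    Equal endpoints become a host object; otherwise the endpoints are ordered
    low-to-high and the result is a subnet object when the range is exactly one
    subnet (assumed reading of "in the same subnet"), else a range object.
    """
    a, b = ipaddress.ip_address(addr1), ipaddress.ip_address(addr2)
    if a.version != b.version:
        raise ValueError("both endpoints must be the same IP version")
    if a == b:                                   # equal endpoints: stored as a host address
        return ("host", str(a))
    lo, hi = (a, b) if a < b else (b, a)         # range always starts with the lower address
    blocks = list(ipaddress.summarize_address_range(lo, hi))
    if len(blocks) == 1:                         # lo..hi is exactly one CIDR block
        return ("subnet", str(blocks[0]))
    return ("range", str(lo), str(hi))


def normalize_subnet(addr: str, mask) -> tuple:
    """Model `network subnet addr { mask-length | mask }` (IPv4) or `network subnet addr prefix-length` (IPv6).

    A /32, /128 or 255.255.255.255 mask yields a host object, as the guidelines state.
    The manual does not say how host bits are treated; this example clears them
    (strict=False), which is an assumption.
    """
    net = ipaddress.ip_network((addr, mask), strict=False)
    if net.prefixlen == net.max_prefixlen:
        return ("host", str(net.network_address))
    return ("subnet", str(net))


if __name__ == "__main__":
    # Inputs taken from the manual's own examples
    print(normalize_range("192.165.0.100", "192.165.0.200"))   # range, not a whole subnet
    print(normalize_range("10.0.0.255", "10.0.0.0"))           # reordered, exactly /24 -> subnet
    print(normalize_subnet("192.166.0.0", "255.255.0.0"))      # dotted mask accepted
    print(normalize_subnet("1::1", 128))                        # /128 -> host
```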

When you use the group-object object-group-name option, follow these guidelines:

·     The object group to be used must be an IPv6 address object group.

·     If the specified object group does not exist, the system creates an IPv6 address object group with the name you specified and uses the object group for the object.

·     Two object groups cannot use each other at the same time.

·     The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.
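A checker for the two group-object nesting rules stated here and in the mac and IPv4 network guidelines (no mutual use, at most five hierarchy layers), as an added example that is not part of the H3C manual. Group names g0 to g6 and the in-memory dictionary are constructed for illustration.

```python
from typing import Dict, Set

MAX_LAYERS = 5  # "maximum of five object group hierarchy layers"


class NestingError(ValueError):
    """Raised when a group-object reference would violate the nesting rules."""


def _depth_below(groups: Dict[str, Set[str]], name: str) -> int:
    """Layers in the longest chain starting at `name` (name itself counts as one layer)."""
    children = groups.get(name, set())
    return 1 if not children else 1 + max(_depth_below(groups, c) for c in children)


def _depth_above(groups: Dict[str, Set[str]], name: str) -> int:
    """Layers in the longest chain of groups that use `name` (name counts as one layer)."""
    parents = [p for p, kids in groups.items() if name in kids]
    return 1 if not parents else 1 + max(_depth_above(groups, p) for p in parents)


def _reaches(groups: Dict[str, Set[str]], src: str, dst: str) -> bool:
    """True if dst is reachable from src through group-object references."""
    stack, seen = [src], set()
    while stack:
        cur = stack.pop()
        if cur == dst:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(groups.get(cur, ()))
    return False


def add_group_object(groups: Dict[str, Set[str]], parent: str, child: str) -> int:
    """Model `group-object child` entered in the view of `parent`.

    Returns the number of hierarchy layers the longest chain through this new
    edge would have; raises NestingError if a rule is violated.
    """
    if parent == child or _reaches(groups, child, parent):
        raise NestingError(f"{parent} and {child} would use each other")
    # chain above parent (including parent) joined to chain below child (including child)
    layers = _depth_above(groups, parent) + _depth_below(groups, child)
    if layers > MAX_LAYERS:
        raise NestingError(f"{parent} -> {child} would create {layers} layers (max {MAX_LAYERS})")
    # Per the guidelines, an unknown child group is created (empty) on first use.
    groups.setdefault(parent, set()).add(child)
    groups.setdefault(child, set())
    return layers


def is_allowed(groups: Dict[str, Set[str]], parent: str, child: str) -> bool:
    """Dry-run add_group_object on a copy; True if the reference would be accepted."""
    try:
        add_group_object({k: set(v) for k, v in groups.items()}, parent, child)
        return True
    except NestingError:
        return False


if __name__ == "__main__":
    g: Dict[str, Set[str]] = {}
    for p, c in [("g1", "g2"), ("g2", "g3"), ("g3", "g4"), ("g4", "g5")]:
        print(p, "->", c, "layers:", add_group_object(g, p, c))
    print("g5 -> g6 allowed?", is_allowed(g, "g5", "g6"))   # False: sixth layer
    print("g0 -> g1 allowed?", is_allowed(g, "g0", "g1"))   # False: sixth layer
    print("g5 -> g1 allowed?", is_allowed(g, "g5", "g1"))   # False: mutual use
```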

Examples

# Configure an IPv6 address object with the host address of 1::1.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network host address 1::1

# Configure an IPv6 address object with exact-matching host name pc3.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network host name pc3

# Configure an IPv6 address object with fuzzy-matching host name abc.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group1

[Sysname-obj-grp-ipv6-ipv6group1] network host name *abc*

# Configure an IPv6 address object with the IPv6 address of 1:1:1::1 and prefix length of 24.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network subnet 1:1:1::1 24

# Configure an IPv6 address object with the address range of 1:1:1::1 to 1:1:1::100.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network range 1:1:1::1 1:1:1::100

# Configure an IPv6 address object using object group ipv6group2.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network group-object ipv6group2

# Configure an IPv6 address object using user user1 in domain domain1.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network user user1 domain domain1

# Configure an IPv6 address object using user group usergroup1 in domain domain1.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network user-group usergroup1 domain domain1

network exclude (IPv4 address object group view)

Use network exclude to exclude an IPv4 address or a subnet from an address object.

Use undo network exclude to restore the default.

Syntax

object-id network exclude { ip-address | subnet ip-address { mask-length | mask } }

undo object-id network exclude { ip-address | subnet ip-address { mask-length | mask } }

Default

No IPv4 address or subnet in an address object is excluded.

Views

IPv4 address object group view

Predefined user roles

network-admin

context-admin

Parameters

object-id: Specifies an address object by its ID in the range of 1 to 4294967294. The specified address object must have been created.

ip-address: Specifies the IPv4 address to be excluded.

subnet ip-address { mask-length | mask }: Specifies the IPv4 address and mask of a subnet to be excluded. You can specify the mask length or specify the mask in dotted decimal notation. The mask length is in the range of 0 to 32.

Usage guidelines

You can execute this command multiple times to exclude multiple IPv4 addresses or subnets from an address object.

The configuration fails if either of the following conditions exists:

·     The specified address is the same as an existing excluded address or is contained in an existing excluded subnet.

·     The specified subnet contains an existing excluded address or overlaps with an existing excluded subnet.

Examples

# Configure an IPv4 address object with the IPv4 address of 192.166.0.0 and mask of 255.255.0.0. Exclude IPv4 address 192.166.0.10 and subnet 192.166.1.0/24 from the address object.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] 10 network subnet 192.166.0.0 255.255.0.0

[Sysname-obj-grp-ip-ipgroup] 10 network exclude 192.166.0.10

[Sysname-obj-grp-ip-ipgroup] 10 network exclude subnet 192.166.1.0 255.255.255.0

network exclude (IPv6 address object group view)

Use network exclude to exclude an IPv6 address or a subnet from an address object.

Use undo network exclude to restore the default.

Syntax

object-id network exclude { ipv6-address | subnet ipv6-address prefix-length }

undo object-id network exclude { ipv6-address | subnet ipv6-address prefix-length }

Default

No IPv6 address or subnet in an address object is excluded.

Views

IPv6 address object group view

Predefined user roles

network-admin

context-admin

Parameters

object-id: Specifies an address object by its ID in the range of 1 to 4294967294. The specified address object must have been created.

ipv6-address: Specifies the IPv6 address to be excluded.

subnet ipv6-address prefix-length: Specifies the IPv6 subnet to be excluded. The prefix length is in the range of 1 to 128.

Usage guidelines

You can execute this command multiple times to exclude multiple IPv6 addresses or subnets from an address object.

The configuration fails if either of the following conditions exists:

·     The specified address is the same as an existing excluded address or is contained in an existing excluded subnet.

·     The specified subnet contains an existing excluded address or overlaps with an existing excluded subnet.
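A validator for the two `network exclude` failure conditions above (the IPv4 and IPv6 guidelines are identical, and both are served here), plus a helper that computes what the address object still matches after its exclusions, as an added example that is not part of the H3C manual. Addresses are those from the manual's examples; the CLI-style text format accepted by `_to_network` is constructed for this example.

```python
import ipaddress


class ExclusionError(ValueError):
    """The `network exclude` configuration would be rejected."""


def _to_network(spec: str):
    """Parse CLI-style text: a bare address (becomes /32 or /128), 'addr/len' or 'addr/dotted-mask'."""
    if "/" not in spec:
        return ipaddress.ip_network(spec)
    addr, mask = spec.split("/", 1)
    return ipaddress.ip_network((addr, int(mask) if mask.isdigit() else mask), strict=False)


def add_exclusion(excluded: list, spec: str) -> list:
    """Model `object-id network exclude ...` against the existing exclusion list.

    Both failure conditions in the guidelines (an address equal to or contained
    in an existing exclusion; a subnet containing an excluded address or
    overlapping an excluded subnet) reduce to: the new entry overlaps an
    existing exclusion.
    """
    new = _to_network(spec)
    for old in excluded:
        if new.overlaps(old):
            raise ExclusionError(f"{spec} conflicts with existing exclusion {old}")
    excluded.append(new)
    return excluded


def is_valid_exclusion(excluded: list, spec: str) -> bool:
    """Dry run on a copy of the list; True if the exclusion would be accepted."""
    try:
        add_exclusion(list(excluded), spec)
        return True
    except ExclusionError:
        return False


def effective_blocks(object_subnet: str, excluded: list) -> list:
    """Address blocks the object still matches: its subnet minus every exclusion.

    CIDR blocks are either nested or disjoint, so only containment needs handling.
    """
    remaining = [_to_network(object_subnet)]
    for ex in excluded:
        nxt = []
        for blk in remaining:
            if ex.supernet_of(blk):          # whole block excluded (also covers ex == blk)
                continue
            if blk.supernet_of(ex):          # carve the exclusion out of the block
                nxt.extend(blk.address_exclude(ex))
            else:
                nxt.append(blk)
        remaining = nxt
    return sorted(remaining)


if __name__ == "__main__":
    # The manual's IPv4 example: object 192.166.0.0/255.255.0.0, two exclusions
    ex = add_exclusion(add_exclusion([], "192.166.0.10"), "192.166.1.0/255.255.255.0")
    print("exclude 192.166.1.5 ok?", is_valid_exclusion(ex, "192.166.1.5"))      # False
    print("exclude 192.166.0.0/24 ok?", is_valid_exclusion(ex, "192.166.0.0/24"))  # False
    blocks = effective_blocks("192.166.0.0/255.255.0.0", ex)
    print(len(blocks), "blocks,", sum(b.num_addresses for b in blocks), "addresses remain")
```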

Examples

# Configure an IPv6 address object with the IPv6 address of 1:1:1::1 and prefix length of 24. Exclude IPv6 address 1:1:1::10 and subnet 1:1:1::2:0 with a prefix length of 112 from the address object.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] 10 network subnet 1:1:1::1 24

[Sysname-obj-grp-ipv6-ipv6group] 10 network exclude 1:1:1::10

[Sysname-obj-grp-ipv6-ipv6group] 10 network exclude subnet 1:1:1::2:0 112

object description

Use object description to configure a description for an object.

Use undo object description to restore the default.

Syntax

object object-id description text

undo object object-id description

Default

No description is configured for an object.

Views

Object group view

Predefined user roles

network-admin

context-admin

Parameters

object-id: Specifies an object ID in the range of 0 to 4294967294. The object must already exist.

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Examples

# Configure the description of object 0 as This is a description for object 0.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] 0 network host address 1.2.3.4

[Sysname-obj-grp-ip-ipgroup] object 0 description This is a description for object 0

Related commands

object-group

object-group

Use object-group to create an object group and enter its view, or enter the view of an existing object group.

Use undo object-group to delete an object group.

Syntax

object-group { { ip | ipv6 } address | mac-address | service } object-group-name

undo object-group { { ip | ipv6 } address | mac-address | service } object-group-name

Default

Default object groups exist.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

ip address: Creates an IPv4 address object group.

ipv6 address: Creates an IPv6 address object group.

mac-address: Creates a MAC object group.

service: Creates a service object group.

object-group-name: Specifies an object group name, a case-insensitive string of 1 to 63 characters. The object group name must be globally unique.

Usage guidelines

The object-group command execution results vary with the specified object group.

·     If the specified group does not exist, the system creates a new object group and enters the object group view.

·     If the specified group exists but the group type is different from that in the command, the command fails.

The undo object-group command execution results vary with the specified object group.

·     If the specified group does not exist, the system executes the command without any system prompt.

·     If the specified group exists and the group type is the same as that in the command, the system deletes the group.

·     If the specified group exists but the group type is different from that in the command, the command fails.

·     If the specified object group is being used by an ACL or another object group, the command fails.

Default object groups cannot be deleted.

Examples

# Create an IPv4 address object group named ipgroup.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

# Create an IPv6 address object group named ipv6group.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

# Create a MAC object group named groupmac.

<Sysname> system-view

[Sysname] object-group mac-address groupmac

# Create a service object group named servicegroup.

<Sysname> system-view

[Sysname] object-group service servicegroup

object-group dns-aging

Use object-group dns-aging to enable aging of DNS-resolved IP addresses from host names.

Use undo object-group dns-aging to disable aging of DNS-resolved IP addresses from host names.

Syntax

object-group dns-aging [ time aging-time ]

undo object-group dns-aging

The following compatibility matrixes show the support of hardware platforms for this command:

F1000 series

Series | Models | Command compatibility
F1000-X-G5 series | F1000-A-G5, F1000-E-G5, F1000-H-G5, F1000-S-G5 | Yes
F1000-X-G5 series | F1000-C-G5, F1000-C-G5-LI | No
F1000-X-G3 series | F1000-A-G3, F1000-C-G3, F1000-E-G3, F1000-S-G3 | Yes
F1000-X-G2 series | F1000-A-G2, F1000-C-G2, F1000-E-G2, F1000-S-G2 | Yes
F1000-9X0-AI series | F1000-9390-AI, F1000-9385-AI, F1000-9380-AI, F1000-9370-AI, F1000-990-AI, F1000-980-AI, F1000-970-AI, F1000-960-AI, F1000-950-AI, F1000-930-AI, F1000-920-AI, F1000-910-AI, F1000-905-AI | Yes
F1000-9X0-AI series | F1000-9360-AI, F1000-9350-AI, F1000-9330-AI, F1000-9320-AI | No
F1000-C83X0 series | F1000-C8395, F1000-C8390, F1000-C8385, F1000-C8380 | Yes
F1000-C83X0 series | F1000-C8370, F1000-C8360, F1000-C8350, F1000-C8330 | No
F1000-C81X0 series | F1000-C8180, F1000-C8170, F1000-C8160, F1000-C8150, F1000-C8130, F1000-C8120, F1000-C8110 | Yes
F1000-7X0-HI series | F1000-770-HI, F1000-720-HI, F1000-710-HI | Yes
F1000-7X0-HI series | F1000-750-HI, F1000-740-HI, F1000-730-HI | No
F1000-C-X series | F1000-C-EI, F1000-C-HI, F1000-C-XI | Yes
F1000-C-X series | F1000-E-XI | No
F1000-V series | F1000-E-VG, F1000-S-VG | Yes
SecBlade IV | LSPM6FWD8, LSQM2FWDSC8 | No

F100 series

Series | Models | Command compatibility
F100-X-G5 series | F100-A-G5, F100-C-G5 | Yes
F100-X-G5 series | F100-E-G5, F100-M-G5, F100-S-G5 | No
F100-X-G3 series | F100-A-G3, F100-C-G3, F100-E-G3, F100-M-G3, F100-S-G3 | Yes
F100-X-G2 series | F100-A-G2, F100-C-G2, F100-E-G2, F100-M-G2, F100-S-G2 | Yes
F100-WiNet series | F100-A80-WiNet, F100-C80-WiNet, F100-C60-WiNet, F100-C50-WiNet, F100-S80-WiNet | Yes
F100-WiNet series | F100-A81-WiNet, F100-A91-WiNet | No
F100-C-A series | F100-C-A6, F100-C-A5, F100-C-A3, F100-C-A2, F100-C-A1, F100-C-A6-WL, F100-C-A5-W, F100-C-A3-W | Yes
F100-X-XI series | F100-A-EI, F100-A-HI, F100-A-SI, F100-C-EI, F100-C-HI, F100-C-XI, F100-E-EI, F100-S-HI, F100-S-XI | Yes

Default

Aging of DNS-resolved IP addresses from host names is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

time aging-time: Specifies the aging time in the range of 1 to 70000000 minutes. The default value is 120.

Usage guidelines

In load balancing scenarios where one host name maps to several IP addresses, the IP address resolved for the host name alternates among these mapped addresses. Upon every change, the object group module notifies the relevant policies (such as security policies) of the change, which causes the policies to be updated frequently and consumes memory. To resolve this issue, you can enable aging of DNS-resolved IP addresses from host names.

With this feature enabled, the system maintains an IP address group for each host name. If a resolved IP address is not in the group, the system adds the address to the group and notifies relevant policies of the change. If a resolved IP address is in the group, the system does not notify relevant policies.

As a best practice, set the aging time to be longer than the TTL of resolution records on the DNS server.
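A model of the per-host-name address group described above, as an added example that is not part of the H3C manual: policies are notified only when a resolved address is new to the group, and addresses not resolved again within the aging time are removed. It also shows why the aging time should exceed the DNS TTL: with an aging time shorter than the resolution interval the group flaps and notifications return. Timestamps (in minutes), the answer sets and the notification log are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple


@dataclass
class HostAddressGroup:
    """Addresses currently held for one host name, with last-resolved times."""
    aging_minutes: int = 120                                    # default aging time per the command reference
    last_seen: Dict[str, int] = field(default_factory=dict)     # address -> minute it was last resolved
    notifications: List[Tuple[str, str]] = field(default_factory=list)  # ("add"|"remove", address)

    def on_resolve(self, addresses: Sequence[str], now_min: int) -> List[str]:
        """Feed one DNS answer set; return the addresses that were new (and thus notified)."""
        added = []
        for a in addresses:
            if a not in self.last_seen:             # not in the group: add and notify policies
                self.notifications.append(("add", a))
                added.append(a)
            self.last_seen[a] = now_min             # already in the group: refresh, no notification
        self.age(now_min)
        return added

    def age(self, now_min: int) -> List[str]:
        """Remove (and notify) addresses not resolved within the aging time."""
        expired = [a for a, t in self.last_seen.items() if now_min - t > self.aging_minutes]
        for a in expired:
            del self.last_seen[a]
            self.notifications.append(("remove", a))
        return expired


def notifications_without_aging(answers: Sequence[Sequence[str]]) -> int:
    """Baseline with the feature disabled: every change of the resolved set is pushed to policies."""
    changes, prev = 0, None
    for ans in answers:
        cur = frozenset(ans)
        if cur != prev:
            changes += 1
        prev = cur
    return changes


def simulate(answers: Sequence[Sequence[str]], aging_minutes: int, interval_min: int) -> HostAddressGroup:
    """Resolve `answers` in order, one answer set every `interval_min` minutes."""
    g = HostAddressGroup(aging_minutes=aging_minutes)
    for i, ans in enumerate(answers):
        g.on_resolve(ans, now_min=i * interval_min)
    return g


# Constructed round-robin answers for www.a.com, alternating between two addresses
ROUND_ROBIN = [["169.0.0.10"], ["169.0.0.11"]] * 5

if __name__ == "__main__":
    print("disabled:", notifications_without_aging(ROUND_ROBIN), "notifications")
    print("aging 5 min, resolve every 1 min:", len(simulate(ROUND_ROBIN, 5, 1).notifications))
    print("aging 1 min, resolve every 2 min:", len(simulate(ROUND_ROBIN, 1, 2).notifications))
```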

Examples

# Enable aging of DNS-resolved IP addresses from host names and set the aging time to 5 minutes.

<Sysname> system-view

[Sysname] object-group dns-aging

[Sysname] object-group dns-aging time 5

object-group rename

Use object-group rename to rename an object group.

Syntax

object-group rename old-object-group-name new-object-group-name

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

old-object-group-name: Specifies the name of the object group to be renamed, a case-insensitive string of 1 to 63 characters.

new-object-group-name: Specifies a new name for the object group, a case-insensitive string of 1 to 63 characters. The object group name must be globally unique.

Usage guidelines

You can only rename non-default object groups.

Examples

# Rename object group ipgroup1 to ipgroup2.

<Sysname> system-view

[Sysname] object-group rename ipgroup1 ipgroup2

Related commands

object-group

security-zone

Use security-zone to specify a security zone for an IP address object group.

Use undo security-zone to restore the default.

Syntax

security-zone security-zone-name

undo security-zone

Default

No security zone is specified for an IP address object group.

Views

IPv4 address object group view

IPv6 address object group view

Predefined user roles

network-admin

context-admin

Parameters

security-zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters. The string cannot contain hyphens (-) and cannot be any.

Usage guidelines

This feature enables fast selection of IP address object groups when you specify IP address filtering criteria for a security policy from the Web interface. If a security policy uses an IP address object group specified with a security zone, you can specify only IP address object groups from the same or no security zone for the policy.

You can specify only one security zone for an IP address object group. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the security zone for IPv4 address object group 1 as Local.

<Sysname> system-view

[Sysname] object-group ip address 1

[Sysname-obj-grp-ip-1] security-zone Local

Related commands

object-group

service (service object group view)

Use service to configure a service object.

Use undo service to delete a service object.

Syntax

[ object-id ] service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] | group-object object-group-name }

undo service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] | group-object object-group-name }

undo object-id

Default

No service objects exist.

Views

Service object group view

Predefined user roles

network-admin

context-admin

Parameters

object-id: Configures an object ID in the range of 0 to 4294967294. If you do not configure an ID for the object, the system automatically assigns the object a multiple of 10 next to the greatest ID being used. For example, if the greatest ID is 22, the automatically assigned ID is 30.

protocol: Configures the protocol number in the range of 0 to 255, or the protocol name such as TCP, UDP, ICMP, and ICMPv6.

source: Configures a service object with a source port when the protocol is TCP or UDP.

destination: Configures a service object with a destination port when the protocol is TCP or UDP.

eq: Configures a port equal to the specified port.

lt: Configures a port smaller than the specified port.

gt: Configures a port greater than the specified port.

port: Specifies a port number in the range of 0 to 65535.

range port1 port2: Configures a service object with a port range. The value range for the port1 and port2 arguments is 0 to 65535.

icmp-type: Configures the ICMP message type in the range of 0 to 255.

icmp-code: Configures the ICMP message code in the range of 0 to 255.

icmpv6-type: Configures the ICMPv6 message type in the range of 0 to 255.

icmpv6-code: Configures the ICMPv6 message code in the range of 0 to 255.

group-object object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command fails if you use it to configure or change a service object so that it becomes identical to an existing object.

This command creates a service object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.

When you use the lt port option, follow these guidelines:

·     The value of port cannot be 0.

·     If the value of port is 1, the system configures the object with a port number of 0.

·     If the value of port is in the range of 2 to 65535, the system configures the object with a port number range of [0, port–1].

When you use the gt port option, follow these guidelines:

·     The value of port cannot be 65535.

·     If the value of port is 65534, the system configures the object with a port number of 65535.

·     If the value of port is in the range of 0 to 65533, the system configures the object with a port number range of [port+1, 65535].

When you use the range port1 port2 option, follow these guidelines:

·     If port1 is equal to port2, the system configures the object with the port number port1.

·     If port1 is smaller than port2, the system configures the object with the port number range.

·     If port1 is greater than port2, the system changes the range to [port2, port1] and configures the object with the changed port number range.

·     If port1 is 0, the range is displayed as lt port2+1.

·     If port2 is 65535, the range is displayed as gt port1–1.
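The lt, gt and range rules above all resolve to one inclusive port range, and the "identical object" check in the usage guidelines is easiest to reason about on that normalized form. The following helper is an added example written for this page, not H3C code; it applies the documented rules, and the display rule for a range that covers 0 to 65535 (which the reference does not state) is an assumption marked in a comment.

```python
# Hypothetical helper modelling the documented port rules; not H3C code.
PORT_MIN, PORT_MAX = 0, 65535

def _check_port(port):
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError(f"port {port} is outside {PORT_MIN}-{PORT_MAX}")

def normalize_port_spec(operator, port1, port2=None):
    """Return the inclusive (low, high) range an eq/lt/gt/range spec resolves to."""
    _check_port(port1)
    if operator == "eq":
        return (port1, port1)
    if operator == "lt":
        if port1 == PORT_MIN:
            raise ValueError("lt 0 is rejected")       # no port is smaller than 0
        return (PORT_MIN, port1 - 1)                   # lt 1 -> (0, 0); lt n -> [0, n-1]
    if operator == "gt":
        if port1 == PORT_MAX:
            raise ValueError("gt 65535 is rejected")   # no port is greater than 65535
        return (port1 + 1, PORT_MAX)                   # gt 65534 -> (65535, 65535)
    if operator == "range":
        if port2 is None:
            raise ValueError("range needs two ports")
        _check_port(port2)
        return (min(port1, port2), max(port1, port2))  # port1 > port2 is swapped, not rejected
    raise ValueError(f"unknown operator {operator!r}")

def display_port_spec(low, high):
    """Render a normalized range the way the reference says it is displayed."""
    if low == high:
        return f"eq {low}"
    if low == PORT_MIN and high == PORT_MAX:
        return f"range {low} {high}"  # assumption: neither lt 65536 nor gt -1 is a valid port
    if low == PORT_MIN:
        return f"lt {high + 1}"
    if high == PORT_MAX:
        return f"gt {low - 1}"
    return f"range {low} {high}"

def same_service(spec_a, spec_b):
    """True when two specs resolve to the same object, which the command rejects."""
    return normalize_port_spec(*spec_a) == normalize_port_spec(*spec_b)
```

For instance, `destination lt 1025` and `destination range 0 1024` normalize to the same range, so configuring both in one group fails.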

When you use the group-object object-group-name option, follow these guidelines:

·     The object group to be used must be a service object group.

·     If the specified object group does not exist, the system creates a service object group with the name you specified and uses the object group for the object.

·     Two object groups cannot use each other at the same time.

·     The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.
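The nesting rules for group-object can be checked before a change is pushed to the device. The validator below is an added example, not H3C code: it counts layers as the reference does (a chain of groups 1 through 5 is five layers) and rejects a reference that would make two groups use each other; rejecting indirect cycles through intermediate groups is an assumption beyond the stated rule.

```python
# Hypothetical validator for the group-object nesting rules; not H3C code.
from collections import defaultdict

MAX_LAYERS = 5  # maximum object group hierarchy depth stated in the reference

class ServiceGroupGraph:
    """Tracks which service object groups reference which via group-object."""

    def __init__(self):
        self.uses = defaultdict(set)     # parent -> groups it references
        self.used_by = defaultdict(set)  # child -> groups referencing it

    def _depth_down(self, name):
        # layers in the longest chain that starts at name and descends
        return 1 + max((self._depth_down(c) for c in self.uses[name]), default=0)

    def _depth_up(self, name):
        # layers in the longest chain that ends at name, counted from the top
        return 1 + max((self._depth_up(p) for p in self.used_by[name]), default=0)

    def _reaches(self, start, target):
        # True if target is reachable from start by following group-object references
        stack, seen = [start], set()
        while stack:
            node = stack.pop()
            if node == target:
                return True
            if node not in seen:
                seen.add(node)
                stack.extend(self.uses[node])
        return False

    def check_group_object(self, parent, child):
        """Return None if parent may use child, otherwise the reason it is rejected."""
        if parent == child:
            return "a group cannot use itself"
        if self._reaches(child, parent):
            return "groups cannot use each other (assumption: also indirectly)"
        if self._depth_up(parent) + self._depth_down(child) > MAX_LAYERS:
            return f"nesting would exceed {MAX_LAYERS} layers"
        return None

    def add_group_object(self, parent, child):
        reason = self.check_group_object(parent, child)
        if reason is not None:
            raise ValueError(f"{parent} -> {child}: {reason}")
        self.uses[parent].add(child)
        self.used_by[child].add(parent)
```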

Examples

# Configure a service object with a protocol number of 100.

<Sysname> system-view

[Sysname] object-group service servicegroup

[Sysname-obj-grp-service-servicegroup] service 100

# Configure a service object with the source and destination port numbers for the TCP service.

<Sysname> system-view

[Sysname] object-group service servicegroup

[Sysname-obj-grp-service-servicegroup] service tcp source eq 100 destination range 10 100

# Configure a service object with the message type and code for the ICMP service.

<Sysname> system-view

[Sysname] object-group service servicegroup

[Sysname-obj-grp-service-servicegroup] service icmp 100 150

# Configure a service object using object group servicegroup2.

<Sysname> system-view

[Sysname] object-group service servicegroup

[Sysname-obj-grp-service-servicegroup] service group-object servicegroup2
