This help contains the following topics:
An object group is a group of objects that can be used by other service modules to identify packets. Object groups are divided into the following types:
IPv4 address object group—A group of IPv4 address objects used to match the IPv4 address in a packet.
IPv6 address object group—A group of IPv6 address objects used to match the IPv6 address in a packet.
MAC address object group—A group of MAC address objects used to match the MAC address in a packet.
Service object group—A group of service objects used to match the protocol type and protocol characteristics (such as TCP/UDP source/destination port and ICMP message type and code) in a packet.
A packet is considered matching an object group if it matches an object in the group.
For simplicity purposes, object groups support object group nesting to allow one object group to use another object group as an object.
You can implement a service based on the time of the day by applying a time range to it. A time-based service takes effect only in time periods specified by the time range. If a time range does not exist, the service based on the time range does not take effect.
The following basic types of time ranges are available:
Periodic time range—Recurs periodically on a day or days of the week.
Absolute time range—Represents only a period of time and does not recur.
A time range is uniquely identified by the time range name. You can create a maximum of 1024 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements. The active period of a time range is calculated as follows:
Combining all periodic statements.
Combining all absolute statements.
Taking the intersection of the two statement sets as the active period of the time range.
A NAT address group contains a group of IP segments or port ranges. It can be used by NAT for dynamic NAT translation.
For the PAT mode, you must specify address group members and a port range. For NAT444 dynamic translation, you must also specify the port block size and configure port block extending.
For the NO-PAT mode, you must specify address group members.
For more information about the PAT and NO-PAT modes, see "NAT."
NAT address group probing uses an NQA template to detect the reachability of the addresses in the group.
The device periodically sends probe packets to the specified destination address in the NQA template. The source IP addresses in the probe packets are the IP addresses in the NAT address group.
If the device receives a response packet for a probe, the probed source IP address can be used for address translation.
If the device does not receive a response packet for a probe, the probed source IP address will be excluded from address translation temporarily. However, in the next NQA operation period, this excluded IP address is also probed. If a response is received in this round, the IP address can be used for address translation.
An AFT address group contains a group of IP segments. It can be used by AFT for dynamic AFT translation. For more information about AFT, see "AFT."
Support for the AFT address group depends on the device model.
With high availability configured, specify a VRRP group for each AFT address group for the master in the VRRP group to respond to ARP requests with the virtual IP address and MAC address. Support for this feature varies by device model.
Security policies support filtering packets by source and destination locations. Each location defines a mapping between a country, province, or city and a set of IP address ranges. A packet is considered from or to a location if the source or destination IP address of the packet is within the IP range specified for the location.
The following types of locations are available:
Predefined locations—Defined in the geographic location signature file loaded on the device.
User-defined locations—Defined by users manually.
You can add multiple locations to a location group for security policies to process packets by location group. Packets matching a location in a location group are considered matching the location group.
In load-sharing scenarios where a host name corresponds to multiple IP addresses, the IP address converted from a host name might change frequently. By default, the object group module notifies relevant policies (including security policies) every time the converted address changes, which might cause frequent policy acceleration and consume many memory resources.
To resolve this issue, you can enable DNS aging for IP addresses converted from a host name to age out.
With this feature enabled, the object group module maintains an IP address group for each host name. If an address converted from a host name does not exist in the group, the system adds the address to the group and notifies the new IP address range to relevant policies. If a converted address already exists in the group, the system does not notify policies but updates the address aging time instead. After an address ages out, the system notifies the relevant policies of the address deletion. This reduces policy acceleration and memory consumption.
Support for DNS aging depends on the device model.
The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.
Two object groups cannot use each other at the same time.
You can specify multiple NQA templates for one NAT address group. An IP address in the address group is identified as reachable as long as one probe for this IP address succeeds.
Make sure the NQA template used for NAT address group probing does not have source IP address configured.
User-defined locations cannot use the same name as a predefined location.
You cannot assign overlapping IPv4 address ranges for different user-defined locations.
If an IPv4 address range specified for a user-defined location overlaps with an address range of a predefined location, the predefined location does not take effect.
Two location groups cannot use each other at the same time. For example, if location group a uses location group b, group b cannot use group a.
The system supports a maximum of three location group hierarchy layers. For example, if location groups 1 and 2 use groups 2 and 3, respectively, group 3 cannot use another group and group 1 cannot be used by another group.
Select Objects > Object Groups > IPv4 Address Object Groups.
Click Create.
Configure the IPv4 address object group.
Table-1 Configuration items for creating an IPv4 address object group
Item | Description |
Name | Object group name, a case-insensitive string of 1 to 63 characters. Make sure the object group name is globally unique. |
Description | Object group description, a case-sensitive string of 1 to 127 characters. |
Security zone | Security zone to which the address object group belongs. |
Click Add in the Objects section to add objects.
Table-2 Configuring items for adding an object
Item | Description |
Object | Object type. Options include:
|
Excluded addresses | Excluded IPv4 addresses in the address object. This field is optional and is only available when the object type is network segment, IP address range, or IP address/wildcard mask. |
Description | Object description, a case-sensitive string of 1 to 127 characters. |
Click Apply. The newly created IPv4 address object group will be displayed on the IPv4 Address Object Groups page.
Select Objects > Object Groups > IPv6 Address Object Groups.
Click Create.
Configure the IPv6 address object group.
Table-3 Configuration items for creating an IPv6 address object group
Item | Description |
Name | Object group name, a case-insensitive string of 1 to 63 characters. Make sure the object group name is globally unique. |
Description | Object group description, a case-sensitive string of 1 to 127 characters. |
Security zone | Security zone to which the address object group belongs. |
Click Add in the Objects section to add objects.
Table-4 Configuring items for adding an object
Item | Description |
Object | Object type. Options include:
|
Excluded addresses | Excluded IPv6 addresses in the address object. This field is optional and is only available when the object type is network segment or IP address range. |
Description | Object description, a case-sensitive string of 1 to 127 characters. |
Click Apply. The newly created IPv6 address object group will be displayed on the IPv6 Address Object Groups page.
Select Objects > Object Groups > MAC Address Object Groups.
Click Create.
Configure the MAC address object group.
Table-5 Configuration items for creating a MAC address object group
Item | Description |
Name | Object group name, a case-insensitive string of 1 to 63 characters. Make sure the object group name is globally unique. |
Description | Object group description, a case-sensitive string of 1 to 127 characters. |
Click Add in the Objects section to add objects.
Table-6 Configuring items for adding an object
Item | Description |
Type | Object type. Options include:
|
Object group | Name of the referenced MAC address object group, a case-insensitive string of 1 to 63 characters. This field is available only when the object type is set to object group. |
MAC address | MAC address in the H-H-H format. This field is available only when the object type is MAC address. |
Description | Object description, a case-sensitive string of 1 to 127 characters. |
Click Apply. The newly created MAC address object group will be displayed on the MAC Address Object Groups page.
Select Objects > Object Groups > Service Object Groups.
Click Create.
Configure the service object group.
Table-7 Configuration items for creating a service object group
Item | Description |
Name | Object group name, a case-insensitive string of 1 to 63 characters. Make sure the object group name is globally unique. |
Description | Object group description, a case-sensitive string of 1 to 127 characters. |
Click Add in the Objects section to add objects.
Table-8 Configuring items for adding an object
Item | Description |
Object | Object type. Options include:
|
Type | Protocol type. Options include:
|
Protocol number | IP protocol number in the range of 0 to 255. This field is available only when the protocol type is IP protocol. |
Message type | ICMP/ICMPv6 message type in the range of 0 to 255. This field is available only when the protocol type is ICMP or ICMPv6. |
Message code | ICMP/ICMPv6 message code in the range of 0 to 255. This field is available only when the protocol type is ICMP or ICMPv6 and the message type is configured. |
Source port | Source port range in the range. Both the start port number and end port number are in the range of 0 to 65535. This field is available only when the protocol type is TCP, UDP, or SCTP. |
Destination port | Destination port range in the range. Both the start port number and end port number are in the range of 0 to 65535. This field is available only when the protocol type is TCP, UDP, or SCTP. |
Description | Object description, a case-sensitive string of 1 to 127 characters. |
Click Apply. The newly created service address object group will be displayed on the Service Address Object Groups page.
Select Objects > Object Groups > Location.
Click Create.
Configure the location.
Table-9 Configuration items for creating a location
Item | Description |
Name | Location name, a case-insensitive string of 1 to 63 characters. Hyphens (-) are not supported. |
Longitude | Location longitude in the range of –180.00 to 180.00, measured in degrees. Eastern longitude is positive, and western longitude is negative. |
Latitude | Location latitude in the range of –90.00 to 90.00, measured in degrees. Northern latitude is positive, and southern latitude is negative. |
Description | Location description, a case-sensitive string of 1 to 127 characters. |
IPv4 address | Location IPv4 address, a single address or an address range. |
Click Apply. The newly created location will be displayed on the Locations page.
Select Objects > Object Groups > Location.
Click the Location Groups tab.
Click Create.
Configure the location group.
Table-10 Configuration items for creating a location group
Item | Description |
Location Group Name | Location group name, a case-insensitive string of 1 to 63 characters. Hyphens (-) are not allowed. |
Description | Location group description, a case-sensitive string of 1 to 127 characters. |
Selected Locations and Location Groups | Location group members. |
Click Apply. The newly created location group will be displayed on the Location Groups page.
Select Objects > Object Groups > NAT Address Groups.
Click Create.
Configure the NAT address group.
Table-11 Configuration items for creating a NAT address group
Item | Description |
Address group ID | Address group ID. |
Address group name | Address group name. |
Description | Address group description. |
VRRP group | With a VRRP group specified, the master device in the VRRP group responds to ARP requests using the virtual IP address and virtual MAC address. Specify a VRRP group for an environment that requires high availability. Support for this field depends on the device model. |
Port range | Make sure all public IP addresses in this NAT address group have their ports for NAT within the specified port range. |
Port block size | Number of ports included in the allocated port block. When the port resources in the allocated port block are exhausted (all ports are in use), if the corresponding private IP address initiates a new connection to the public network, it will not be able to obtain a port from the allocated port block. |
Number of extended port blocks | When the port resources in the allocated port block are exhausted (all ports are in use), you can perform incremental port block allocation for the corresponding private IP address. |
Address probe | This function is used to detect the availability of addresses in the NAT address group, and it is implemented by referencing an NQA template in the address pool. This function only detects the availability of address members used for outbound address translation. |
Address group members | When the system performs address translation for data packets reaching the external network, the source address of the packets will be converted to one of the addresses in the address group. |
Exclude address group members | If certain address members cannot be used for address translation, exclude the IP addresses from address translation. |
Click Apply.
Select Objects > Object Groups > AFT Address Groups.
Click Create.
Configure the AFT address group.
Table-12 Configuration items for creating an AFT address group
Item | Description |
Address group ID | Address group ID. |
VRRP group | With a VRRP group specified, the master device in the VRRP group responds to ARP requests using the virtual IP address and virtual MAC address. Specify a VRRP group for an environment that requires high availability. Support for this field depends on the device model. |
Group members | When the system performs address translation for data packets reaching the external network, the source address of the packets will be converted to one of the addresses in the address group. |
Click Apply.
Select Objects > Object Groups > AFT Address Groups.
Click Create.
Configure the AFT address group.
Table-13 Configuration items for creating an AFT address group
Item | Description |
Address group ID | Address group ID. |
VRRP group | With a VRRP group specified, the master device in the VRRP group responds to ARP requests using the virtual IP address and virtual MAC address. Specify a VRRP group for an environment that requires high availability. Support for this field depends on the device model. |
Group members | When the system performs address translation for data packets reaching the external network, the source address of the packets will be converted to one of the addresses in the address group. |
Click Apply.