Understanding Predefined Objects for vGW Series Firewall Policy Terms

This topic focuses primarily on the vGW Series predefined objects that you can use for source and destination terms in firewall policy rules. It summarizes the various ways in which you can specify addresses for these terms.

Defining and Selecting Source and Destination Terms for Policy Rules

To create firewall policies, you specify rules. You add inbound and outbound rules to a policy to specify the source and destination of traffic. You select a value for the source or the destination of a term from the list of existing objects that is displayed when you right-click the rule numbers column in the Inbound (Sources) and Outbound (Destinations) parts of a policy.

vGW Series provides the following ways in which you can define the addresses for a rule’s source or destination terms:

Predefined Global IP Address Objects

vGW Series Release 5.5 introduces support for IPv6, including configuration of policies on IPv6 traffic. vGW Series provides the following predefined objects that allow you to refer to IP addresses collectively by type, whether IPv4 addresses or IPv6 addresses, in a policy rule’s source and destination terms:

Any

Matches any IPv4 and IPv6 address.

Any-IPv4

Matches any IPv4 address.

Any-IPv6

Matches any IPv6 address.

In releases earlier than version 5.5, before vGW Series supported IPv6, the term Any referred to any IPv4 address. In environments in which not all vGW Series components are at version 5.5 or later, the term Any also refers to any IPv4 address: it reverts to the meaning it had in environments that support only IPv4 traffic. For more information about how Any is interpreted in environments with mixed vGW Series components, see IPv6 Support in Homogeneous and Heterogeneous vGW Series Environments.

Warning: All vGW Series components must be at version 5.5 or later for you to be able to create policies on IPv6 traffic.
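
The following Python sketch models how the meaning of Any depends on component versions, so that you can check which rules lose IPv6 coverage in a mixed environment. It is an added example, not vGW Series code or a vGW Series API. The component names, the rule dictionaries, and the choice to raise an error for Any-IPv6 in a mixed environment are assumptions made for illustration.

```python
import ipaddress

IPV6_MIN = (5, 5)  # release that introduced IPv6 support, per this topic

def parse_version(text):
    """Turn '5.5' or '5.0.2' into a comparable (major, minor) tuple."""
    parts = text.split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)

def ipv6_capable(component_versions):
    """True only when every component is at version 5.5 or later."""
    return all(parse_version(v) >= IPV6_MIN for v in component_versions.values())

def families(term, component_versions):
    """IP versions (4, 6) that a predefined global object covers here."""
    capable = ipv6_capable(component_versions)
    if term == "Any":
        return {4, 6} if capable else {4}  # reverts to the IPv4-only meaning
    if term == "Any-IPv4":
        return {4}
    if term == "Any-IPv6":
        if not capable:  # modelling assumption: treat the warning as an error
            raise ValueError("IPv6 policies need all components at 5.5 or later")
        return {6}
    raise KeyError(term)

def term_matches(term, address, component_versions):
    """Does the address fall under the term in this environment?"""
    version = ipaddress.ip_address(address).version
    return version in families(term, component_versions)

def audit(rules, component_versions):
    """List (rule id, side) pairs where Any does not cover IPv6 addresses."""
    findings = []
    for rule in rules:
        for side in ("source", "destination"):
            if rule[side] == "Any" and 6 not in families("Any", component_versions):
                findings.append((rule["id"], side))
    return findings

# Constructed sample data: hypothetical component names and rules.
UPGRADED = {"management": "5.5", "security-vm-1": "5.5"}
MIXED = {"management": "5.5", "security-vm-1": "5.0"}
RULES = [
    {"id": 1, "source": "Any", "destination": "Any-IPv4"},
    {"id": 2, "source": "Any-IPv4", "destination": "Any"},
]
```

Running audit(RULES, MIXED) lists the terms to review before you rely on Any for IPv6 addresses; the same call with UPGRADED returns an empty list.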

Predefined Network Objects

vGW Series provides predefined network objects for well-known IP address ranges and prefixes that you can use in policy rule terms for either source or destination addresses. It also provides network objects for other IPv6 and IPv4 addresses. This section covers both groups.

Note: Prior to vGW Series Release 5.5, you used the Settings module Security Settings > Global Settings Rules pane to control broadcast and multicast settings. As of Release 5.5, you can no longer set these parameters from the Global Settings Rules pane. Rather, you must use the corresponding network object in a policy rule to control the firewall behavior.

Predefined Network Objects for Well-Known IP Addresses

vGW Series provides the following predefined network objects that you can use in policy rule terms as either source or destination addresses:

Additional IPv4 and IPv6 Predefined Network Objects
