Network

A network object represents one or more IP addresses. You can use network objects and groups in various places, including access control policies, network variables, identity rules, network discovery rules, event searches, reports, identity policies, and so on.

When you configure an option that requires a network object, the list is automatically filtered to show only those objects that are valid for the option. For example, some options require host objects, while other options require subnets.

A network object can be one of the following types:

Host

A single IP address.

IPv4 example:

209.165.200.225

IPv6 example:

2001:DB8::0DB8:800:200C:417A or 2001:DB8:0:0:0DB8:800:200C:417A

Range

A range of IP addresses.

IPv4 example:

209.165.200.225-209.165.200.250

IPv6 example:

2001:db8:0:cd30::1-2001:db8:0:cd30::1000

Network

An address block, also known as a subnet.

IPv4 example:

209.165.200.224/27

IPv6 example:

2001:DB8:0:CD30::/60

Note

Security Intelligence ignores IP address blocks using a /0 netmask.

FQDN

A single fully-qualified domain name (FQDN). You can limit FQDN resolution to IPv4 address only, IPv6 address only, or both IPv4 and IPv6 addresses. FQDNs must begin and end with a digit or letter. Only letters, digits, and hyphens are allowed as internal characters in an FQDN.

For example:

  • www.example.com
Note

You can use FQDN objects in access control rules and prefilter rules, or manual NAT rules, only. The rules match the IP address obtained for the FQDN through a DNS lookup. To use an FQDN network object, ensure you have configured the DNS server settings in DNS Server Group and the DNS platform settings in DNS.

You cannot use FDQN network objects in identity rules.

Group

A group of network objects or other network object groups. You can create nested groups by adding one network object group to another network object group. You can nest up to 10 levels of groups.

Note

You can add up to 100 network literals in a network object. Additionally, each nested network object group can contain a maximum of 100 network literals.

If you are using Cloud-delivered Firewall Management Center

When you create a network object or group, the object is replicated in the Objects > FTD Network Objects page in Cisco Security Cloud Control and vice-versa.

You can use the objects on the Objects > FTD Network Objects page when specifying networks while configuring other Security Cloud Control-managed products, such as ASA or FDM.

Changes you make to network objects or groups in either list are reflected in the object or group instance in both lists. Deleting an object or group from either list also deletes its corresponding object or group from the other list.

Exception: If an object created on the Security Cloud Control list has the same name as an existing object on the Cloud-delivered Firewall Management Center list, the object will not be replicated on the Cloud-delivered Firewall Management Center list.