November 13, 2024

Reusable Objects – Cisco Network Discovery Policy

Reusable Objects

Managing rules by raw IP address becomes cumbersome once an access control policy grows to thousands of rules. If a rule references a named object instead, you do not need to remove the old rule and add a new one to reflect a changed IP address; you simply edit the value of the object. After you redeploy the policy, the new object values are applied automatically throughout the ruleset.

Creating named objects for network resources and reusing them in access control or discovery rules is optional; however, it helps you manage configurations in the long term. For example, in your network discovery policy, you can exclude all the load balancers from being monitored by Secure Firewall. Without objects, you would add their IP addresses to a discovery rule one by one, and whenever an address changed you would have to remove the rule and add a new one to reflect the change.

Secure Firewall allows you to create named objects for network addresses, port numbers, interfaces, VLAN tags, URLs, time ranges, access lists, and many other variable components of a policy. You can also group multiple objects into a single configuration, called an object group. Furthermore, you can include an object group inside another object group; this is called a nested object.

You can add, delete, and modify an object by navigating to Objects > Object Management in the GUI. The left panel of the Object Management page lists the component types that you can turn into objects. A management center comes with predefined objects based on well-known addresses and port numbers; you can use them in a policy but cannot modify their values.
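The mechanics the preceding paragraphs describe (a rule that references an object by name, nested object groups, and values that are resolved only at deployment) can be modelled in a few lines. The following Python is an added illustration written for this page, not Secure Firewall or management center code; the object names, addresses, the `load-balancers` group and the `DiscoveryRule`/`deploy` helpers are all constructed for the example. It goes slightly beyond the text by rejecting a group that, through nesting, refers back to itself, which is the one failure mode nesting introduces.

```python
"""Model of reusable network objects, nested object groups and a
discovery-exclusion rule.

Added illustration only; the names and addresses below are constructed
sample data, not Secure Firewall defaults.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class NetworkObject:
    """A named object holding one or more host or CIDR values."""
    name: str
    values: List[str]


@dataclass
class ObjectGroup:
    """A named group whose members are objects or other groups (nesting)."""
    name: str
    members: List[str]


@dataclass
class ObjectStore:
    objects: Dict[str, NetworkObject] = field(default_factory=dict)
    groups: Dict[str, ObjectGroup] = field(default_factory=dict)

    def add(self, item: Union[NetworkObject, ObjectGroup]) -> None:
        if isinstance(item, NetworkObject):
            self.objects[item.name] = item
        else:
            self.groups[item.name] = item

    def resolve(self, name: str, _path: Set[str] = frozenset()) -> Set[IPNetwork]:
        """Expand a name into concrete networks, following nested groups.
        _path holds the names on the current nesting path, so a group that
        (directly or indirectly) contains itself is rejected rather than
        expanded forever."""
        if name in _path:
            raise ValueError(f"circular object group reference at {name!r}")
        path = set(_path) | {name}
        if name in self.objects:
            return {ipaddress.ip_network(v, strict=False)
                    for v in self.objects[name].values}
        if name in self.groups:
            nets: Set[IPNetwork] = set()
            for member in self.groups[name].members:
                nets |= self.resolve(member, path)
            return nets
        raise KeyError(f"unknown object {name!r}")


@dataclass
class DiscoveryRule:
    """A discovery rule that references an object by name, not by address."""
    action: str          # "monitor" or "exclude"
    object_name: str


def deploy(store: ObjectStore, rules: List[DiscoveryRule]) -> List[Tuple[str, Set[IPNetwork]]]:
    """Deployment resolves each rule's object into concrete networks.
    The rule text is untouched; only the resolved values change."""
    return [(r.action, store.resolve(r.object_name)) for r in rules]


def is_monitored(deployed: List[Tuple[str, Set[IPNetwork]]], ip: str) -> bool:
    """First matching rule wins; anything not excluded is monitored."""
    addr = ipaddress.ip_address(ip)
    for action, nets in deployed:
        if any(addr in n for n in nets):
            return action != "exclude"
    return True


def build_demo_store() -> ObjectStore:
    # Constructed sample objects: two load balancer pools, nested two levels deep.
    store = ObjectStore()
    store.add(NetworkObject("lb-dc1", ["10.1.1.10", "10.1.1.11"]))
    store.add(NetworkObject("lb-dc2", ["10.2.0.0/29"]))
    store.add(ObjectGroup("load-balancers-dc1", ["lb-dc1"]))
    store.add(ObjectGroup("load-balancers", ["load-balancers-dc1", "lb-dc2"]))
    return store


def demo() -> Dict[str, bool]:
    """Show that editing the object, not the rule, moves the exclusion."""
    store = build_demo_store()
    rules = [DiscoveryRule("exclude", "load-balancers")]
    before = deploy(store, rules)
    store.objects["lb-dc1"].values = ["10.1.1.20"]   # a load balancer was re-addressed
    after = deploy(store, rules)                     # redeploy; the rule is unchanged
    return {
        "old_ip_excluded_before": not is_monitored(before, "10.1.1.10"),
        "old_ip_excluded_after": not is_monitored(after, "10.1.1.10"),
        "new_ip_excluded_before": not is_monitored(before, "10.1.1.20"),
        "new_ip_excluded_after": not is_monitored(after, "10.1.1.20"),
        "nested_member_excluded": not is_monitored(after, "10.2.0.3"),
        "unrelated_host_excluded": not is_monitored(after, "192.168.5.5"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `deploy` is that rules are stored as references and resolved to addresses only when the policy is pushed, which is exactly why a value change in one object propagates to every rule that names it. The cycle check in `resolve` is the price of allowing nested groups: without it, a group that is accidentally added to one of its own members would never finish expanding.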

Figure 9-7 shows a list of network objects as an example. If an object is modifiable, it provides an option (a pencil icon) to edit.


Figure 9-7 Network Objects

To add an object of a particular type, select the object type from the left panel. For example, Figure 9-8 and Figure 9-9 show the configuration windows for a network object and a port object, respectively. You can also create an object on the fly directly from the rule editor window, as shown in Figure 9-11 later in the chapter.


Figure 9-8 Network Object Configuration Window


Figure 9-9 Port Object Configuration Window

Figure 9-10 Default Rule for a Network Discovery Policy


Figure 9-11 Adding a Rule to Exclude a Network Object
