topic Re: FTD Object-Group Wildcards in Network Security

FTD Object-Group Wildcards

JimWicks — Tue, 25 Apr 2023 19:55:04 GMT

Hello all, I am trying to define FTD1150 using Firepower Device Manager and I want to permit deivces on any of my subnets with the same 4th octet at the host-portion of the address, so for example matching any from 10.1.1.250/24, 10.1.2.250/24, 10.1.3.250/24, etc and I was hoping to use a mask on the network-object-group to define this in a single rule like you would on an ACL using "0.0.255.0"

Unfortunately the only option in network-object config GUI in FDM allows for the mask to be defined as a prefix-length and not a 32-bit mask and therefore is my only option to define all (several hundred) host-objects then bundle them all under a network-group to configure the permit access-policy or is there a more elegant method that I missing ?

Thanks.

Re: FTD Object-Group Wildcards

MHM Cisco World — Tue, 25 Apr 2023 20:09:00 GMT

If I understand it correctly then you can use

0.0.3.255 as wildcard this will include all host from all subnet.

Re: FTD Object-Group Wildcards

JimWicks — Tue, 25 Apr 2023 20:17:38 GMT

Unfortunately I am not looking to match all hosts from all subnets, I only want the host with 4th octet=250 from all subnets and hence defining the network object with a /24 won't work and the host-object does not allow a mask to be configured.

Re: FTD Object-Group Wildcards

MHM Cisco World — Tue, 25 Apr 2023 20:24:58 GMT

Config object network for each host in each subnet

Then config object group include all object network and use it in acl.