Understanding of group-object within object-group

mahesh18 — Tue, 12 Mar 2019 02:04:43 GMT

Hi Everyone,

I know about object-group network and we define network object host under them.

But config below shows

when i run command sh run object-group id X_servers it shows

sh run object-group id X_Servers

object-group network X_Servers

network-object host 192.168.50.8

group-object X_DC

network-object host 192.168.50.10

network-object host 192.168.50.18

network-object host 192.168.50.9

network-object host 192.168.50.66

network-object host 192.168.50.19

network-object host 192.168.50.78

network-object host xyz

network-object host 192.168.50.77

group-object X_ES

network-object host 192.168.50.14

network-object host 192.168.50.55

network-object host 192.168.50.152

Need to understand what are group-objects here and why we use them?

Regards

Mahesh

Re: Understanding of group-object within object-group

Jouni Forss — Fri, 28 Jun 2013 20:51:31 GMT

Hi Mahesh,

The "group-object" essentially defines an "object-group" inside another "object-group"

Take this example from my own firewall that I just did

object-group network TEST-1

network-object host 1.1.1.1

network-object host 1.1.1.2

network-object host 1.1.1.3

object-group network TEST-2

network-object host 1.1.1.4

network-object host 1.1.1.5

network-object host 1.1.1.6

object-group network TEST-COMBINED

group-object TEST-1

group-object TEST-2

access-list TEST extended permit ip any object-group TEST-COMBINED

Then we can have a look at the actual "access-list" in opened form

show access-list TEST

access-list TEST line 2 extended permit ip any object-group TEST-COMBINED 0x26d4a4c0

access-list TEST line 2 extended permit ip any host 1.1.1.1 (hitcnt=0) 0x6e3aac07

access-list TEST line 2 extended permit ip any host 1.1.1.2 (hitcnt=0) 0xfbaa7dde

access-list TEST line 2 extended permit ip any host 1.1.1.3 (hitcnt=0) 0x110123ec

access-list TEST line 2 extended permit ip any host 1.1.1.4 (hitcnt=0) 0x3c83a140

access-list TEST line 2 extended permit ip any host 1.1.1.5 (hitcnt=0) 0x7f20bf16

access-list TEST line 2 extended permit ip any host 1.1.1.6 (hitcnt=0) 0x65046d97

So as you can see, we have configured 2 "object-group network" named "TEST-1" and "TEST-2". Then we have configured an "object-group" called "TEST-COMBINED" and added the abovementioned 2 "object-group" under it by using the command "group-object".

Then we use that single "object-group" in an ACL.

Why would we use them? Well personally I wouldnt and I dont

But I would have to imagine that if you had several groups of hosts/networks/servers that you had grouped together in their own separate "object-group" and then would want to also include all those hosts/networks/servers in some "access-list" you could then first group them inside another "object-group" and use this created "object-group" to configure the ACL rule rather than use multiple lines of ACLs with all the different "object-group"

But as I said, I have never really used this. When configuring the ASA on the CLI side this would make my life a lot harder. I would imagine that some people using the ASDM might use this more but I dont see any added benefit in it for me personally.

In your above case you could use the commands

show run object-group id X_DC

show run object-group id X_ES

To view the contents of those "object-group"

Hope this helps

- Jouni

Understanding of group-object within object-group

mahesh18 — Sat, 29 Jun 2013 15:42:28 GMT

Hi jouni,

Many thanks it helped a lot.

Regards

MAhesh

topic Re: Understanding of group-object within object-group in Network Security

Understanding of group-object within object-group

Re: Understanding of group-object within object-group

Understanding of group-object within object-group