10-29-2013 11:45 AM - edited 03-11-2019 07:57 PM
Hi Everyone,
I need to understand the object-group network below.
When I run the command "sh run object-group id subnet"
on fw1 it shows
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
The same command on firewall 2 shows
network-object object 10.0.0.0
network-object object 172.16.0.0
network-object object 192.168.0.0
I need to understand whether the contents of both firewalls are the same.
Also, if I remove the config below from fw2
network-object object 10.0.0.0
network-object object 172.16.0.0
network-object object 192.168.0.0
and add
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
which are the same as fw1, will it make any difference to fw2?
Regards
Mahesh
Accepted Solutions
10-29-2013 01:02 PM
Hi again Mahesh,
The FW1 "object-group" defines the actual networks under it with the command "network-object".
The FW2 "object-group" defines the actual networks under it with the command "network-object object". The "object" refers to an "object network".
So on FW2 you would need to issue these commands:
show run object id 10.0.0.0
show run object id 172.16.0.0
show run object id 192.168.0.0
Then you will see the contents of the actual "object network" objects that are used UNDER the "object-group".
Their names do suggest that they would contain identical networks to the ones on FW1, but better be sure.
So it seems to me the only difference is how the same thing is configured.
FW1 has the networks directly configured under the "object-group", while FW2 uses "object network" to define the networks and then groups those "object network" objects under one "object-group".
Hope this clarifies things
- Jouni
10-29-2013 02:07 PM
Hi,
I had not tested this myself before, so I configured this on my firewall:
object network TEST
subnet 10.10.10.0 255.255.255.0
object network TEST-2
subnet 10.10.20.0 255.255.255.0
object-group network TEST-GROUP
network-object object TEST
network-object object TEST-2
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
access-list TEST extended permit ip object-group TEST-GROUP any
ASA(config)# sh access-list TEST
access-list TEST; 4 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit ip object-group TEST-GROUP any 0x47cc12eb
access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29
access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29
It would seem to work, even though it creates an ACL that has overlapping rules, but this is nothing new when you deal with "object-group" and ACLs.
I would imagine that as long as you are doing the changes under the same "object-group", traffic should not be affected. The traffic that has already been allowed through the firewall will keep going through the firewall, and naturally new connections should still match the ACL rule, since the same network should be in the ACL all the time if you first add the new lines and then remove the old.
I would imagine that this "object-group" is probably used in some "deny" statement in an ACL, since it lists all the private IP address ranges.
You can naturally browse through the configuration to see where this "object-group" is used with
show run | inc
- Jouni
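An added example (not from the thread and not Cisco code): a small Python script that does the check Jouni describes in both replies. It parses "show run" style text, expands an object-group to its concrete subnets by following "network-object object" references into their "object network" definitions (and "group-object" nesting), and compares the result across two firewalls exactly rather than trusting that an object named 192.168.0.0 really holds 192.168.0.0/16. It also prints the add-then-remove command sequence for fw2 that Mahesh is planning. The two configs, the group name "subnet" and the deliberately mismatched variant are constructed samples; only IPv4 "subnet", "host", "network-object" and "group-object" lines are handled.

```python
"""Expand Cisco ASA network object-groups and compare them across firewalls."""
import ipaddress
import re

# Constructed sample "show run" fragments (not from the thread). FW1 lists the
# subnets inline; FW2 wraps each one in an "object network" and references it
# with "network-object object", the two styles in the original question.
FW1_CONFIG = """\
object-group network subnet
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
"""
FW2_CONFIG = """\
object network 10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network 172.16.0.0
 subnet 172.16.0.0 255.240.0.0
object network 192.168.0.0
 subnet 192.168.0.0 255.255.0.0
object-group network subnet
 network-object object 10.0.0.0
 network-object object 172.16.0.0
 network-object object 192.168.0.0
"""
# Constructed variant: the object is still named 192.168.0.0 but only holds a
# /24, the case "better be sure" warns about.
FW2_MISMATCH = FW2_CONFIG.replace(" subnet 192.168.0.0 255.255.0.0",
                                  " subnet 192.168.1.0 255.255.255.0")
Net = ipaddress.IPv4Network


def parse_config(text):
    """Return (objects, groups): objects maps an 'object network' name to its
    IPv4 networks; groups maps an 'object-group network' name to members
    tagged ("net", Net), ("object", name) or ("group", name)."""
    objects, groups, current, kind = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current, kind = groups.setdefault(m.group(1), []), "group"
            continue
        m = re.match(r"object network (\S+)$", line)
        if m:
            current, kind = objects.setdefault(m.group(1), []), "object"
            continue
        if current is None or not line:
            continue
        w = line.split()
        if kind == "object" and w[0] == "subnet":
            current.append(Net((w[1], w[2])))
        elif kind == "object" and w[0] == "host":
            current.append(Net(w[1]))            # a /32
        elif kind == "group" and w[0] == "network-object" and w[1] == "object":
            current.append(("object", w[2]))
        elif kind == "group" and w[0] == "network-object" and w[1] == "host":
            current.append(("net", Net(w[2])))
        elif kind == "group" and w[0] == "network-object":
            current.append(("net", Net((w[1], w[2]))))
        elif kind == "group" and w[0] == "group-object":
            current.append(("group", w[1]))
    return objects, groups


def expand_group(name, objects, groups, _seen=frozenset()):
    """Resolve object-group NAME to a set of concrete networks. A dangling
    reference raises KeyError and a group-object loop raises ValueError,
    instead of silently yielding a smaller set than the firewall matches."""
    if name in _seen:
        raise ValueError(f"group-object loop through {name}")
    nets = set()
    for kind, value in groups[name]:
        if kind == "net":
            nets.add(value)
        elif kind == "object":
            nets.update(objects[value])
        else:
            nets.update(expand_group(value, objects, groups, _seen | {name}))
    return nets


def compare_groups(cfg_a, cfg_b, group):
    """(only_in_a, only_in_b) as sorted CIDR strings; ([], []) means a match."""
    a = expand_group(group, *parse_config(cfg_a))
    b = expand_group(group, *parse_config(cfg_b))
    return sorted(map(str, a - b)), sorted(map(str, b - a))


def migration_commands(cfg, group):
    """Commands replacing every 'network-object object X' member of GROUP with
    equivalent inline lines. All adds precede any removal so the group never
    covers less than before mid-change (the add-then-remove order above)."""
    objects, groups = parse_config(cfg)
    adds, removes = [], []
    for kind, value in groups[group]:
        if kind != "object":
            continue
        for net in objects[value]:
            if net.prefixlen == 32:
                adds.append(f" network-object host {net.network_address}")
            else:
                adds.append(f" network-object {net.network_address} {net.netmask}")
        removes.append(f" no network-object object {value}")
    return [f"object-group network {group}"] + adds + removes


if __name__ == "__main__":
    print("FW1 vs FW2:", compare_groups(FW1_CONFIG, FW2_CONFIG, "subnet"))
    print("FW1 vs mismatch:", compare_groups(FW1_CONFIG, FW2_MISMATCH, "subnet"))
    print("\n".join(migration_commands(FW2_CONFIG, "subnet")))
```

Paste the real "show run object" and "show run object-group" output of each firewall into the two config strings; a ([], []) result from compare_groups means the groups cover exactly the same networks regardless of how they were written, and running it again after applying the migration commands confirms the cleanup changed nothing the ACLs match on.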
10-29-2013 01:54 PM
Hi Jouni,
On fw2 I did
sh run object id 10.0.0.0
object network 10.0.0.0
subnet 10.0.0.0 255.0.0.0
Seems this is the same as fw1.
As I am doing some cleanup work on the firewalls, if on fw2 I add
network-object 10.0.0.0 255.0.0.0 and then delete the network-object object 10.0.0.0, it should not cause any outage, right?
If I implement the above, will it cause any issues in the ACLs where the above objects are used?
Regards
Mahesh
10-29-2013 02:22 PM
Hi Jouni,
When I do this change, I hope all will go fine.
I ran the command show run | inc
So I will do this change in our maintenance window.
Regards
Mahesh
