
Network Objects Configuration Guide

Overview 

Network Objects simplify the management of firewall rules. A Network Object is a named label for an IP address, IP subnet or FQDN that can be referenced in access policies such as firewall rules. When several policies share the same IP subnet or FQDN, you modify the Network Object once and the change is reflected in every policy that references it.

For additional highlights of the feature, please see Network Objects Highlights.

Use Case 

Network Objects are ideal for networks that have large and complex firewall rules. This feature simplifies management of firewall rules and allows rules to be easily identified.

Feature

Network Objects can be centrally managed through Organization > Network Objects. It is an organization-wide feature shared with all networks within the organization. 

Network Objects can contain:

  • IP Address
  • IP Subnet (CIDR)
  • FQDN and Wildcard FQDN

Network Groups can contain:

  • One or more Network Objects

 

Network Objects/Groups can be applied in the below firewall rules:

  • Individual and Template Networks: Layer 3 Inbound, Layer 3 Outbound, and Failover Cellular Firewall Rules
  • Organization-wide Site to Site VPN Outbound Firewall Rules

Note:

  • At this moment, Network Objects/Groups cannot be applied to Group Policies.
  • FQDN and Wildcard FQDN can only be applied to Layer 3 Outbound Firewall Rules. At this time, they cannot be applied to Site to Site VPN Outbound Firewall Rules.

Prerequisites

To enable the Open-Beta Network Objects feature, navigate to Organization > Network Objects. An informational page describes the beta; after reviewing it, click Start Beta to begin.

Network Objects is currently an Open-Beta feature. Test it in an isolated lab environment before enabling it in production.

Administration

Network Objects is an organization-wide feature. The table below summarises what Organization Administrators and Network Administrators can do with Network Objects.

  Action                                                         Organization Administrator   Network Administrator
  Create Network Objects/Groups                                  Yes                          No
  Convert existing IP, CIDR and FQDN entries to Network Objects  Yes                          No
  Access the management page (Organization > Network Objects)    Yes                          No
  Apply Network Objects to firewall rules                        Yes                          Yes

Configuration

Managing Network Objects

Network Objects can be centrally managed in Organization > Network Objects.

Creating Network Objects

Network Object is a label that contains either an IP Address (192.168.1.1/32), IP Subnet (192.168.1.0/24), FQDN (www.example.com) or Wildcard FQDN (*.example.com).

Note: If a Network Object is created to contain a root domain (example.com), Wildcard FQDN (*.example.com) is automatically assumed.

  1. To create a new Network Object, navigate to Organization > Network Objects > All Objects > Add New.

  2. After the Network Objects have been created, they are listed on the Organization > Network Objects > All Objects tab.

Creating Network Groups

Network Group is a group that contains one or more Network Objects.

  1. To create a Network Group, navigate to Organization > Network Objects > Groups > Add new. In the pop-up menu, type the values (IP Address, IP Subnet, FQDN or Wildcard FQDN) the group should contain into the Contains field. For each value, click the auto-suggested option (a new value or an existing object) to add the entry to the Contains field.

  2. For any new IP Address or FQDN entered, the next screen requires you to create a Network Object for that entry.

  3. After the Network Group has been created, it is listed on the Organization > Network Objects > Groups tab.

Modifying Network Objects/Groups

For each Network Object/Group, you can create a copy of the existing object/group, edit it, or delete it. To perform an action, select the corresponding icon next to the entry.

Note: If a Network Object/Group is modified, the change is reflected in every firewall rule that references that Network Object/Group, across all networks in the organization. Review those rules before editing: widening an object's subnet, for example, widens every allow rule that uses it.
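As an added example (not part of this Meraki guide or its API), the following Python script shows how a practitioner can check the points above before touching an object: it resolves the OBJ[ID] and GRP[ID] references that the API section of this page documents, lists every rule an object change would propagate to (directly or through a group that contains it), flags FQDN objects referenced outside Layer 3 outbound rules (the restriction stated in the Feature section note), and applies the root-domain-to-wildcard interpretation from the note under Creating Network Objects. The catalog, the rule sets, the scope labels and the "fqdn" type string are constructed sample data and assumptions, not output of the Meraki API.

```python
import re

# Reference syntax from the API section of this page: OBJ[<id>] and GRP[<id>].
REF_RE = re.compile(r"^(OBJ|GRP)\[(\d+)\]$")

# Rule scopes in which FQDN / wildcard FQDN objects are supported (Layer 3 outbound
# only, per the Note in the Feature section). The scope labels are this example's own.
FQDN_SCOPES = {"l3Outbound"}

# Constructed sample catalog. Field names follow the API response shown on this page;
# the "fqdn" type string is an assumption (the page only shows "ipv4Cidr").
OBJECTS = {
    "1234": {"name": "Corp LAN", "type": "ipv4Cidr", "value": "10.0.0.0/24"},
    "1235": {"name": "Web Portal", "type": "fqdn", "value": "www.example.com"},
    "1236": {"name": "Partner", "type": "fqdn", "value": "example.net"},
}
GROUPS = {"77": {"name": "Portal Access", "objectIds": ["1234", "1235"]}}

# Constructed sample rule sets keyed by (network, scope); rule fields follow the
# firewall-rule JSON in the API section. Objects are referenced by id, as the API does.
RULESETS = {
    ("branch-1", "l3Outbound"): [
        {"comment": "Allow portal", "policy": "allow", "protocol": "tcp",
         "srcCidr": "OBJ[1234]", "destCidr": "GRP[77]", "srcPort": "Any", "destPort": "443"},
    ],
    ("org", "siteToSiteVpnOutbound"): [
        {"comment": "Partner over VPN", "policy": "allow", "protocol": "any",
         "srcCidr": "OBJ[1234]", "destCidr": "OBJ[1236]", "srcPort": "Any", "destPort": "Any"},
    ],
    ("branch-2", "l3Inbound"): [
        {"comment": "Stale reference", "policy": "deny", "protocol": "any",
         "srcCidr": "OBJ[9999]", "destCidr": "Any", "srcPort": "Any", "destPort": "Any"},
    ],
}


def effective_match(obj):
    """Value the rule actually matches. A bare root domain is treated as its wildcard
    form (see the Note under 'Creating Network Objects'); the page does not define
    'root domain', so this example assumes a name with exactly two labels."""
    value = obj["value"]
    if obj["type"] == "fqdn" and not value.startswith("*.") and value.count(".") == 1:
        return "*." + value
    return value


def resolve(ref):
    """Expand OBJ[id]/GRP[id] to a list of (object_id, object). Returns None for a
    literal field value ('Any', a CIDR) and raises KeyError for an unknown id."""
    m = REF_RE.match(ref)
    if not m:
        return None
    kind, ident = m.groups()
    if kind == "OBJ":
        return [(ident, OBJECTS[ident])]
    return [(oid, OBJECTS[oid]) for oid in GROUPS[ident]["objectIds"]]


def rules_referencing(object_id):
    """Impact analysis before editing an object: every (network, scope, rule index,
    field) that changes, whether it references the object directly or via a group."""
    hits = []
    for (network, scope), rules in RULESETS.items():
        for idx, rule in enumerate(rules):
            for fld in ("srcCidr", "destCidr"):
                try:
                    members = resolve(rule[fld]) or []
                except KeyError:
                    continue  # dangling reference; reported by lint_rulesets()
                if any(oid == object_id for oid, _ in members):
                    hits.append((network, scope, idx, fld))
    return hits


def lint_rulesets():
    """Flag references that will not behave as documented: dangling ids, and FQDN
    objects (directly or via a group) used outside Layer 3 outbound rules."""
    findings = []
    for (network, scope), rules in RULESETS.items():
        for idx, rule in enumerate(rules):
            for fld in ("srcCidr", "destCidr"):
                try:
                    members = resolve(rule[fld]) or []
                except KeyError:
                    findings.append((network, scope, idx, fld, f"unknown reference {rule[fld]}"))
                    continue
                for oid, obj in members:
                    if obj["type"] == "fqdn" and scope not in FQDN_SCOPES:
                        findings.append((network, scope, idx, fld,
                                         f"FQDN object {oid} ({effective_match(obj)}) unsupported in {scope}"))
    return findings


if __name__ == "__main__":
    for hit in rules_referencing("1234"):
        print("would change:", hit)
    for finding in lint_rulesets():
        print("finding:", finding)
```

Run against a real organization, the two dictionaries would be filled from the list-objects and list-groups API calls and the rule sets from each network's firewall rule endpoints; the lookup logic is the same.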

Applying Network Objects

Network Objects/Groups can be applied to

  • Individual and Template Networks: Layer 3 Inbound, Layer 3 Outbound, and Failover Cellular Firewall Rules.
  • Organization-wide Site to Site VPN Outbound Firewall Rules

Create a New Firewall Rule

  1. To create a new firewall rule, navigate to Security & SD-WAN > Firewall > Add new. Type the name of the Network Object/Group in the Source and Destination fields; auto-suggestion shows the existing Network Objects/Groups to choose from.

  2. If additional rules are needed, repeat the step above. After all rules are added, click Finish editing and then Save.

Creating Network Objects/Groups within Firewall Rules

As a shortcut, Network Objects/Groups can also be created from the Source and Destination fields of a rule. Type a value into the Source or Destination field and click the appropriate auto-suggested option.

You can then convert the value into a Network Object and, optionally, place it in a Network Group.

If you click on an existing Network Object instead, the option to place it in a Network Group is presented as well.

Modify Existing Rule

To modify an existing rule, click the icon under the Actions column for the respective rule and choose one of the actions offered.

In addition, you can move a rule higher or lower in the firewall rules table by clicking and dragging the drag handle for the respective rule.

Removing Network Object from Existing Rule

To remove a Network Object from an existing rule, click the icon under the Actions column for the respective rule and click Edit to enter edit mode for the rule. Click the Network Object you wish to remove and press Backspace or Delete twice: the first press displays a pop-up asking whether you want to remove the Network Object, and the second press removes it. After the Network Object is removed, click Finish editing and then Save.

Bulk Edit and Delete Rules

To edit or delete several rules at once, check the desired rules, click More actions and choose either Bulk edit or Bulk delete.

Converting Existing Rules to use Network Objects

IP addresses, IP subnets and FQDNs already configured in existing firewall rules can be converted to Network Objects. To do so, click the icon under the Actions column for the respective rule, click Edit, and then click on the IP address, IP subnet or FQDN. A pop-up asks for a Network Object name and creates a new Network Object with that value.

Example of Firewall Rules using Network Objects/Groups (screenshot)

Compatibility

Network Objects can be used alongside the existing VLAN Objects in Template Network firewall rules.

VLAN Objects

VLAN Objects are solely used to represent Template created VLANs. They can only be created and modified within Template Network Firewall Rules. For additional information regarding VLAN Objects, please refer to:

Managing Multiple Networks with Configuration Templates

MX Templates Best Practices

Example of Template Firewall Rules using Both Network and VLAN Objects (screenshot)

API

The API can be used to create, modify and apply Network Objects/Groups to firewall rules. For the list of supported API calls, navigate to Help > API docs. Each Network Object/Group created is assigned an ID, a unique identifier for that object or group. To update, delete or apply a Network Object or Group, reference this ID in the form OBJ[ID] for objects or GRP[ID] for groups. The API call that lists Network Objects/Groups for the entire organization returns every object/group together with its ID.

Example of Creating a Network Object Using API

HTTP Request to create a Network Object named "Test Object" for subnet "10.0.0.0/24":

curl -L -H 'X-Cisco-Meraki-API-Key: <key>' -H 'Content-Type: application/json' -X POST --data-binary '{"name":"Test Object","type":"ipv4Cidr","value":"10.0.0.0/24","networkObjectGroupIds":[]}' 'https://api.meraki.com/api/v0/organizations/{organizationId}/networkObjects'

HTTP successful response. The "id" field is the unique ID of the created Network Object:

{
    "id": "1234",
    "name": "Test Object",
    "type": "ipv4Cidr",
    "value": "10.0.0.0/24",
    "created_at": "2018-05-12T00:00:00Z",
    "updated_at": "2018-05-12T00:00:00Z",
    "networkObjectGroupIds": [],
    "networkIds": []
}

Example of Applying a Network Object to a Layer 3 Firewall Rule Using API

HTTP request to apply the previously created Network Object to the Source field of a firewall rule. The object is referenced by its ID in the OBJ[ID] form. Note that the rules array in the PUT body is the network's complete rule list: the request below leaves the network with exactly this one rule, so when adding to an existing rule set, include the existing rules in the array as well.

curl -L -H 'X-Cisco-Meraki-API-Key: <key>' -H 'Content-Type: application/json' -X PUT --data-binary '{"rules":[{"comment":"Test Rule","policy":"allow","protocol":"tcp","destPort":"Any","destCidr":"Any","srcPort":"Any","srcCidr":"OBJ[1234]","syslogEnabled":false}]}' 'https://api.meraki.com/api/v0/organizations/{organizationId}/networks/{networkId}/FirewallRules'

HTTP successful response:

{
    "comment": "Test Rule",
    "policy": "allow",
    "protocol": "tcp",
    "destPort": "Any",
    "destCidr": "Any",
    "srcPort": "Any",
    "srcCidr": "OBJ[1234]",
    "syslogEnabled": false
}
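The two requests above as a single Python flow, added here as an example that is not part of the Meraki documentation or its SDK: create the object, take the returned id, and add an allow rule referencing OBJ[id] on top of the rules already configured rather than overwriting them with a one-rule list. It uses only the standard library. The base URL, paths, headers and payloads follow the curl examples on this page; the assumption that a GET on the same rules path returns {"rules": [...]} is the example's own; FakeOpener and DEFAULT_DENY are constructed stand-ins so the flow can be exercised offline.

```python
import json
import urllib.request

BASE = "https://api.meraki.com/api/v0"  # API version used by the curl examples on this page


class MerakiClient:
    """Wraps the two calls shown above. `opener(method, url, body)` is injectable so
    the flow can run offline; the default sends real requests with urllib."""

    def __init__(self, api_key, opener=None):
        self.api_key = api_key
        self.opener = opener or self._http

    def _http(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "X-Cisco-Meraki-API-Key": self.api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            return resp.status, json.loads(resp.read() or b"null")

    def _call(self, method, path, body=None):
        status, data = self.opener(method, BASE + path, body)
        if status not in (200, 201):
            raise RuntimeError(f"{method} {path} returned HTTP {status}: {data}")
        return data

    def create_network_object(self, org_id, name, cidr):
        """POST the payload from the page; the returned 'id' is what rules reference."""
        body = {"name": name, "type": "ipv4Cidr", "value": cidr, "networkObjectGroupIds": []}
        return self._call("POST", f"/organizations/{org_id}/networkObjects", body)["id"]

    def get_rules(self, org_id, net_id):
        # Assumption: GET on the rules path returns {"rules": [...]} (a bare list is tolerated).
        data = self._call("GET", f"/organizations/{org_id}/networks/{net_id}/FirewallRules")
        return data["rules"] if isinstance(data, dict) else data

    def put_rules(self, org_id, net_id, rules):
        data = self._call("PUT", f"/organizations/{org_id}/networks/{net_id}/FirewallRules",
                          {"rules": rules})
        return data["rules"] if isinstance(data, dict) and "rules" in data else data


def allow_source_object(client, org_id, net_id, object_id, comment, dest_port="Any"):
    """Add an allow rule with OBJ[<id>] as source without discarding the existing rules:
    the 'rules' array in the PUT body is the network's complete rule list."""
    ref = f"OBJ[{object_id}]"
    existing = client.get_rules(org_id, net_id)
    if any(r.get("srcCidr") == ref and r.get("policy") == "allow" for r in existing):
        return existing  # already present; keep the call idempotent
    new_rule = {"comment": comment, "policy": "allow", "protocol": "tcp",
                "srcPort": "Any", "srcCidr": ref, "destPort": dest_port,
                "destCidr": "Any", "syslogEnabled": False}
    return client.put_rules(org_id, net_id, [new_rule] + existing)


class FakeOpener:
    """Constructed offline stand-in for the HTTP layer; responses mimic the shapes on this page."""

    def __init__(self, existing_rules):
        self.rules, self.calls, self.next_id = list(existing_rules), [], 1234

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        if method == "POST" and url.endswith("/networkObjects"):
            oid, self.next_id = str(self.next_id), self.next_id + 1
            return 201, {"id": oid, **body, "networkIds": []}
        if method == "GET" and url.endswith("/FirewallRules"):
            return 200, {"rules": list(self.rules)}
        if method == "PUT" and url.endswith("/FirewallRules"):
            self.rules = list(body["rules"])
            return 200, {"rules": list(self.rules)}
        return 404, {"errors": ["not found"]}


# Constructed pre-existing rule, standing in for whatever the network already has.
DEFAULT_DENY = {"comment": "Default deny", "policy": "deny", "protocol": "any",
                "srcPort": "Any", "srcCidr": "Any", "destPort": "Any",
                "destCidr": "Any", "syslogEnabled": True}


if __name__ == "__main__":
    # Against the real API: MerakiClient(os.environ["MERAKI_API_KEY"]) with no opener,
    # keeping the key out of the command line and shell history.
    client = MerakiClient("offline", opener=FakeOpener([DEFAULT_DENY]))
    oid = client.create_network_object("123", "Test Object", "10.0.0.0/24")
    print(json.dumps(allow_source_object(client, "123", "N_1", oid, "Test Rule"), indent=2))
```

The read-then-write in allow_source_object is the practical difference from the curl example: because the PUT body is the whole rule list, a script that sends only the new rule silently drops every other rule in the network.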
Article ID: 9237