Skip to main content

 

Cisco Meraki Documentation

Network Objects Highlights

Overview

Network Objects provide simpler management for firewall rules. At a glance, Network Objects map a name to a specific Source/Destination value: IP address, IP Subnet, FQDN or Wildcard FQDN. This easily allows network administrators to correlate firewall Source/Destination values to a more human-readable identifier. Ultimately, the intention of each firewall rule will be clear to network administrators.

 

In addition to creating 1 to 1 mappings of Network Objects, we can also contain multiple Network Objects in a Network Object Group. The advantage of grouping Network Objects is to further categorize Source or Destination values that are often referenced together in single or multiple rules. This simplifies firewall rule creation, where the same set of values are repeatedly referenced.

 

The main advantage of Network Objects comes from the single Network Objects management page. Here, we are able to create/modify/delete Network Objects and Groups. When a Network Object/Group is modified on the central management page, all firewall rules where this Network Object/Group is referenced will automatically reflect the new change. This is highly beneficial to network administrators making adjustments to large firewall rulesets.

Use Cases

Configuring Simplified Rulesets

With the standard firewall rule table (shown below), it is difficult to interpret the intention of the rule reading the Source/Destination values. For the below two rules, a network administrator would not be able to identify their purpose by simply looking at the firewall rules table.

Screenshot from dashboard Security and SD-WAN > firewall > L3_rules with two deny rules in place.

With Network Objects, we can correlate the Source/Destination values to human-readable names. This way, the firewall rules table clearly displays the intention of each and every rule. For the example below, our network administrators named IP Subnets by their respective departments. Hovering over a Network Object will allow you to see its correlating value.

Screenshot from dashboard Security and SD-WAN > firewall > L3_rules with the same two rules in place using objects.

To further tailor the rule to a specific network, network administrators may want to group departments into project working groups, locations in their building or etc. For the example below, we chose to group departments by their location. When we hover over the group, we can easily see the contained Network Objects, and their correlating values and interpret the intention of the rule.

Screenshot from dashboard Security and SD-WAN > firewall > L3_rules with two rules in place via network objects. Hovering over the object shows the contents of the object.

Manage Rulesets at Scale

For networks with large rulesets or rulesets that repeatedly reference the same Source/Destination values, it is beneficial for Network Administrators to be able to modify the Source/Destination values at one convenient location for it to reflect on all referenced rulesets. Network Objects provides a central management page, which allows such modifications at scale.


With the standard firewall rule table, if we want to modify a specific Source/Destination value for every ruleset where it is referenced, we have to manually edit it on every rule. Consider the below example, where we wish to change 192.168.1.0/24 to 192.168.2.0/24 for all rules that currently reference 192.168.1.0/24. In order to accomplish this, we have to navigate to every rule and manually make the adjustment.

Screenshot from dashboard Security and SD-WAN > firewall > L3_rules with four rules in place without network objects.

With Network Objects, we can accomplish the above with just one edit on the central Network Objects management page. For the below example, Network Object named Support currently correlates to 192.168.1.0/24. To change 192.168.1.0/24 to 192.168.2.0/24 and have it reflect on all referenced firewall rules, we only have to edit the Support Network Object. The images below show Network Objects before and after the modification.


New Firewall Table with rulesets referencing Support Network Objects:

Screenshot from dashboard Security and SD-WAN > firewall > L3_rules with the same four rules in place via network objects.

Network Objects central management page (Objects view) showing Support Network Object correlating to value 192.168.1.0/24.

Screenshot from dashboard Organization > Configure > Network-Objects.

Network Objects central management page (Object Groups view) showing Support Network Objects contained in Group 2nd Floor.

Screenshot from dashboard Organization > Configure > Network Objects.

Once we change the Support Network Objects to correlate to 192.168.2.0/24, the new value reflects in all places where the Network Objects is referenced.
Screenshot from dashboard Organization > Configure > Network Objects.

Network Objects central management page (Objects Groups view) showing Support Network Objects, in the Group 2nd Floor, with its new value (192.168.2.0/24).

Screenshot from dashboard Organization > Configure > Network Objects.

Firewall Rule table showing all rulesets referencing Support Network Objects with its new value (192.168.2.0/24).

Screenshot from dashboard Security and SD-WAN > firewall > L3_rules with the rules in place using objects.

Screenshot from dashboard Security and SD-WAN > firewall > L3 rules with the rules in place using objects.

Network Objects Configuration Guide

For configuration specific guide, please refer to Network Objects Configuration Guide.

  • Was this article helpful?