Contents

Configuring object groups· 1

About object groups· 1

Restrictions and guidelines: Object group configuration· 1

Configuring an IPv4 address object group· 1

Configuring an IPv6 address object group· 2

Configuring a port object group· 2

Configuring a service object group· 2

Renaming an object group· 3

Display and maintenance commands for object groups· 3

 

Configuring object groups

About object groups

An object group is a group of objects that can be used by an ACL, object policy, or object group to identify packets. Object groups are divided into the following types:

·     IPv4 address object group—A group of IPv4 address objects used to match the IPv4 address in a packet or match the user from whom a packet comes.

·     IPv6 address object group—A group of IPv6 address objects used to match the IPv6 address in a packet or match the user from whom a packet comes.

·     Port object group—A group of port objects used to match the protocol port number in a packet.

·     Service object group—A group of service objects used to match the upper-layer service in a packet.

Restrictions and guidelines: Object group configuration

You cannot edit an object group if the group is used by a global static NAT rule.

Configuring an IPv4 address object group

1.     Enter system view.

system-view

2.     Create an IPv4 address object group and enter its view.

object-group ip address object-group-name

The system has one default IPv4 address object group named any.

3.     (Optional.) Configure a description for the IPv4 address object group.

description text

By default, an object group does not have a description.

4.     Configure an IPv4 address object.

[ object-id ] network { host { address ip-address | name host-name } | subnet ip-address { mask-length | mask | wildcard wildcard } | range ip-address1 ip-address2 | group-object object-group-name }

5.     Exclude an IPv4 address or a subnet from the IPv4 address object.

object-id network exclude { ip-address | subnet ip-address { mask-length | mask } }

By default, no IPv4 address in an IPv4 address object is excluded.

6.     Exclude a host name from the IPv4 address object.

object-id network exclude host-name host-name

By default, no host name in an IPv4 address object is excluded.

7.     (Optional.) Specify a security zone for the IPv4 address object group.

security-zone security-zone-name

By default, no security zone is specified for an IPv4 address object group.

Configuring an IPv6 address object group

1.     Enter system view.

system-view

2.     Create an IPv6 address object group and enter its view.

object-group ipv6 address object-group-name

The system has one default IPv6 address object group named any.

3.     (Optional.) Configure a description for the IPv6 address object group.

description text

By default, an object group does not have a description.

4.     Configure an IPv6 address object.

[ object-id ] network { host { address ipv6-address | name host-name } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 | group-object object-group-name }

5.     Exclude an IPv6 address or a subnet from the IPv6 address object.

object-id network exclude { ip-address | subnet ipv6-address prefix-length }

By default, no IPv6 address in an IPv6 address object is excluded.

6.     Exclude a host name from the IPv6 address object.

object-id network exclude host-name host-name

By default, no host name in an IPv6 address object is excluded.

7.     (Optional.) Specify a security zone for the IPv6 address object group.

security-zone security-zone-name

By default, no security zone is specified for an IPv6 address object group.

Configuring a port object group

1.     Enter system view.

system-view

2.     Create a port object group and enter its view.

object-group port object-group-name

The system has one default port object group named any.

3.     (Optional.) Configure a description for the port object group.

description text

By default, an object group does not have a description.

4.     Configure a port object.

[ object-id ] port { { eq | lt | gt } port | range port1 port2 | group-object object-group-name }

Configuring a service object group

1.     Enter system view.

system-view

2.     Create a service object group and enter its view.

object-group service object-group-name

The system has multiple default service object groups.

3.     (Optional.) Configure a description for the service object group.

description text

By default, an object group does not have a description.

4.     Configure a service object.

[ object-id ] service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] | group-object object-group-name }

Renaming an object group

1.     Enter system view.

system-view

2.     Rename an object group.

object-group rename old-object-group-name new-object-group-name

You can only rename non-default object groups.

Display and maintenance commands for object groups

Execute display commands in any view.

 

Task	Command
Display information about object groups.	display object-group [ { { ip | ipv6 } address | service | port } [ default ] [ name object-group-name ] | name object-group-name ]
Display IPv4 or IPv6 addresses for host names.	display object-group { ip | ipv6 } host { object-group-name object-group-name | name host-name } *