Cisco Defense Orchestrator

Create or Edit a Firepower Network Object or Network Group

About Network Objects

A Firepower network object can contain a hostname, an IP address or a subnet address expressed in CIDR notation. Network groups are conglomerates of network objects and network groups that are used in access rules, network policies, and NAT rules. You can create, read, update, and delete network objects and network groups using CDO.

IP addresses that can be added to network objects

| Device type | IPv4 / IPv6 | Single Address | Range of addresses | Partially Qualified Domain Name (PQDN) | Subnet using CIDR Notation |
|---|---|---|---|---|---|
| Firepower | IPv4 / IPv6 | Yes | Yes | Yes | Yes |

Create a Firepower Network Object

  1. In the CDO navigation bar on the left, click Objects.
  2. Click the blue plus button to create an object.
  3. Click FTD > Network.
  4. Enter an Object Name.
  5. Select Create a network object.
  6. In the Value section:
    • Select eq and enter a single IP address, a subnet address expressed in CIDR notation, or a Partially Qualified Domain Name (PQDN).
    • Select range and enter an IP address range.
  7. Click Add.

Create a Firepower Network Group

A Network Group can contain network objects and network groups. When you create a new Network Group, you can search for existing objects by their name, IP addresses, IP address range, or FQDN and add them to the Network Group. If the object isn’t present, you can instantly create that object in the same interface and add it to the Network Group. 

  1. In the CDO navigation bar on the left, click Objects.
  2. Click the blue plus button to create an object.
  3. Click FTD > Network.
  4. Enter an Object Name.
  5. Select Create a network group.
  6. In the Values field, enter a value or name. When you start typing, CDO provides object names or values that match your entry.
  7. You can choose one of the existing objects shown or create a new one based on the name or value that you have entered.
  8. If CDO finds a match and you want to use the existing object, click Add to add the network object or network group to the new network group.
  9. If you have entered a value or object that is not present, you can perform one of the following:
    • Click Add as New Object With This Name to create a new object with that name. Enter a value and click the checkmark to save it.
    • Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the checkmark to save it.

It is possible to create a new object even though the value is already present. You can make changes to those objects and save them.

Note: You can click the edit icon to modify the details. Clicking the delete button doesn’t delete the object itself; instead, it removes it from the network group.

  10. After adding the required objects, click Save to create a new Network Group.
  11. Preview and Deploy Configuration Changes for All Devices.

Edit a Firepower Network Object

  1. In the CDO navigation bar on the left, click Objects.
  2. Locate the object you want to edit by using object filters and the search field.
  3. Select the network object and click the edit icon in the Actions pane.
  4. Edit the values in the dialog box in the same fashion that you created them in "Create a Firepower Network Group".
    Note: Click the delete icon next to an object to remove it from the network group.
  5. Click Save.
    CDO displays the devices that will be affected by the change.
  6. Click Confirm to finalize the change to the object and any devices affected by it.

Edit a Firepower Network Group

  1. In the CDO navigation bar on the left, click Objects.
  2. Locate the network group you want to edit by using object filters and the search field.
  3. Select the network group and click the edit icon in the Actions pane.
  4. Change the object name and description if needed.
  5. If you want to change the objects or network groups that are already added to the network group, perform the following steps:
    1. Click the edit icon appearing beside the object name or network group to modify them.
    2. Click the checkmark to save your changes.
      Note: You can click the remove icon to delete the value from a network group.
  6. If you want to add new network objects or network groups to this network group, perform the following steps:
    1. In the Values field, enter a new value or the name of an existing network object. When you start typing, CDO provides object names or values that match your entry. You can choose one of the existing objects shown or create a new one based on the name or value that you have entered.
    2. If CDO finds a match and you want to use the existing object, click Add to add the network object or network group to the new network group.
    3. If you have entered a value or object that is not present, you can perform one of the following:
      • Click Add as New Object With This Name to create a new object with that name. Enter a value and click the checkmark to save it.
      • Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the checkmark to save it.

It is possible to create a new object even though the value is already present. You can make changes to those objects and save them.

  7. Click Save.
    CDO displays the policies that will be affected by the change.
  8. Click Confirm to finalize the change to the object and any devices affected by it.
  9. Preview and Deploy Configuration Changes for All Devices.

Add Additional Values to a Shared Network Group

The values in a shared network group that are present on all devices associated with it are called “default values”. CDO allows you to add "additional values" to the shared network group and assign those values to some devices associated with that shared network group. When CDO deploys the changes to the devices, it determines the contents and pushes the "default values" to all devices associated with the shared network group and the "additional values" only to the specified devices.

For example, consider a scenario where you have four AD main servers in your head office that should be accessible from all your sites. Therefore, you have created an object group named “Active-Directory” to use it in all your sites. Now you want to add two more AD servers to one of your branch offices. You can do this by adding their details as additional values specific to that branch office on the object group "Active-Directory". These two servers do not participate in determining whether the object “Active-Directory” is consistent or shared. Therefore, the four AD main servers are accessible from all your sites, but the branch office (with two additional servers) can access two AD servers and four AD main servers.
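
The default/additional split described above, modeled as an added example (not CDO code and not a CDO API): it computes the values each device ends up with and flags additional values that a default value already covers. The function names, dictionary layout, device names and addresses are constructed for illustration.

```python
import ipaddress

def to_networks(value):
    """Expand an address, CIDR subnet or 'first-last' range into networks.
    Returns None for anything else, which is treated as a name (PQDN)."""
    lo, sep, hi = (part.strip() for part in value.partition("-"))
    try:
        if not sep:
            return [ipaddress.ip_network(lo, strict=False)]
        first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    except ValueError:
        return None
    # Raises if the range is reversed or mixes IPv4 and IPv6.
    return list(ipaddress.summarize_address_range(first, last))

def effective_values(group, device):
    """Default values plus the additional values assigned to this device."""
    if device not in group["devices"]:
        raise KeyError(f"{device} is not associated with {group['name']}")
    extra = [v for v, devs in group["additional"].items() if device in devs]
    return group["default"] + extra

def covered(value, defaults):
    """True if a default value already contains every address in `value`.
    Adjacent defaults are not merged, so this only reports clear duplicates."""
    nets = to_networks(value)
    if nets is None:
        return value.lower() in {d.lower() for d in defaults}
    pool = [p for d in defaults for p in (to_networks(d) or [])]
    return all(any(n.version == p.version and n.subnet_of(p) for p in pool)
               for n in nets)

def audit(group):
    """Return (values per device, additional values a default already covers)."""
    per_device = {d: effective_values(group, d) for d in group["devices"]}
    redundant = [v for v in group["additional"] if covered(v, group["default"])]
    return per_device, redundant

# Constructed sample modeled on the "Active-Directory" scenario above.
GROUP = {
    "name": "Active-Directory",
    "devices": ["hq-ftd", "branch1-ftd", "branch2-ftd"],
    "default": ["10.1.0.10", "10.1.0.11", "10.1.0.12", "10.1.0.13"],
    "additional": {"10.20.0.10": ["branch1-ftd"], "10.20.0.11": ["branch1-ftd"],
                   "10.1.0.11": ["branch2-ftd"]},  # last one duplicates a default
}

if __name__ == "__main__":
    print(audit(GROUP))
```
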

  1. In the CDO navigation bar on the left, click Objects.
  2. Locate the shared network group you want to edit by using object filters and the search field.
  3. Click the edit icon in the Actions pane.
    • The Devices field shows the devices on which the shared network group is present.
    • The Usage field shows the rulesets associated with the shared network group.
    • The Default Values field specifies the default network objects and their values associated with the shared network group that was provided during their creation. Next to this field, you can see the number of devices that contain this default value, and you can click to see their names and device types. You can also see the rulesets associated with this value.
  4. In the Additional Values field, enter a value or name. When you start typing, CDO provides object names or values that match your entry.
  5. You can choose one of the existing objects shown or create a new one based on the name or value that you have entered.
  6. If CDO finds a match and you want to use the existing object, click Add to add the network object or network group to the new network group.
  7. If you have entered a value or object that is not present, you can perform one of the following:
    • Click Add as New Object With This Name to create a new object with that name. Enter a value and click the checkmark to save it.
    • Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the checkmark to save it.

It is possible to create a new object even though the value is already present. You can make changes to those objects and save them.

  8. In the Devices column, click the cell associated with the newly added object and click Add Devices.
  9. Select the devices that you want and click OK.
  10. Click Save.
    CDO displays the devices that will be affected by the change.
  11. Click Confirm to finalize the change to the object and any devices affected by it.
  12. Preview and Deploy Configuration Changes for All Devices.

Edit Additional Values in a Shared Network Group

  1. In the CDO navigation bar on the left, click Objects.
  2. Locate the object having the override you want to edit by using object filters and the search field.
  3. Click the edit icon in the Actions pane.
  4. Modify the override value:
    • Click the edit icon to modify the value.
    • Click the cell in the Devices column to assign new devices. You can select an already assigned device and click Remove Overrides to remove overrides on that device.
    • Click the down arrow in Default Values to push the value down and make it an additional value of the shared network group. All devices associated with the shared network group are automatically assigned to it.
    • Click the up arrow in Override Values to push the value up and make it a default object of the shared network group.
    • Click the delete icon next to an object to remove it from the network group.
  5. Click Save.
    CDO displays the devices that will be affected by the change.
  6. Click Confirm to finalize the change to the object and any devices affected by it.
  7. Preview and Deploy Configuration Changes for All Devices.