The different types of objects

Host

Select a host in order to view or edit its properties. Each one of them has by default a name, an IP address and a DNS resolution (“Automatic” or “None (static IP)”).

Name of the object	Name given to the object during its creation. This field can be modified, and to save changes, you need to click on Apply and Save. The icon to the right of the checkbox allows obtaining the object’s IP address, which can be seen in the “IP address” field. To do so, the object’s full URL must be entered.
IPv4 address	IP address of the selected host.
DNS resolution	The DNS (Domain Name System) resolution matches IP addresses with a domain name. Two choices are possible: None (static IP): The selected object has a fixed IP address that will be used systematically. Automatic: If this option is selected, the firewall will submit DNS requests every 5 minutes in order to determine the IP address of the selected object.
MAC Address	Media Access Control address. This address corresponds to the physical address of a network interface or of a network card, allowing the identification of a host on a local network. Example 5E:FF:56:A2:AF:15.
Comments	Description of the selected host.

Network

Select a network in order to view or edit its properties. Each network has a name, IP address and a network mask.

Name of the object	Name given to the object during its creation. This field can be modified, and to save changes, you need to click on Apply and Save.
Comments	Description of the selected network.
IP address	IP address of the selected network. The address is followed by a "/" and the associated network mask.

IP address range

Select an IP address range in order to view or edit its properties.

Name of the object	Name given to the object during its creation. This field can be modified, and to save changes, you need to click on Apply and Save.
Start	First IP address of the range.
End	Last IP address of the range.
Comments	Description of the selected IP address range.

Port – port range

Select a port or port range in order to view or edit its properties.

Name of the object	Name of the service used. This field is grayed out and cannot be modified.
Port	Number of the port associated with the selected service.
Port range	By selecting this option, you will assign a port range to the selected service and enable the two checkboxes below it.
From	If the Port range checkbox has been selected, this field will be enabled. It corresponds to the first port included in the selected port range.
Up to	If the Port range checkbox has been selected, this field will be enabled. It corresponds to the last port included in the selected port range.
TCP/UDP	Select the IP protocol that your service uses: TCP: Transmission Control Protocol. Transport protocol operating in connected mode and made up of three phases: establishment of the connection, data transfer, end of the connection. UDP: User Datagram Protocol. This protocol allows transferring data simply between two entities, each of them having been defined by an IP address and a port number. TCP or UDP: The selected service can use any IP protocol.
Comments	Description of the selected port or port range.

IP protocol

Name of the object	Name of the selected IP protocol. This field is grayed out and cannot be modified.
Protocol number	Number associated with the selected IP protocol and provided by the IANA (Internet Assigned Numbers Authority).
Comments	Description of the selected IP protocol.

Group

In this screen, you will be able to aggregate your objects according to your network topology, for example.

Name of the object	Name given to the object group during its creation. Objects in “read only” mode will be grayed out and cannot be modified.
Comments	Description of the object group.
Edit this group	This button contains a dialog box for adding objects to the group. Two columns will appear: The left column contains the list of all the network objects that you may add to your group. The right column contains the objects that are already in the group. To add an object to the group, you need to move it from one column to the other: Select the item(s) to add. Click on this arrow. The object will move to the right column and become a part of your group (at the top of the list). To remove an object from the group, select it in the right column and click on this arrow. NOTE By clicking on the button “Edit this group”, you will be able to change the name of the group and add comments to it and also search for objects and include new objects in the group.
Objects in this group	The network objects in your group will be shown in a table. To add or modify objects, refer to the previous field.

Port group

This screen will allow you to aggregate your ports by category.

Example

A “mail” group that groups “imap”, “pop3” and “smtp” ports.

Name of the object	Name given to the port group during its creation.
Comments	Description of the port group.
Edit this group	This button contains a dialog box for adding ports to the group. By clicking on it, you will be able to change the name of the group and add comments to it and also search for ports and include new ports in the group. Two columns will appear: The left column contains the list of all the ports that you may add to your group. The right column contains the ports that are already in the group. To add a port to the group, you need to move it from one column to the other: Select the item(s) to add. Click on this arrow. The object will move to the right column and become a part of your group (at the top of the list). To remove an object from the group, select it in the right column and click on this arrow. NOTE By clicking on the button “Edit this group”, you will be able to change the name of the group and add comments to it and also search for objects and include new objects in the group.
Objects in this group	The ports in your group will be shown in a table. To add or modify objects, refer to the previous field.

Router

Router objects can be used:

As the firewall’s default gateway,

For specifying the type of routing in filter rules (PBR: Policy Based Filtering).

Router objects are defined by a name and at least a gateway used. It may contain one or several gateways used and backup gateways. A mechanism that tests the availability of these gateways allows providing a concept of redundancy – if no responses are received from one or several main gateways, one or several backup gateways will then take over.

Select a router to view or edit its properties.

Name of the object	Name given to the router object when it was created.
Comments	Description associated with the router object.

Button bar

Add	Adds a gateway.
Delete	Deletes the selected gateway.
Move to the list of backups/Move to the list of main gateways	Allows switching from one gateway in the main table to the backup table or vice versa.

Apply	Sends the router’s configuration.
Copy	Allows creating by duplicating a new router object that takes on the same characteristics as the edited router.
Cancel	Cancels the router’s configuration.

Tables of gateways used and backup gateways

Both of these tables contain the following columns:

Host (Mandatory)	Clicking on this column will open the objects database to allow selecting a host that makes up the router.
Device(s) for testing availability (Mandatory)	Host or host group to ping in order to determine the connectivity of the gateway. The value selected may be the gateway itself (Test the gateway directly), a host or a group of third-party hosts. The availability test may be disabled for the selected gateway by selecting the value No availability testing. $Description: C:\Documents and Settings\admin\My Documents\My Doc-To-Help Projects\Clipperton v1\Media\info.png$ NOTE If the value No availability testing has been selected for all gateways, the function enabling a switchover to backup gateways will then be disabled.
Weight	Allows assigning a priority between the various gateways for the load balancing mechanism. A gateway with a higher weight will therefore be used more often when balancing traffic load.
(Optional) Comments	Any text.

NOTE

Parameters that define the interval between two availability tests (“frequency”), the maximum waiting time for a response (“wait”) and the number of tests to perform before declaring the gateway uncontactable (“tries”) can only be configured via CLI command:
CONFIG OBJECT ROUTER NEW name=<router name> [tries=<int>] [wait=<seconds>] [frequency=<seconds>] update=1.
The default values suggested are 15 seconds for the “frequency” parameter, 2 seconds for the “wait” parameter and 3 for the "tries" parameter.

Advanced properties

Load balancing	The firewall allows distributed routing between the various gateways used through several methods: No load balancing: only the first gateway defined in the "Used gateways" and "Backup gateways" will be used for routing. By connection: all gateways defined in the "Used gateways" will be used. The load balancing algorithm is based on the source (source IP address, source port) and the destination (destination IP address, destination port) of the traffic. The rate at which the various gateways are used will be related to their respective weights. By source IP address: all gateways defined in the "Used gateways" will be used. An algorithm allows balancing routing based on the source of the routed traffic. The rate at which the various gateways are used will be related to their respective weights.
Enable backup gateways	When all gateways cannot be reached: the backup gateway(s) will only be enabled when all the gateways used cannot be contacted. When at least one gateway cannot be reached: the backup gateway(s) will be enabled as soon as a gateway used cannot be contacted. This option is grayed out when a single gateway is entered in the table of gateways used. When the number of gateways that can be reached is lower than: the backup gateway(s) will be enabled as soon as the number of contactable gateways used falls below the number indicated. This option is grayed out when a single gateway is entered in the table of gateways used.
Enable all backup gateways when unavailable	If this option is selected, all backup gateways will be enabled as soon as the condition for enabling them has been met. If it is not selected, only the first backup gateway listed will be enabled.
If no gateways are available	Select the behavior that the firewall must adopt if all the gateways defined in the router object cannot be contacted: Default route: the routes (static or dynamic) defined in the firewall’s routing table will be applied. Do not route: the firewall will not manage packets passing through.

Region group

In this screen, you will be able to aggregate countries or continents in a single group.

Name of the object	Name given to the group of regions during its creation.
Comments	Description of the region group.
Edit this group	This button contains a dialog box for adding countries or continents to the group. By clicking on it, you will be able to change the name of the group and add comments to it and also search for ports and include new countries or continents in the group. Two columns will appear: The left column contains the list of all the countries or continents that you may add to your group. The right column contains the countries or continents that are already in the group. To add a country or continent to the group, you need to move it from one column to the other: Select the item(s) to add. Click on this arrow. The object will move to the right column and become a part of your group (at the top of the list). To remove an object from the group, select it in the right column and click on this arrow. NOTE By clicking on the button “Edit this group”, you will be able to change the name of the group and add comments to it and also search for objects and include new objects in the group.
Objects in this group	The countries or continents in your group will be shown in a table. To add or modify objects, refer to the previous field.

DNS name (FQDN)

DNS name objects are dynamic objects that represent DNS (FQDN) names that can be resolved on several IP addresses. These objects can either be defined in IPv4 or IPv6 and can only be used as the source or destination of a filter rule. They cannot be included in groups.

Select a DNS name to view or edit its properties.

Name of the object	Name given to the object during its creation. This field can be modified, and to save changes, you need to click on Apply and Save.
IP Address	IP address of the selected object.
Comments	Description of the selected DNS name.

Time object

Name of the object

Name given to the port group during its creation.

Comments

Description of the port group.

Description

This dynamic field will be entered automatically based on the parameters selected for the definition of the time object.

Example:

For an ad hoc event: from <date> at <time> to <date> at <time>

Fixed event

This field allows defining “From” when the event takes place and until when it will continue. A day has to be defined from the calendar presented.

You will also need to define a time by entering the empty “to” field.

Day of the year

By default, this field indicates the date 01: 01. You can click on Add a date range and enter a start date and an end date for your event, by selecting the month and the day.

Day(s) of the week

The days affected by the event are marked with this icon . If you wish to remove a day, click once on it. If you wish to apply an additional day, such as a Saturday, for example, click once on the checkbox “Sat”. It will then be marked by the same icon described above and your event will affect this day.

Time slots

You can define time slots using these buttons:

Add a time slot, to add a time slot and to define the start and end time of your event.

To delete it.

New information regarding the time slot(s) will appear in the field Description.