Address Objects
SunScreen identifies network elements--networks, subnetworks, and individual hosts--by mapping a named address object to one or more IP addresses. Address objects are used to define the network elements that make up the policy. These address objects are then used in defining the network interfaces and as the source and destination addresses for Policy rules and for NAT. An address object can represent a single computer or a whole network. You can gather address objects representing individual and network addresses together to form address groups. You may define address objects that specifically include or exclude other address objects (single IP hosts, ranges of contiguous IP addresses, or groups of discontiguous IP addresses). Some addresses are already defined.
Each rule must have a source address and a destination address.
An individual host is identified by linking its unique IP address to an address object, which can use the name or IP address of the host or some other identifier.
Note -
Do not change the admin address (le0, qe0, hme0, and the like), the admin certificate, the local certificate, or the admin-group certificate. If you change these items, you risk losing your connectivity from the Administration Station to the Screen. Reestablishing your connectivity is difficult and requires that you log into the Screen directly or use an Administration Station that is still working. It also requires exchanging encryption information.
To Add a Host Address
-
Click New Host... from the Add New choice list.
The Address dialog window appears.
Figure 3-3 Host Address Dialog Window
-
Type the name for this new address in the Name field, for example:
NewAddr
-
(Optional) Type a description in the Description field.
The description appears in the Address Details field that is displayed when you choose an address or address group for a rule using the Rule Definition dialog window.
-
(Optional) Select a Screen from the Screen choice list.
-
Type the IP address in the IP Address/Host Name field, for example:
100.100.20.10
-
Click the OK button.
To Add a Range of Addresses
An address range is a set of numerically contiguous IP addresses. Networks and subnetworks are typically identified by an IP address range name. You use the beginning and ending addresses to identify an IP address range. You can set up an address object to represent an address range.
-
Select Address in the Type choice list.
-
Click New Range... from the Add New choice list.
The Address dialog window appears.
Figure 3-4 Address Range Dialog Window
-
Type the name for this new address range in the Name field, for example:
AddrRange
-
(Optional) Type a description in the Description field.
The description appears in the Address Details field that is displayed when you choose an address or address group for a rule using the Rule Definition dialog window.
-
(Optional) Select All from the Screen choice list.
-
Type the Starting IP address in the Starting IP Address field, for example:
100.100.20.10
-
Type the Ending IP address in Ending IP Address field, for example:
100.100.20.90
-
Click the OK button.
To Add a Group of Addresses
-
Click New Group... from the Add New choice list.
The Address dialog window appears.
Figure 3-5 Address Group Dialog Window
-
Type the name for this new address group in the Name field, for example:
GroupName
-
(Optional) Type a description in the Description field.
The description appears in the Address Details field that is displayed when you choose an address or address group for a rule using the Rule Definition dialog window.
-
Highlight the address in the Address list.
-
Click the top Add button to move to the Include list, or the bottom Add button to move to the Exclude list.
Use the corresponding Remove button to remove addresses from the lists.
-
Continue to build the intended address group by adding to the Include lists.
-
Click the OK button.
- © 2010, Oracle Corporation and/or its affiliates