
[ScreenOS] Features and constraints of Address Book entries

  [KB25843]


Summary:

This article provides information about the features and constraints of Address Book entries in ScreenOS.

Solution:

ScreenOS classifies the addresses of all other devices by location and net mask/wildcard mask. Each zone possesses its own list of addresses and address groups. IPv4 subnets have an IP address and a net mask/wildcard mask (for example, 255.255.255.0 or 255.0.255.0) and are displayed as multiple computer icons in the IP address list. IPv6 subnets have an IP address and a prefix length (for example, /64) and are likewise displayed as multiple computer icons in the IP address list.
 

Features and constraints of Address List:

  • Name: Indicates the name of the IP address.

  • IP/Domain Name: Indicates the IP address or domain name of the network device.

  • Zone: If you are viewing all zones, this field indicates the zone to which the address belongs.

  • Comment: You can add a comment for the address book entry. This field is optional.

  • Configure: Click Edit to modify the IP address entry or Remove to delete it.

Note: You cannot remove an IP address if it is being used by a policy; you must first remove the IP address from the policy.



Configuring the Address List:

Via the WebUI:

Go to Policy > Policy Elements > Addresses > List.

Via the CLI:

set address <zone name> <Address List name> <IP address/Domain Name> <Address Comment String>

For example, to configure an address book entry named test in the Trust zone with the comment MY LAN:

set address "Trust" "test" 3.3.3.3/24 "MY LAN"

As you add addresses to the address book, it becomes difficult to manage how policies affect each address entry. To facilitate management tasks, you can create groups of addresses. Rather than manage a large number of address book entries, you can manage a small number of groups. Changes that are made to the group are applicable to each address entry in the group.



Features and constraints of Address Group:
  • You can create address groups in any zone.

  • You can create address groups from existing address book entries, or create empty address groups and then add entries to them.

  • An address group entry can be used like an individual address book entry.

  • The security device applies access policies to each member of the group by internally creating individual policies for each group member. Although you create only one access policy for a group, ScreenOS actually creates an internal policy for each member of the group (and for each service configured in that policy).

  • When an individual address book entry is deleted from the address book, it is also removed from all groups in which it was referenced.

  • Address groups can contain only addresses that belong to the same zone.

  • Address names cannot be the same as group names. If Paris is used for an individual address entry, it cannot be used for a group name.

  • If an address group is referenced in an access policy, the group cannot be removed. However, it can be edited.

  • When a single access policy is assigned to an address group, it is individually applied to each group member, and the security device makes an entry for each member in the access control list (ACL). If you are not vigilant, it is possible to exceed the number of available access policy resources, especially if both the source and destination are address groups.

  • You cannot add the Any, All Virtual IPs, and Dial-Up VPN pre-defined addresses to groups.
 

To configure an Address Group:

Via the WebUI:

Go to Policy > Policy Elements > Addresses > Groups.

Via the CLI:

set group address <zone name> <Address Group name> add <Address List name>



To modify and remove Address Book Entries:

Remember that the address name must be unique. When an address is defined and referenced by a policy, you can change the address name but not its zone (for example, from Trust to Untrust). To change its zone, you must first modify the underlying policy. You cannot remove an IP address if it is being used by a policy; you must first remove the IP address from the policy.

For example, consider the test address book entry, which is added to the LAN address book group:

set address "Trust" "test" 3.3.3.3/24
set group address "Trust" "LAN" add "test"

The zone of the address book entry can still be edited. When the zone is changed, the test entry will be automatically removed from the LAN address group. You can do this by using the following commands:

unset address "Trust" "test"
set address "Untrust" "test" 3.3.3.3/24

But when the LAN group is used in any of the configured policies, you cannot change the zone of the address book entry, nor remove the address book entry or the address group. You can still add entries to the group or remove entries from it, even though the group is being used in a policy.
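The address group constraints listed above and the modification rules in this section can be checked before touching a device. The following is an added example, not ScreenOS code or part of the original article: a hypothetical in-memory model of one address book that enforces the name, zone, deletion and zone-change rules described here and counts the internal policies ScreenOS would build for a source group x destination group policy.

```python
from dataclasses import dataclass, field

@dataclass
class AddressBook:  # hypothetical in-memory model of one device's address book
    addrs: dict = field(default_factory=dict)     # address name -> zone
    groups: dict = field(default_factory=dict)    # group name -> [zone, set(member names)]
    policies: list = field(default_factory=list)  # (src name, dst name, service count)

    def add_address(self, name, zone):
        if name in self.groups:            # address and group names share one namespace
            raise ValueError(f"{name!r} is already a group name")
        self.addrs[name] = zone

    def add_group(self, name, zone):
        if name in self.addrs:
            raise ValueError(f"{name!r} is already an address name")
        self.groups[name] = [zone, set()]

    def add_member(self, group, addr):
        zone, members = self.groups[group]
        if self.addrs[addr] != zone:       # members must belong to the group's zone
            raise ValueError(f"{addr!r} is not in zone {zone!r}")
        members.add(addr)

    def _locked(self, name, global_exempt=False):
        # Locked when a policy references the entry, or a group it belongs to
        # (Global groups do not lock their members' zone, per the KB).
        used = {n for s, d, _ in self.policies for n in (s, d)}
        return name in used or any(
            name in m and g in used and not (global_exempt and z == "Global")
            for g, (z, m) in self.groups.items())

    def remove_address(self, name):
        if self._locked(name):
            raise ValueError(f"{name!r} is in use by a policy; edit the policy first")
        del self.addrs[name]
        for _, members in self.groups.values():   # deletion also drops it from every group
            members.discard(name)

    def change_zone(self, name, new_zone):
        if self._locked(name, global_exempt=True):
            raise ValueError(f"{name!r} is in use by a policy; edit the policy first")
        for zone, members in self.groups.values():
            if zone != "Global":                  # entry silently leaves its old-zone groups
                members.discard(name)
        self.addrs[name] = new_zone

    def internal_policies(self):
        m = lambda n: self.groups[n][1] if n in self.groups else {n}
        return sum(len(m(s)) * len(m(d)) * k for s, d, k in self.policies)  # src x dst x services
```

Compare internal_policies() against the limit reported by get sys-cfg before committing a group-to-group policy.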

So, to edit the zone for a particular entry, it has to be removed from the group:



If an address book entry is created in the Global zone, it must be added to an address group before it can be used in a policy, because manually configured Global-zone address book entries cannot be selected directly in a policy.

If a Global address group is created and selected in a policy, the zone of its address book entries can still be edited, unlike for other zones. This means that the zone of a Global address book entry can be changed even if the address group is in use in a policy.

The main purpose of the Global zone and Global address book entries is to address global entities, such as MIP and VIP. So even if you manage to add a valid IPv4 or IPv6 address to the Global zone, that Global address book entry cannot be selected at the policy level. When configuring Global group entries, you will not be allowed to mix MIP/VIP entries and normal IPv4/IPv6 addresses in the same group.

Note: If these Global address book entries are added to a Global group, you will be able to select the entire Global group in a policy under any valid zone. However, if the Global group does not contain a valid global entity, the policy will not match the desired traffic.

Additionally, when configuring the policy, a Global address book entry or group can be selected under any zone. Do not create a Global group that consists of Global address book entries for IPs other than MIP and VIP.

To view the number of used and remaining address book entries:

Via the CLI:

get address
get sys-cfg | i address

The second command shows the maximum number of address entries that can be configured.

Via the WebUI:

Go to Policy > Policy Elements > Addresses > Summary.

Modification History:
2019-05-30: Minor, non-technical update.