SonicWALL TZ 190 User Manual

Network > Address Objects
SonicOS Enhanced 4.0 Administrator Guide
SonicOS Enhanced 3.5 redefined the operation of MAC AOs and introduced Fully Qualified Domain Name (FQDN) AOs:
  • MAC – SonicOS Enhanced 3.5 and higher will resolve MAC AOs to an IP address by referring to the ARP cache on the SonicWALL.
  • FQDN – Fully Qualified Domain Names, such as ‘www.reallybadwebsite.com’, will be resolved to their IP address (or IP addresses) using the DNS server configured on the SonicWALL. Wildcard entries are supported through the gleaning of responses to queries sent to the sanctioned DNS servers.
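The resolution behaviour described above, as a toy Python model added here for illustration (it is not SonicOS code; the class names, the sanctioned server address, the glob-style wildcard matching and the sample ARP/DNS data are constructed assumptions). It shows a MAC AO following the ARP cache and a wildcard FQDN AO growing only from answers gleaned from a sanctioned DNS server.

```python
"""Toy model of dynamic Address Object resolution (illustrative, not SonicOS code)."""
from fnmatch import fnmatch

# Constructed: the DNS servers configured on the firewall (the "sanctioned" servers).
SANCTIONED_DNS = {"10.0.0.53"}


class MacAO:
    """MAC AO: resolves to whatever IPs the ARP cache currently maps to the MAC."""

    def __init__(self, mac):
        self.mac = mac.lower()

    def resolve(self, arp_cache):
        # arp_cache is modelled as {ip: mac}
        return {ip for ip, mac in arp_cache.items() if mac.lower() == self.mac}


class FqdnAO:
    """FQDN AO: learns IPs from DNS answers; wildcards match gleaned responses."""

    def __init__(self, pattern):
        self.pattern = pattern.lower()
        self.ips = set()

    def glean(self, server_ip, qname, answers):
        # Answers from a server that is not sanctioned are ignored, so a client
        # using some other resolver cannot influence the object's address set.
        if server_ip not in SANCTIONED_DNS:
            return False
        # Assumption: wildcard entries are matched glob-style against the query name.
        if not fnmatch(qname.lower().rstrip("."), self.pattern):
            return False
        self.ips.update(answers)
        return True

    def resolve(self, _arp_cache=None):
        return set(self.ips)


def rule_matches(ao, ip, arp_cache):
    """An Access Rule referencing the AO matches the AO's current IP set."""
    return ip in ao.resolve(arp_cache)


if __name__ == "__main__":
    bad = FqdnAO("*.reallybadwebsite.com")
    bad.glean("10.0.0.53", "www.reallybadwebsite.com", ["192.0.2.10"])   # accepted
    bad.glean("203.0.113.9", "cdn.reallybadwebsite.com", ["192.0.2.99"])  # ignored
    print(sorted(bad.resolve()))
```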
While more effort is involved in creating an Address Object than in simply entering an IP address, AOs were implemented to complement the management scheme of SonicOS Enhanced, providing the following characteristics:
  • Zone Association – When defined, Host, MAC, and FQDN AOs require an explicit Zone designation. In most areas of the interface (such as Access Rules) this is only used referentially. Its functional applications are the contextually accurate population of Address Object drop-down lists, and the “VPN Access” definitions assigned to Users and Groups; when AOs are used to define VPN Access, the Access Rule auto-creation process refers to the AO’s Zone to determine the correct intersection of VPN → [Zone] for rule placement. In other words, if the “192.168.168.200 Host” Host AO, belonging to the LAN Zone, was added to “VPN Access” for the “Trusted Users” User Group, the auto-created Access Rule would be assigned to the VPN → LAN Zone.
  • Management and Handling – The versatilely typed family of Address Objects can be easily used throughout the SonicOS Enhanced interface, allowing for handles (e.g. from Access Rules) to be quickly defined and managed. The ability to simply add or remove members from Address Object Groups effectively enables modifications of referencing rules and policies without requiring direct manipulation.
  • Reusability – Objects only need to be defined once, and can then be easily referenced as many times as needed.
Key Features of Dynamic Address Objects
The term Dynamic Address Object (DAO) describes the underlying framework enabling MAC and FQDN AOs. By transforming AOs from static to dynamic structures, Firewall > Access Rules can automatically respond to changes in the network.
Note
The initial SonicOS Enhanced 4.0 release will only support Dynamic Address Objects within Access Rules. Future versions of SonicOS Enhanced might introduce DAO support to other subsystems, such as NAT, VPN, etc.