What is a Network Object? Like Rule Objects, a Network Object is a vital tool in the creation of Firewall Rules on Sonar. They serve as the Source and Destination of a rule: where traffic comes from and where it goes. They are located in Sonar under Network -> Objects in the "Network Objects" tab.
When looking in Network Objects and clicking "Add New", this will bring up a new window in which you can enter in the specific details for that particular Network Object.
- Name - Fairly self-explanatory. What you want to name your network object. It's generally best to follow a particular naming scheme to keep things in order. For example, if you're adding a mail server, enter "SVR-Mail" as the name.
- Type - By default, "Host" is selected. You can choose from other options depending on the IP address or addresses you want to enter. See below for a more detailed explanation.
- Real IP - This is where you place the IP of the network object. For Example, if your server's IP is 192.168.1.3, place that IP into the field.
- Outbound NAT Properties - Set when you want Network Address Translation applied to traffic leaving from this object (the object is the Source of the rule). See below for a more detailed explanation.
- Inbound NAT Properties - Set when you want Network Address Translation applied to traffic arriving at this object (the object is the Destination of the rule). See below for a more detailed explanation.
WHICH NETWORK OBJECT SHOULD I USE?
As mentioned above, there are several "Types" to choose from when creating a Network Object. They are "Host", "Net", "Range" and "Any". In 99% of circumstances, you will never have to touch the "Any" option, as Sonar comes with a default "Any" Network Object.
- Host - This option is available to you if you want to create a network object that will only represent a single IP. Use this when creating objects for individual servers or single devices.
- Net - This option is available to you if you want to create a network object that represents a whole subnet. For example, your entire network subnet of 10.0.0.0/8. You would place the network address "10.0.0.0" in the Real IP field and "8" in the Mask field (without quotations).
- Range - This is available to you if you want to create a network object that represents a contiguous range of IPs that is neither a single host nor a whole subnet. For example: 192.168.1.2 to 192.168.2.10. You would place the start IP and end IP into the appropriate fields when selecting Range as your Type. Note that a range like this one crosses a subnet boundary and therefore also covers the addresses in between (192.168.1.255 and 192.168.2.0 included).
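The following script is an added example, not code from Sonar or its documentation: it models the four object types described above and checks which objects contain a given address, which is the question you are really answering when you pick an object as a rule's Source or Destination. The class, field and function names are assumptions; the sample objects are the ones used in the text.

```python
"""Model of the Sonar Network Object types (Host, Net, Range, Any) and an
address-membership check.  Added example, not Sonar's own code; the class,
field and function names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class NetworkObject:
    name: str
    type: str                   # "Host", "Net", "Range" or "Any"
    real_ip: str = ""           # Host: the address. Net: the network address. Range: first address
    mask: Optional[int] = None  # Net only: prefix length, e.g. 8 for 10.0.0.0/8
    end_ip: str = ""            # Range only: last address (inclusive)

    def _network(self) -> ipaddress.IPv4Network:
        # strict=True rejects a Real IP with host bits set (e.g. 192.168.1.3 with mask 24),
        # which is almost always a typo in the object rather than what was meant
        return ipaddress.ip_network(f"{self.real_ip}/{self.mask}", strict=True)

    def contains(self, ip: str) -> bool:
        """True if the address falls inside this object."""
        addr = ipaddress.ip_address(ip)
        if self.type == "Any":
            return True
        if self.type == "Host":
            return addr == ipaddress.ip_address(self.real_ip)
        if self.type == "Net":
            return addr in self._network()
        if self.type == "Range":
            start = ipaddress.ip_address(self.real_ip)
            end = ipaddress.ip_address(self.end_ip)
            if end < start:
                raise ValueError(f"{self.name}: range end {end} precedes start {start}")
            return start <= addr <= end
        raise ValueError(f"{self.name}: unknown object type {self.type!r}")

    def size(self) -> Optional[int]:
        """Number of addresses the object covers; None for Any (unbounded)."""
        if self.type == "Host":
            return 1
        if self.type == "Net":
            return self._network().num_addresses
        if self.type == "Range":
            return int(ipaddress.ip_address(self.end_ip)) - int(ipaddress.ip_address(self.real_ip)) + 1
        return None


def matching_objects(objects: List[NetworkObject], ip: str) -> List[str]:
    """Names of every object that contains ip: shows overlaps before a rule is written."""
    return sorted(o.name for o in objects if o.contains(ip))


# Constructed sample objects, mirroring the examples in the text
OBJECTS = [
    NetworkObject("SVR-Mail", "Host", "192.168.1.3"),
    NetworkObject("LAN", "Net", "10.0.0.0", mask=8),
    NetworkObject("Pool", "Range", "192.168.1.2", end_ip="192.168.2.10"),
    NetworkObject("Any", "Any"),
]

if __name__ == "__main__":
    for obj in OBJECTS:
        print(f"{obj.name:9} type={obj.type:5} size={obj.size()}")
    print("192.168.1.3 is in:", matching_objects(OBJECTS, "192.168.1.3"))
```

Running it shows that the mail server's address is matched by three objects at once (its own Host object, the Range and the default Any), so a rule written against the Range or Any silently covers the server too; the Range's size of 265 addresses also makes the boundary-crossing point above concrete.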
WHICH NAT PROPERTY SHOULD I USE?
The NAT Property you use depends on the direction of the traffic in the Rule you want to create. When the object is the Source of outgoing traffic, you set an Outbound NAT property; when the object is the Destination of incoming traffic, you set an Inbound NAT property.
Outbound NAT Properties:
- None - When you do not require an outbound NAT property to be set on a particular Object. Used for Internal Firewall Rules, where traffic never leaves the network and no translation is needed.
- PAT - (Port Address Translation) - PAT is automatic translation out to the internet: the object's traffic is sent from a shared public address (normally the firewall's WAN address) and individual sessions are kept apart by source port. Use it when you do not care which public IP the traffic is seen as. This is the more commonly used option.
- SNAT - (Source Network Address Translation) - SNAT is used when you want to specify a particular public address that traffic from the object is seen as on the internet. A great example is Mail Servers. A Mail Server must be seen out on the internet as the same IP as its MX Record, because receiving mail servers check the sending address against the reverse DNS and SPF records published for the domain. For this, we use a SNAT to ensure that the Mail Server uses the correct Public IP when sending to the internet rather than the shared PAT address.
Inbound NAT Properties:
- None - When you do not require an Inbound NAT property to be set. This is the default for most objects, since most objects do not accept connections from the internet.
- DNAT - (Destination Network Address Translation) - Similar to SNAT in some ways, except you're specifying the Public Address on which outside traffic arrives, to be port forwarded to your internal server. Forward only the ports the server actually needs, and pair the DNAT with a Firewall Rule whose Source is as narrow as possible rather than the default "Any" object, as every forwarded port is directly reachable from the internet.
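To make the difference between the three properties concrete, here is an added simulation (not Sonar's code) that applies PAT, SNAT and DNAT to packets and tracks the resulting sessions. It shows why the mail server case above needs SNAT rather than PAT, that a DNAT only exposes the ports you list, and that a reply with no matching session is dropped. The class names, the public addresses (203.0.113.10 as the WAN address, 203.0.113.25 as the mail server's published IP) and the PAT port pool are assumptions; 192.168.1.3 is the SVR-Mail address from the text.

```python
"""Simulation of what the three Sonar NAT properties (PAT, SNAT, DNAT) do to
packet addresses, and why a mail server needs SNAT rather than PAT.  Added
example, not Sonar's code; the class names, the public addresses and the port
pool are assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Keeps (public ip, public port) -> (internal ip, internal port) so replies map back."""

    def __init__(self, wan_ip: str, first_pat_port: int = 40000):
        self.wan_ip = wan_ip
        self._pat_ports = itertools.count(first_pat_port)   # assumed PAT port pool
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound_pat(self, pkt: Packet) -> Packet:
        """PAT: all hosts share the WAN address; a fresh source port tells sessions apart."""
        port = next(self._pat_ports)
        self.sessions[(self.wan_ip, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=port)

    def outbound_snat(self, pkt: Packet, public_ip: str) -> Packet:
        """SNAT: the source address is pinned to a chosen public IP; the source port is kept."""
        self.sessions[(public_ip, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=public_ip)

    def inbound_dnat(self, pkt: Packet, public_ip: str, internal_ip: str,
                     ports: Dict[int, int]) -> Optional[Packet]:
        """DNAT: forward only the listed public ports to the internal server; drop the rest."""
        if pkt.dst_ip != public_ip or pkt.dst_port not in ports:
            return None
        internal_port = ports[pkt.dst_port]
        self.sessions[(public_ip, pkt.dst_port)] = (internal_ip, internal_port)
        return replace(pkt, dst_ip=internal_ip, dst_port=internal_port)

    def reply_from_outside(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving at a translated (ip, port) back to the internal host, or drop it."""
        target = self.sessions.get((pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None        # no session and no DNAT: unsolicited traffic is dropped
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


def demo() -> Dict[str, Optional[Packet]]:
    wan_ip = "203.0.113.10"      # assumed firewall WAN address (the PAT address)
    mx_ip = "203.0.113.25"       # assumed public IP published for SVR-Mail
    mail = "192.168.1.3"         # SVR-Mail's Real IP from the text
    nat = NatTable(wan_ip)

    # Two workstations: PAT gives both the WAN address, distinguished only by port
    pat_a = nat.outbound_pat(Packet("192.168.1.50", 51000, "198.51.100.7", 443))
    pat_b = nat.outbound_pat(Packet("192.168.1.51", 51000, "198.51.100.7", 443))

    # The mail server delivering mail under PAT leaves as the WAN address ...
    mail_pat = nat.outbound_pat(Packet(mail, 52000, "198.51.100.9", 25))
    # ... under SNAT it leaves as the published address that remote mail servers check
    mail_snat = nat.outbound_snat(Packet(mail, 52001, "198.51.100.9", 25), mx_ip)

    # Inbound: DNAT exposes port 25 only; a probe to 3389 on the same public IP is dropped
    smtp_in = nat.inbound_dnat(Packet("198.51.100.9", 40123, mx_ip, 25), mx_ip, mail, {25: 25})
    rdp_in = nat.inbound_dnat(Packet("198.51.100.9", 40124, mx_ip, 3389), mx_ip, mail, {25: 25})

    # A reply to workstation A's session maps back; a stray packet to an unused port does not
    reply_a = nat.reply_from_outside(Packet("198.51.100.7", 443, wan_ip, pat_a.src_port))
    stray = nat.reply_from_outside(Packet("198.51.100.7", 443, wan_ip, 40999))

    return {"pat_a": pat_a, "pat_b": pat_b, "mail_pat": mail_pat, "mail_snat": mail_snat,
            "smtp_in": smtp_in, "rdp_in": rdp_in, "reply_a": reply_a, "stray": stray}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10} {pkt}")
```

The `mail_pat` versus `mail_snat` lines are the point of the mail server example: with only PAT the server's outgoing mail carries the firewall's shared address, which will not match the reverse DNS or SPF records published for the MX address.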