SonicOSX 7 Match Objects

Dynamic Group

Dynamic Groups are comprised of Dynamic External Address Groups (DEAG) and Dynamic External Address Objects (DEAO). A Dynamic External Address Group is an Address Group whose members are dynamic. Dynamic External Address Objects are intermediate, internal objects that are dynamically created and placed under a Dynamic External Address Group when a Dynamic External Address Group file is downloaded. The Dynamic External Objects feature eliminates the need for manually modifying an Address Group to add or remove members.

Popup tooltips appear when you move your mouse over many of the fields in a DEAG entry. Multiple Dynamic External Address Groups can be configured and you can use these DEAGs in access rules or policies. For example, if you want to maintain a group for all partner IP addresses on which certain access rules are enforced, you can create a Dynamic External Address Group / Dynamic External Object.

The creation of a Dynamic External Object consists of two parts:

  • Creation of the Dynamic External Address Group file on an FTP server or on a web page at a specific URL
  • Configuration of the Dynamic External Address Group on the Object > Dynamic Group page in SonicOS including downloading and using the information in the DEAG file.

About the Dynamic External Address Group File

The Dynamic External Address Group file (DEAG file) contains a list of IP addresses or Fully Qualified Domain Names (FQDNs) that define the DEAOs which are members of the DEAG. The DEAG file resides externally, on a server for FTP access or on a web page at a specific URL for HTTPS access. The list of IP addresses or FQDNs can be modified at the external location and the associated DEAOs and DEAG in SonicOS are dynamically updated with those changes, if configured to periodically download the file.

The DEAG file can contain a text list of either IP addresses or FQDNs formatted as follows:

  • A list of IP addresses, one per line. It can include subnets specified in CIDR format.
  • A list of FQDNs, one per line. An FQDN is a character string such as www.example.com. It cannot contain any wildcard (*) characters.
  • A mixed list of FQDNs and IP addresses/subnets, one per line. This is only supported for FQDN type DEAGs. A non-FQDN type DEAG will not accept FQDNs in the DEAG file.

    However, it is not recommended to mix and match IP addresses and FQDNs in the DEAG file, because the IP addresses in this list will also be treated as FQDNs and SonicOS will attempt to resolve them. A better way to mix these input types is to create individual DEAGs of FQDN type and non-FQDN type and then add both DEAGs to a separate address group for use in access rules.
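A validator for a DEAG file that applies the rules listed above before the file is published, written as an added example here (it is not SonicWall code and only approximates the firewall's own parsing); the sample file, the `fqdn_type` flag and the function names are assumptions.

```python
import ipaddress
import re

# RFC 1123-style hostname label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample DEAG file (not from the documentation): two FQDNs, a bare IP, a wildcard.
SAMPLE_DEAG_FILE = """\
www.example.com
partner.example.net
203.0.113.7
*.example.org
"""

def classify_entry(line):
    """Return 'blank', 'ip', 'cidr', 'fqdn' or 'invalid' for one line of a DEAG file."""
    s = line.strip()
    if not s:
        return "blank"
    if "*" in s:                              # wildcards are not allowed in FQDN entries
        return "invalid"
    try:
        ipaddress.ip_network(s, strict=False)  # accepts a bare address or a CIDR subnet
        return "cidr" if "/" in s else "ip"
    except ValueError:
        pass
    labels = s.rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(l) for l in labels) and not labels[-1].isdigit():
        return "fqdn"
    return "invalid"

def validate_deag_file(text, fqdn_type):
    """Check a DEAG file against the documented rules; fqdn_type says whether the DEAG is FQDN type."""
    counts, seen, errors, warnings = {"ip": 0, "cidr": 0, "fqdn": 0}, set(), [], []
    for n, raw in enumerate(text.splitlines(), 1):
        kind, entry = classify_entry(raw), raw.strip().lower()
        if kind == "blank":
            continue
        if kind == "invalid":
            errors.append(f"line {n}: {entry!r} is neither an IP/CIDR nor a valid FQDN")
        elif kind == "fqdn" and not fqdn_type:
            errors.append(f"line {n}: FQDN {entry!r} is not accepted by a non-FQDN DEAG")
        else:
            if entry in seen:                 # the firewall creates one DEAO per unique entry
                warnings.append(f"line {n}: duplicate entry {entry!r}")
            seen.add(entry)
            counts[kind] += 1
    if fqdn_type and counts["fqdn"] and (counts["ip"] or counts["cidr"]):
        warnings.append("mixed FQDNs and IPs: IP entries will be treated as FQDNs and resolved; use separate DEAGs")
    return {"counts": counts, "unique": len(seen), "errors": errors, "warnings": warnings}
```

Run `validate_deag_file(SAMPLE_DEAG_FILE, fqdn_type=True)` to see the wildcard entry rejected and the mixed-content warning raised; with `fqdn_type=False` the two FQDN lines become errors instead.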

For every DEAG, a DEAO with the IP address 0.0.0.0 is automatically created. For example, if there is only one DEAG, the maximum number of IP addresses in the DEAG file is one less than the maximum number of DEAOs allowed, as defined in DEAG and DEAO Maximums.

DEAG and DEAO Maximums

Maximum DEAGs:

  • The maximum number of DEAGs, including both IP address and FQDN types, is 25% of the total number of address groups supported by the device.
  • The maximum number of DEAGs that can be created cannot exceed the number of address groups remaining before exceeding the total number supported on the firewall.

    For example, if a device supports 1024 Address Groups and you are using only 20 Address Groups, then 256 DEAGs (25% of 1024) can be created. However, if you have already manually created 1000 Address Groups, then only 24 DEAGs can be created.

Maximum DEAOs:

  • The maximum number of IP address type DEAOs is 25% of the total number of address objects supported by the device.
  • The maximum number of FQDN type DEAOs is 50% of the total number of address objects supported by the device.
  • The maximum number of DEAOs that can be created cannot exceed the number of address objects remaining before exceeding the total number supported on the firewall.
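A capacity check that encodes the DEAG and DEAO limits above, useful before sizing a DEAG file; this is an added example rather than SonicWall code, the function names are assumptions, and the address-object totals used in the main block are assumed values (only the 1024-group figures come from the documentation).

```python
def max_deags(total_address_groups, address_groups_in_use):
    """DEAG limit: 25% of supported address groups, but never more than the groups still free."""
    by_ratio = total_address_groups // 4
    remaining = total_address_groups - address_groups_in_use
    return max(0, min(by_ratio, remaining))

def max_deaos(total_address_objects, address_objects_in_use, fqdn_type):
    """DEAO limit: 50% of supported address objects for FQDN type, 25% for IP type, capped by free objects."""
    by_ratio = total_address_objects // 2 if fqdn_type else total_address_objects // 4
    remaining = total_address_objects - address_objects_in_use
    return max(0, min(by_ratio, remaining))

def max_file_entries_single_deag(total_address_objects, address_objects_in_use, fqdn_type):
    """With one DEAG, one DEAO is taken by the automatic 0.0.0.0 member, so the file may hold one less."""
    return max(0, max_deaos(total_address_objects, address_objects_in_use, fqdn_type) - 1)

if __name__ == "__main__":
    # Figures from the documentation's own example: 1024 groups supported, 20 or 1000 already in use.
    print(max_deags(1024, 20), max_deags(1024, 1000))          # 256 24
    # Assumed device figures (not from the documentation): 2048 address objects supported, 100 in use.
    print(max_deaos(2048, 100, fqdn_type=False), max_deaos(2048, 100, fqdn_type=True))   # 512 1024
    print(max_file_entries_single_deag(2048, 100, fqdn_type=False))                       # 511
```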

High Availability Requirements

When deployed as a High Availability pair, both the active and standby firewalls must have a connection to the server or URL to download the file that contains the list of IP addresses or FQDNs. This requires configuring the monitoring IP address on the standby unit.

Adding a Dynamic External Object

To add a Dynamic External Object

  1. Navigate to the Objects > Match Objects > Dynamic Group page.
  2. Click the Add button. The Add Dynamic External Object dialog displays.

  3. Enter a unique, descriptive name for the dynamic external address group in the Name field. “DEAG_” is automatically prepended to the name when saved.

  4. The Type field is set to Address Group, with no other options.
  5. In the Zone Assignment drop-down list, select the zone for the Dynamic External Address Group.

  6. Select the Enable Periodic Download option for ongoing, periodic downloads of the Dynamic Address Group File.

  7. If Enable Periodic Download is enabled, select the number of minutes or hours between downloads in the Download interval field. You can select one of:

    • 5 minutes
    • 15 minutes
    • 1 hour
    • 24 hours
  8. Select the type of protocol to use for downloading the DEAG file from the Protocol drop-down list. The choices are FTP or HTTPS. The remaining fields in the dialog are different for FTP and HTTPS.

  9. If you selected FTP as the protocol, specify the following:

    • Server IP Address – the IP address of the FTP server where the DEAG file resides

      Refer to About the Dynamic External Address Group File for information about the DEAG file.

    • Login ID – the user name for logging into the FTP server

    • Password – the password for logging into the FTP server

    • Directory Path – the folder in which the DEAG file resides on the FTP server

    • File Name – the name of the DEAG file on the FTP server

  10. If you selected HTTPS as the protocol, specify the following:

    • URL Name – the URL which has the list of IP addresses or FQDNs

      The URL Name should start with https:// followed by the page name. This page contains the list of IP addresses or FQDNs.

  11. Click Save.

Based on the configuration, the firewall reads the list of IP addresses or FQDNs from the file or URL. Then SonicOS automatically creates the following:

  • Address group with the name provided in the Add Dynamic External Object dialog. This address group is read-only, meaning that you cannot edit or delete it.
  • Address objects for every valid unique IP address or FQDN in the file. These address objects are also read-only.

The individual address objects are then added to the Dynamic External Address Group / Dynamic External Object. You can use this in access rules and policies.

Editing Dynamic External Objects

Mouse over the Dynamic External Object that you want to edit and click the Edit icon. The configuration settings are the same as in the Add Dynamic External Object dialog.

You cannot change the Name of the DEAG or the Zone Assignment when editing the Dynamic External Object.

Deleting Dynamic External Objects

To delete Dynamic External Objects

  1. Navigate to the Objects > Match Objects > Dynamic Group page.
  2. Do one of the following:

    • Mouse over the Dynamic External Object that you want to delete and click the Delete icon.
    • Select the checkbox for one or more objects to be deleted and click Delete at the top of the page.

If a Dynamic External Address Group is in use, such as when an access rule is using it, the deletion attempt will fail.
