Dynamic objects

Dynamic objects enable you to group zones or interfaces from different firewalls in a group into one logical zone or interface, so you can set up rules for that logical entity in a group policy.

Some configuration, such as that related to zones and interfaces, is very firewall-specific. As a Sophos Central admin, you don’t know which zones or interfaces exist on each firewall. So, any rule you create in a group policy may not work on all the firewalls in a group.

To solve this problem, you can create a dynamic zone or a dynamic interface. These enable you to specify, for each firewall, which zone or interface to use. Then you can use the dynamic zone or dynamic interface when you create a rule, knowing that the rule will work as desired on each firewall.

Dynamic zones

To create a dynamic zone, do as follows:

  1. Go to Firewall management > Dynamic Objects.
  2. Click Zones.
  3. Click Add Dynamic Zone.
  4. Enter the dynamic zone details.
    • Zone Type:
      • LAN: This is the default, which is used most often when creating dynamic objects. Depending on the device in use and network design, you can group from one to six physical ports in this zone. Group multiple interfaces with different network subnets to manage them as a single entity. Group all the LAN networks under this zone.
        Note By default, the traffic to and from this zone is blocked, so it is the most secure zone. However, traffic between ports belonging to the same zone and traffic between LAN and Local zone services, for example Administration, Authentication and Network, will be allowed.
      • DMZ: This zone is normally used for publicly accessible servers. Depending on the device in use and network design, you can group from one to five physical ports in this zone.

      The choice of Zone Type determines which options are listed in the Zones available box (see below).

  5. Enter the device zone mappings for all firewalls.
    • Firewalls: The firewall whose zone is to be mapped to the dynamic zone. The mapping for Default (Any firewall) is applied to any firewall you do not specify a mapping for, for example a firewall added later. However, the mapping must be a zone that exists on each firewall.
    • Zones available: The firewall zone to be mapped.
  6. Click Save.

The dynamic zone is added to the dynamic objects table and can now be used in all other configurations where a zone can be configured, for example in Rules and policies. To see where a dynamic zone is used, click Usage References to show the group, policy, and part of the policy that use the dynamic zone.

To edit or delete a dynamic zone, click its name in the dynamic objects table.

Dynamic interfaces

To create a dynamic interface, do as follows:

  1. Go to Firewall management > Dynamic Objects.
  2. Click Interfaces.
  3. Click Add Dynamic Interface.
  4. Enter the dynamic interface details.
    • IP Address Family: The address family that corresponds to that used by the interfaces on the firewalls. The choice of IP Address Family determines which options are listed in the Interfaces available box (see below).
    • Interface Type: The choice of Interface Type determines which options are listed in the Interfaces available box (see below).
  5. Enter the device interface mappings for all firewalls.
    • Firewalls: The firewall whose interface is to be mapped to the dynamic interface. The mapping for Default (Any firewall) is applied to any firewall you do not specify a mapping for, for example a firewall added later. However, the mapping must be an interface that exists on each firewall.
    • Interfaces available: The firewall interface to be mapped.
  6. Click Save.

The dynamic interface is added to the dynamic objects table and can now be used in all other configurations where an interface can be configured, for example in Rules and policies. To see where a dynamic interface is used, click Usage References to show the group, policy, and part of the policy that use the dynamic interface.

To edit or delete a dynamic interface, click its name in the dynamic objects table.