Network Definitions

The Definitions & Users > Network Definitions > Network Definitions tab is the central place for defining hosts, networks, and network groups on Sophos UTM. The definitions created here can be used on many other WebAdmin configuration menus.

Opening the tab, by default, all network definitions are displayed. Using the drop-down list on top of the list, you can choose to display network definitions with certain properties.

Tip – When you click on the Info icon of a network definition in the Network Definitions list, you can see all configuration options in which the network definition is used.

The network table also contains static networks, which were automatically created by the system and which can neither be edited nor deleted:

• Internal (Address): A definition of this type will be added for each network interface. It contains the current IPInternet Protocol address of the interface. Its name consists of the interface name with "(Address)" appended to it.
• Internal (Broadcast): A definition of this type will be added for each Ethernet-type network interface. It contains the current IPv4 broadcast address of the interface. Its name consists of the interface name with "(Broadcast)" appended to it.
• Internal (Network): A definition of this type will be added for each Ethernet-type network interface. It contains the current IPv4 network of the interface. Its name consists of the interface name with "(Network)" appended to it.
• Any (IPv4/IPv6): A network definition (for IPv4 and IPv6 each, if IPv6 is enabled) bound to the interface which serves as default gateway. Making use of it in your configuration should make the configuration process easier. With uplink balancing enabled, the definition Internet is bound to Uplink Interfaces.

Note – IPv6 entries are only visible if it is activated in Interfaces & Routing > IPv6.

Note – User network objects authenticated via client authentication will always be shown as unresolved due to performance reasons.

To create a network definition, proceed as follows:

1. On the Network Definitions tab, click New Network Definition.

   The Add Network Definition dialog box opens.

2. Make the following settings:

   (Note that further parameters of the network definition will be displayed depending on the selected definition type.)

   Name: Enter a descriptive name for this definition.

   Type: Select the network definition type. The following types are available:

   • Host: A single IP address. Provide the following information:

     • IPv4 address/IPv6 address: The IP address of the host (note that you cannot enter the IP address of a configured interface).

     • DHCP Settings (optional): In this section you can create static mappings between hosts and IP address. For that purpose, you need a configured DHCPDynamic Host Configuration Protocol server (see Network Services > DHCP > Servers).

       Note – To avoid an IP address clash between regularly assigned addresses from the DHCP pool and those statically mapped make sure that the latter are not in the scope of the DHCP pool. For example, a static mapping of 192.168.0.200 could result in two systems receiving the same IP address if the DHCP pool is 192.168.0.100 – 192.168.0.210.

       IPv4 DHCP: Select the IPv4 DHCP server to be used for static mapping.

       MAC addresses: Enter the MACMedia Access Control addresses of the hosts' network interface cards. The MAC addresses are usually specified in a format consisting of six groups of two hexadecimal digits, separated by colons or hyphens (e.g., 00:04:76:16:EA:62).

       Note – The MAC address range 00:1a:8c:f0.xx.xx is used by HA/Cluster. You cannot use this range for other purpose as MAC addresses within this range will be overwritten by the system.

       IPv6 DHCP: Select the IPv6 DHCP server to be used for static mapping.

       DHCP unique IDs: Enter the DUIDs of the hosts. With e.g. Windows operating systems, the DUID can be found in the Windows Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters

       Please note that you have to enter the groups of two hexadecimal digits separated by colons (e.g., 00:01:00:01:13:30:65:56:00:50:56:b2:07:51).

     • DNS Settings (optional): If you do not want to set up your own DNSDomain Name Service server but need static DNS mappings for a few hosts of your network, you can enter these mappings in this section of the respective hosts. Note that this only scales for a limited number of hosts and is by no means intended as a replacement of a fully operable DNS server.

       Hostname: Enter the fully qualified domain name (FQDN) of the host.

       Reverse DNS: Select the checkbox to enable the mapping of the host's IP address to its name. Note that although several names can map to the same IP address, one IP address can only ever map to one name.

       Additional Hostnames: Click the Plus icon to add additional hostnames for the host.

   • DNS host: A DNSDomain Name Service hostname, dynamically resolved by the system to produce an IP address. DNS hosts are useful when working with dynamic IP endpoints. The system will re-resolve these definitions periodically according to the TTL (Time To Live) values and update the definition with the new IP address (if any). Provide the following information:

     • Hostname: The hostname you want to resolve.
   • DNS group: Similar to DNS host, but can cope with multiple RRs (Resource Records) in DNS for a single hostname. It is useful for defining firewall rules and exceptions in transparent proxies.

   • Network: A standard IP network, consisting of a network address and a netmask. Provide the following information:

     • IPv4 address/IPv6 address: The network address of the network (note that you cannot enter the IP address of a configured interface).
     • Netmask: The bit mask used to tell how many bits in an octet(s) identify the subnetwork, and how many bits provide room for host addresses.

   • Range: Select to define a whole IPv4 address range. Provide the following information:

     • IPv4 from: First IPv4 address of the range.
     • IPv4 to: Last IPv4 address of the range.
     • IPv6 from: First IPv6 address of the range.
     • IPv6 to: Last IPv6 address of the range.

     Network range objects cannot be used with every network configuration throughout WebAdmin. For more information on network range objects, see section Where Network Range Objects Can Be Used.

   • Multicast group: A network that comprises a defined multicast network range.

     • IPv4 address: The network address of the multicast network, which must be in the range 224.0.0.0 to 239.255.255.255.
     • Netmask: The bit mask used to tell how many bits in an octet(s) identify the subnetwork, and how many bits provide room for host addresses.
   • Network group: A container that includes a list of other network definitions. You can use them to bundle networks and hosts for better readability of your configuration. Once you have selected Network group, the Members box appears where you can add the group members.
   • Availability group: A group of hosts and/or DNS hosts sorted by priority. Alive status of all hosts is checked with ICMP pings at an interval of 60 seconds, by default. The host with the highest priority and an alive status is used in configuration. Once you have selected Availability group, the Members box appears where you can add the group members.

   Comment (optional): Add a description or other information.

3. Optionally, make the following advanced settings:

   The options displayed depend on the selected Type above.

   Interface (optional): You can bind the network definition to a certain interface, so that connections to the definition will only be established via this interface.

   Caution – Be careful with binding network definitions to particular interfaces, as this might lead to conflicts with other configurations. Data packets sent through these particular interfaces could get lost and this would be hard to detect.

   Monitoring type (only with type Availability group): Select the service protocol for the alive status checks. Select either TCP (TCPTransmission Control Protocol connection establishment), UDP (UDPUser Datagram Protocol connection establishment), Ping (ICMPInternet Control Message Protocol Ping), HTTP host (HTTPHypertext Transfer Protocol requests), or HTTPS hosts (HTTPSHypertext Transfer Protocol Secure requests) for monitoring. When using UDP a ping request will be sent initially which, if successful, is followed by a UDP packet with a payload of 0. If ping does not succeed or the ICMP port is unreachable, the host is regarded as down.

   Port (only with monitoring type TCP or UDP): Number of the port the request will be sent to.

   URL (optional, only with monitoring types HTTP host or HTTPS host): URL to be requested. You can use other ports than the default ports 80 or 443 by adding the port information to the URL, e.g., http://example.domain:8080/index.html. If no URL is entered, the root directory will be requested.

   Interval: Enter a time interval in seconds at which the hosts are checked.

   Timeout: Enter a maximum time span in seconds for the hosts to send a response. If a host does not respond during this time, it will be regarded as dead.

   Always resolved: This option is selected by default, so that if all hosts are unavailable, the group will resolve to the host which was last available. Otherwise the group will be set to unresolved if all hosts are dead.

4. Click Save.

   The new definition appears on the network definition list.

To either edit or delete a network definition, click the corresponding buttons.

Where Network Range Objects Can Be Used

Network range objects can be used in the following configurations:

• Management > System Settings > Shell Access, section Allowed Networks
• Management > WebAdmin Settings > General, section WebAdmin Access Configuration, Allowed Networks box
• Management > SNMP > Query, section SNMP Access Control, Allowed Networks box
• Interfaces & Routing > Quality of Service (QoS) > Traffic Selectors, section Add Traffic Selector, Source and Destination field
• Network Services > DNS > Global, section Allowed Networks
• Network Services > NTP, section NTP Options, Allowed Networks box
• Network Protection > Firewall > Rules, section Add Rule, Source and Destination box
• Network Protection > Firewall > Country Blocking Exceptions, section Add Exception List, Host/Networks box
• Network Protection > NAT > Masquerading, section Add Masquerading Rule, Network field
• Network Protection > NAT > NAT, section Add NAT Rule, For Traffic from and Going to field
• Network Protection > Advanced > SOCKS Proxy, section SOCKS Proxy Options, Allowed Networks box
• Web Protection > Filtering Options > Misc, section Transparent Mode Skiplist, Skip Transparent Mode Source Hosts/Nets and Skip Transparent Mode Destination Hosts/Nets box
• Web Protection > FTP > Global, section FTP Settings, Allowed Networks box
• Email Protection > SMTP > Relaying, section Host-Based Relay, Allowed Hosts/Networks box
• Email Protection > SMTP > Advanced, section Transparent Mode, Skip Transparent Mode Hosts/Nets box
• Wireless Protection > Hotspots > Advanced, section Walled Garden, Allowed Hosts/Networks box