Introduction to Objects

An object is a container of information that you can use in one or more security policies. Objects make it easy to maintain policy consistency. You can create a single object, use it in different policies, modify the object, and that change is propagated to every policy that uses the object. Without objects, you would need to modify each policy that requires the same change individually.

When you onboard a device, Security Cloud Control recognizes all the objects used by that device, saves them, and lists them on the Objects page. From the Objects page, you can edit existing objects and create new ones to use in your security policies.

Security Cloud Control calls an object used on multiple devices a shared object and identifies such objects on the Objects page with a shared-object badge.

Sometimes a shared object develops some "issue" and is no longer perfectly shared across multiple policies or devices:

  • Duplicate objects are two or more objects on the same device with different names but the same values. These objects usually serve similar purposes and are used by different policies. Duplicate objects are marked with a duplicate-object issue icon.

  • Inconsistent objects are objects on two or more devices with the same name but different values. Sometimes users create objects in different configurations with the same name and content, but over time the values of these objects diverge, which creates the inconsistency. Inconsistent objects are marked with an inconsistent-object issue icon.

  • Unused objects are objects that exist in a device configuration but are not referenced by another object, an access-list, or a NAT rule. Unused objects are marked with an unused-object issue icon.
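The three issue categories above are simple set comparisons over the object inventory, which makes them easy to reproduce offline. The following is an added example, not Security Cloud Control code: it assumes a per-device dictionary of object names to value tuples plus the list of names each device's rules and other objects reference (a constructed layout), and reports duplicates, inconsistencies, and unused objects the way the text defines them.

```python
"""Detect duplicate, inconsistent and unused objects across device
configurations.  Added example, not Security Cloud Control code; the
dictionary layout is an assumption and the device data is constructed."""
from collections import defaultdict

# Constructed sample inventory: object name -> tuple of values per device,
# plus the object names referenced by that device's rules and other objects.
DEVICES = {
    "fw-east": {
        "objects": {
            "WEB_SERVERS": ("10.1.1.10", "10.1.1.11"),
            "WEB_FARM": ("10.1.1.10", "10.1.1.11"),   # same values as WEB_SERVERS
            "DNS_SERVER": ("10.1.1.53",),
            "OLD_PROXY": ("10.1.1.80",),              # referenced by nothing
        },
        "references": ["WEB_SERVERS", "DNS_SERVER"],
    },
    "fw-west": {
        "objects": {
            "WEB_SERVERS": ("10.1.1.10", "10.1.1.11"),
            "DNS_SERVER": ("10.2.1.53",),             # differs from fw-east
        },
        "references": ["WEB_SERVERS", "DNS_SERVER"],
    },
}


def find_duplicates(objects):
    """Same device, different names, same set of values -> duplicate group."""
    by_value = defaultdict(list)
    for name, values in objects.items():
        by_value[frozenset(values)].append(name)
    return [sorted(names) for names in by_value.values() if len(names) > 1]


def find_inconsistent(devices):
    """Same name on two or more devices, but the values differ."""
    values_by_name = defaultdict(dict)
    for dev, cfg in devices.items():
        for name, values in cfg["objects"].items():
            values_by_name[name][dev] = frozenset(values)
    return {name: per_dev for name, per_dev in values_by_name.items()
            if len(per_dev) > 1 and len(set(per_dev.values())) > 1}


def find_unused(cfg):
    """Objects on a device that no rule or other object references."""
    referenced = set(cfg["references"])
    return sorted(name for name in cfg["objects"] if name not in referenced)


def object_report(devices):
    """Combine the three checks into one report keyed by issue type."""
    return {
        "duplicates": {d: find_duplicates(c["objects"]) for d, c in devices.items()},
        "inconsistent": find_inconsistent(devices),
        "unused": {d: find_unused(c) for d, c in devices.items()},
    }


if __name__ == "__main__":
    import json
    # default=sorted turns the frozenset values into JSON lists
    print(json.dumps(object_report(DEVICES), indent=2, default=sorted))
```

Note that a duplicate object is also unused if nothing references it (WEB_FARM above shows up in both lists), which is why the page suggests consolidating duplicates and then deleting whatever is left unreferenced.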

You can also create objects for immediate use in rules or policies. You can create an object that is unassociated with any rule or policy. When you use that unassociated object in a rule or policy, Security Cloud Control creates a copy of it and uses the copy.

You can view the objects managed by Security Cloud Control by navigating to the Objects menu or by viewing them in the details of a network policy.

Security Cloud Control allows you to manage network and service objects across supported devices from one location. With Security Cloud Control, you can manage objects in these ways:

  • Search for and filter all your objects based on a variety of criteria.

  • Find duplicate, unused, and inconsistent objects on your devices and consolidate, delete, or resolve those object issues.

  • Find unassociated objects and delete them if they are unused.

  • Discover shared objects that are common across devices.

  • Evaluate the impact of changes to an object on a set of policies and devices before committing the change.

  • Compare a set of objects and their relationships with different policies and devices.

  • Capture objects in use by a device after it has been on-boarded to Security Cloud Control.

If you have issues with creating, editing, or reading objects from an onboarded device, see Troubleshoot Security Cloud Control for more information.

Manage Security Policies in Security Cloud Control

Security policies examine network traffic with the ultimate goal of allowing the traffic to its intended destination or dropping it if a security threat is identified. You can use Security Cloud Control to configure security policies on many different types of devices.

Meraki Access Control Policy

Meraki MX devices may have been managed by the Meraki dashboard before you onboard to Security Cloud Control and the device may already have some outbound rules. These rules will appear as access control rules in Security Cloud Control. You can modify these rules and create additional rules within the access control policy. To customize your access control policy, create and attach objects. See the related articles at the bottom for more information.


Note: The action of the Meraki access control policy is Allow by default. You cannot change the action.


Use this procedure to edit a Meraki access control policy using Security Cloud Control:

Procedure


Step 1

In the left pane, click Manage > Security Devices.

Step 2

Click the Templates tab.

Step 3

Click the Meraki tab and select the Meraki MX device template whose access control policy you want to edit.

Step 4

In the Management pane at the right, select Policy.

Step 5

Do any of the following:

  • To create a new rule, click the blue plus button.

  • To edit an existing rule, select the rule and click the edit button in the Actions pane. (Simple edits may also be performed inline without entering edit mode.)

  • To delete a rule you no longer need, select the rule and click the remove button in the Actions pane.

  • To move a rule within the policy, select the rule in the access control table and click the up or down arrow at the end of the rule row to move the rule.

Step 6

In the Order field, select the position for the rule within the policy. Network traffic is evaluated against the list of rules in numerical order, 1 to "last."

Rules are applied on a first-match basis, so make sure that rules with highly specific traffic-matching criteria appear above rules with more general criteria that would otherwise match the same traffic first.

The default is to add the rule to the end of the list. If you want to change a rule's location later, edit this option.

Step 7

Enter the rule name. You can use alphanumeric characters, spaces, and these special characters: + . _ -

Note: The Name of the access control rule is used as the name of the rule in Security Cloud Control while the Remark field is treated as the name of the rule in the Meraki dashboard. The two fields are not dependent on each other.

Step 8

Select the action to apply if the network traffic is matched by the rule:

  • Block: Drop the traffic unconditionally. The traffic is not inspected.

  • Allow: Allow the traffic, subject to the intrusion and other inspection settings in the policy.

Note: You can only set or modify the rule action. You cannot change the default policy action from Security Cloud Control.

Step 9

Define the traffic matching criteria by using any combination of attributes in the following tabs:

  • Source: Click the Source tab and add or remove networks (which include networks and continents) or ports from which the network traffic originates. The default value is "Any."

  • Destination: Click the Destination tab and add or remove networks (which include networks and continents) or ports on which the traffic arrives. The default value is "Any."

Note: The source and destination networks must be within one of the configured VLAN subnets or, if a VLAN subnet is not manually configured, the default VPN subnet. Deploying a rule that includes an invalid source or destination network will fail.

Step 10

Click Save.

Step 11

Review and deploy the changes you made now, or wait and deploy multiple changes at once.
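Two of the steps above are worth checking before you click Save: the first-match ordering in Step 6 (a specific rule placed below a more general one never fires) and the note under Step 9 (a rule whose networks fall outside the configured VLAN subnets fails to deploy). The following is an added example, not Security Cloud Control code or the Meraki rule format: it assumes a small `Rule` record with an `order`, an action and CIDR source/destination fields where "Any" is written as `0.0.0.0/0` (all assumptions, with a constructed policy), evaluates the policy first-match, flags shadowed rules, and flags networks outside a constructed VLAN list.

```python
"""First-match evaluation of an ordered rule list, a shadowing check for
rules that can never fire, and a pre-deployment check that rule networks
sit inside the configured VLAN subnets.  Added example, not Security Cloud
Control or Meraki code; the Rule layout, the 0.0.0.0/0 spelling of "Any"
and the policy/VLAN data are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"  # assumed encoding of the "Any" default


@dataclass(frozen=True)
class Rule:
    order: int
    name: str
    action: str        # "Allow" or "Block"
    src: str = ANY
    dst: str = ANY


def matches(rule, src_ip, dst_ip):
    """True when both endpoints fall inside the rule's networks."""
    return (ip_address(src_ip) in ip_network(rule.src)
            and ip_address(dst_ip) in ip_network(rule.dst))


def first_match(rules, src_ip, dst_ip, default_action="Allow"):
    """Evaluate rules in numerical order, 1 to last; first hit wins,
    otherwise the policy's default action applies."""
    for rule in sorted(rules, key=lambda r: r.order):
        if matches(rule, src_ip, dst_ip):
            return rule.name, rule.action
    return "default", default_action


def shadowed_rules(rules):
    """(later, earlier) pairs where the earlier rule's src and dst networks
    fully contain the later rule's, so the later rule can never match."""
    ordered = sorted(rules, key=lambda r: r.order)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))):
                found.append((later.name, earlier.name))
                break
    return found


def outside_vlans(rules, vlan_subnets):
    """(rule, network) pairs whose src or dst is not inside any configured
    VLAN subnet.  'Any' is left alone, an assumption of this example."""
    vlans = [ip_network(v) for v in vlan_subnets]
    bad = []
    for rule in rules:
        for field in (rule.src, rule.dst):
            net = ip_network(field)
            if net.prefixlen == 0:
                continue
            if not any(net.subnet_of(v) for v in vlans):
                bad.append((rule.name, field))
    return bad


# Constructed policy showing the ordering mistake Step 6 warns about:
# the specific block rule sits below a general allow that covers it.
POLICY = [
    Rule(1, "allow-lan-out", "Allow", src="192.168.10.0/24"),
    Rule(2, "block-guest-to-mgmt", "Block", src="192.168.10.0/25", dst="10.0.0.0/24"),
    Rule(3, "block-everything-else", "Block"),
]

# Same rules with the specific block moved to the top, as Step 6 advises.
FIXED_POLICY = [
    Rule(1, "block-guest-to-mgmt", "Block", src="192.168.10.0/25", dst="10.0.0.0/24"),
    Rule(2, "allow-lan-out", "Allow", src="192.168.10.0/24"),
    Rule(3, "block-everything-else", "Block"),
]

VLAN_SUBNETS = ["192.168.10.0/24"]  # constructed; 10.0.0.0/24 is not a VLAN here

if __name__ == "__main__":
    print(first_match(POLICY, "192.168.10.5", "10.0.0.10"))
    print(shadowed_rules(POLICY))
    print(first_match(FIXED_POLICY, "192.168.10.5", "10.0.0.10"))
    print(outside_vlans(FIXED_POLICY, VLAN_SUBNETS))
```

Run against `POLICY`, the shadowing check reports that `block-guest-to-mgmt` is covered by `allow-lan-out`, and the first-match evaluation confirms the guest-to-management traffic is allowed rather than blocked; `FIXED_POLICY` corrects that. The VLAN check then still flags the `10.0.0.0/24` destination, which is the kind of rule the Step 9 note says will fail to deploy until that subnet is configured.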


What to do next

Related Articles:

Meraki Templates

The Meraki template is a network configuration that is shared by multiple sites/networks. Individual site networks can be bound to a template network, so changes to a single template will trickle down to all bound networks; in Security Cloud Control, bound networks are displayed as bound devices. This is ideal if you want one policy across multiple networks in different locations. To configure more than one network to a single template, see Managing Multiple Networks with Configuration Templates. See Meraki Templates Best Practices for more information on what a Meraki template is, how you can plan on using templates in your network, and how to set up your template network.

Meraki templates work in the same way as the Meraki devices do, where you must first configure the template through the Meraki dashboard prior to onboarding to Security Cloud Control. When you onboard a template to Security Cloud Control, any existing rules or groups of IPs are read into Security Cloud Control and translated into objects. Once synced, the Device Details pane on the Security Devices page displays the template name as well as how many networks, displayed as bound devices, are associated with it. This means you can also manage and modify/deploy the policies that are associated with the template and the bound networks from Security Cloud Control. See Onboard Meraki Templates to Firewall in Security Cloud Control for more information.