1. Click Filter By Device.

2. Search all the devices or click a device tab to search for only devices of a certain kind.

3. Check the device you want to include in your filter criteria.

4. Click OK.

• Default Values: Filters objects having only the default values.

• Override Values: Filters objects having overridden values.

• Additional Values: Filters objects having additional values.

• Select eq and then enter a single IP address, a subnet address using CIDR notation, or a Partially Qualified Domain Name (PQDN).

• Select range and then enter a range of IP addresses. Enter the range with the beginning and ending address in the range separated by a space. For example, 10.1.1.1 10.1.1.255 or 2001:DB8:1::1 2001:DB8:1::3

• Click Add as New Object With This Name to create a new object with that name. Enter a value and click the check mark to save it.

• Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the check mark to save it.

• Click Add Value to create an inline value without using an object. Enter a value and click the check mark to save it.

It is possible to create a new object even though the value is already present. You can make changes to those objects and save them.

1. Click the edit icon appearing beside the object name or network group to modify them.

2. Click the checkmark to save your changes.

1. In the Values field, enter a new value or the name of an existing network object. When you start typing, Security Cloud Control provides object names or values that match your entry. You can choose one of the existing objects shown or create a new one based on the name or value that you have entered.

2. If Security Cloud Control finds a match, to choose an existing object, click Add to add the network object, or network group to the new network group.

3. If you have entered a value or object that is not present, you can perform one of the following:

   • Click Add as New Object With This Name to create a new object with that name. Enter a value and click the checkmark to save it.

   • Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the checkmark to save it.

   • Click Add Value to create an inline value without using an object. Enter a value and click the checkmark to save it.

It is possible to create a new object even though the value is already present. You can make changes to those objects and save them.

• The Devices field shows the devices that the shared network group is present.

• The Usage field shows the rulesets associated with the shared network group.

• The Default Values field specifies the default network objects and their values associated with the shared network group that was provided during their creation. Next to this field, you can see the number of devices that contain this default value, and you can click to see their names and device types. You can also see the rulesets associated with this value.

• Click Add as New Object With This Name to create a new object with that name. Enter a value and click the checkmark to save it.

• Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the checkmark to save it.

• Click Add Value to create an inline value without using an object. Enter a value and click the checkmark to save it.

It is possible to create a new object even though the value is already present. You can make changes to those objects and save them.

• Click the edit icon to modify the value.

• Click the cell in the Devices column to assign new devices. You can select an already assigned device and click Remove Overrides to remove overrides on that device.

• Click arrow in Default Values to push and make it an additional value of the shared network group. All devices associated with the shared network group are automatically assigned to it.

• Click arrow in Override Values to push and make it as default objects of the shared network group.

• Click the delete icon next to remove the object from the network group.

• Select eq and enter a single IP address, a subnet address expressed in CIDR notation, or a Partially Qualified Domain Name (PQDN).

• Select range and enter an IP address range.

Attention: The newly created network objects aren't associated with any FDM-managed device as they aren't part of any rule or policy. To see these objects, select the Unassociated objects category in object filters. For more information, see Object Filters. Once you use the unassociated objects in a device's rule or policy, such objects are associated with that device.

• Click Add as New Object With This Name to create a new object with that name. Enter a value and click the checkmark to save it.

• Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the checkmark to save it.

It is possible to create a new object even though the value is already present. You can make changes to those objects and save them.

Note: You can click the edit icon to modify the details. Clicking the delete button doesn't delete the object itself; instead, it removes it from the network group.

1. Click the edit icon appearing beside the object name or network group to modify them.

2. Click the checkmark to save your changes. Note: You can click the remove icon to delete the value from a network group.

1. In the Values field, enter a new value or the name of an existing network object. When you start typing, Security Cloud Control provides object names or values that match your entry. You can choose one of the existing objects shown or create a new one based on the name or value that you have entered.

2. If Security Cloud Control finds a match, to choose an existing object, click Add to add the network object or network group to the new network group.

3. If you have entered a value or object that is not present, you can perform one of the following:

   • Click Add as New Object With This Name to create a new object with that name. Enter a value and click the checkmark to save it.

   • Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the checkmark to save it.

It's is possible to create a new object even though the value is already present. You can make changes to those objects and save them.

• Click the edit icon to modify the value.

• Click on the cell in the Devices column in Override Values to assign new devices. You can select an already assigned device and click Remove Overrides to remove overrides on that device.

• Click arrow in Override Values to push and make it as the default value of the shared object.

• Click the delete icon next to the override you want to remove.

• The Devices field shows the devices the shared network group is present.

• The Usage field shows the rulesets associated with the shared network group.

• The Default Values field specifies the default network objects and their values associated with the shared network group that was provided during their creation. Next to this field, you can see the number of devices that contain this default value, and you can click to see their names and device types. You can also see the rulesets associated with this value.

• Click Add as New Object With This Name to create a new object with that name. Enter a value and click the checkmark to save it.

• Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the checkmark to save it.

It is possible to create a new object even though the value is already present. You can make changes to those objects and save them.

• Click the edit icon to modify the value.

• Click the cell in the Devices column to assign new devices. You can select an already assigned device and click Remove Overrides to remove overrides on that device.

• Click arrow in Default Values to push and make it an additional value of the shared network group. All devices associated with the shared network group are automatically assigned to it.

• Click arrow in Override Values to push and make it as default objects of the shared network group.

• Click the delete icon next to remove the object from the network group.

The initial list shows applications in a continually scrolling list. Click Advanced Filter to see the filter options and to get an easier view for selecting applications. Click Add when you have made your selections. You can repeat the process to add additional applications or filters.

Risks: The likelihood that the application is used for purposes that might be against your organization's security policy, from very low to very high.

Business Relevance: The likelihood that the application is used within the context of your organization's business operations, as opposed to recreationally, from very low to very high.

Types: The type of application.

• Application Protocol: Application protocols such as HTTP and SSH, which represent communications between hosts.

• Client Protocol: Clients such as web browsers and email clients, which represent software running on the host.

• Web Application: Web applications such as MPEG video and Facebook, which represent the content or requested URL for HTTP traffic.

Categories: A general classification for the application that describes its most essential function.

Tags: Additional information about the application, similar to category.

For encrypted traffic, the system can identify and filter traffic using only the applications tagged SSL Protocol. Applications without this tag can only be detected in unencrypted or decrypted traffic. Also, the system assigns the decrypted traffic tag to applications that the system can detect in decrypted traffic only, not encrypted or unencrypted.

Applications List (bottom of the display): This list updates as you select filters from the options above the list, so you can see the applications that currently match the filter. Use this list to verify that your filter is targeting the desired applications when you intend to add filter criteria to the rule. To add a specific application or applications to your object, select them from the filtered list. Once you select the applications, the filter will no longer apply. If you want the filter itself to be the object, do not select an application from the list. Then the object will represent every application identified by the filter.

• Create the certificate object in the Objects page:

  1. In the left pane, click Manage > Objects.

  2. Click > FTD > Certificate.

• Click Create New Object when adding a new certificate object to a policy.

The certificate must adhere to these guidelines:

• The name of the server in the certificate must match the server Hostname / IP Address. For example, if you use 10.10.10.250 as the IP address but ad.example.com in the certificate, the connection fails.

• The certificate must be an X509 certificate in PEM or DER format.

• The certificate you paste must include the BEGIN CERTIFICATE and END CERTIFICATE lines. For example:

  -----BEGIN CERTIFICATE-----
  MIIFgTCCA2mgAwIBAgIJANvdcLnabFGYMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
  BAYTAlVTMQswCQYDVQQIDAJUWDEPMA0GA1UEBwwGYXVzdGluMRQwEgYDVQQKDAsx
  OTIuMTY4LjEuMTEUMBIGA1UEAwwLMTkyLjE2OC4xLjEwHhcNMTYxMDI3MjIzNDE3
  WhcNMTcxMDI3MjIzNDE3WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVFgxDzAN
  BgNVBAcMBmF1c3RpbjEUMBIGA1UECgwLMTkyLjE2OC4xLjExFDASBgNVBAMMCzE5
  Mi4xNjguMS4xMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5NceYwtP
  ES6Ve+S9z7WLKGX5JlF58AvH82GPkOQdrixn3FZeWLQapTpJZt/vgtAI2FZIK31h
  (...20 lines removed...)
  hbr6HOgKlOwXbRvOdksTzTEzVUqbgxt5Lwupg3b2ebQhWJz4BZvMsZX9etveEXDh
  PY184V3yeSeYjbSCF5rP71fObG9Iu6+u4EfHp/NQv9s9dN5PMffXKieqpuN20Ojv
  2b1sfOydf4GMUKLBUMkhQnip6+3W
  -----END CERTIFICATE-----

• Create the certificate object in the Objects page:

  1. In the left pane, click Manage > Objects.

  2. Click > FTD > Certificate.

• Click Create New Object when adding a new certificate object to a policy.

• Country (C)— Select the country code from the drop-down list.

• State or Province (ST)— The state or province to include in the certificate.

• Locality or City (L)— The locality to include in the certificate, such as the name of the city.

• Organization (O)— The organization or company name to include in the certificate.

• Organizational Unit (Department) (OU)— The name of the organization unit (for example, a department name) to include in the certificate.

• Common Name (CN)— The X.500 common name to include in the certificate. This could be the name of the device, web site, or another text string. This element is usually required for successful connections. For example, you must include a CN in the internal certificate used for remote access VPN.

• Click , and select FTD > IKEv1 IPsec Proposal to create the new object.

• On the object page, select the IPsec proposal you want to edit and click Edit in the Actions pane at the right.

• Tunnel mode encapsulates the entire IP packet. The IPSec header is added between the original IP header and a new IP header. This is the default. Use tunnel mode when the firewall is protecting traffic to and from hosts positioned behind the firewall. Tunnel mode is the normal way regular IPSec is implemented between two firewalls (or other security gateways) that are connected over an untrusted network, such as the Internet.

• Transport mode encapsulates only the upper-layer protocols of an IP packet. The IPSec header is inserted between the IP header and the upper-layer protocol header (such as TCP). Transport mode requires that both the source and destination hosts support IPSec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet. Transport mode is generally used only when protecting a Layer 2 or Layer 3 tunneling protocol such as GRE, L2TP, and DLSW.

• Click and select FTD > IKEv2 IPsec Proposal to create the new object.

• In the object page, select the IPsec proposal you want to edit and click Edit in the Actions pane at the right.

• Encryption—The Encapsulating Security Protocol (ESP) encryption algorithm for this proposal. Select all the algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest algorithm until a match is agreed upon. For an explanation of the options, see Deciding Which Encryption Algorithm to Use.

• Integrity Hash—The hash or integrity algorithm to use for authentication. Select all the algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest algorithm until a match is agreed upon. For an explanation of the options, see Deciding Which Hash Algorithms to Use.

• Click and select FTD > IKEv1 Policy to create a new IKEv1 policy.

• In the object page, select the IKEv1 policy you want to edit and click Edit in the Actions pane at the right.

• Priority—The relative priority of the IKE policy, from 1 to 65,535. The priority determines the order of the IKE policy compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your highest priority policy, it tries to use the parameters defined in the next lowest priority. The lower the number, the higher the priority.

• Encryption—The encryption algorithm used to establish the Phase 1 security association (SA) for protecting Phase 2 negotiations. For an explanation of the options, see Deciding Which Encryption Algorithm to Use.

• Diffie-Hellman Group—The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. For an explanation of the options, see Deciding Which Diffie-Hellman Modulus Group to Use.

• Lifetime—The lifetime of the security association (SA), in seconds, from 120 to 2147483647 or blank. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes. The default is 86400. To specify an unlimited lifetime, enter no value (leave the field blank).

• Authentication—The method of authentication to use between the two peers. For more information, see Deciding Which Authentication Method to Use.

  • Preshared Key—Use the preshared key that is defined on each device. These keys allow for a secret key to be shared between two peers and to be used by IKE during the authentication phase. If the peer is not configured with the same preshared key, the IKE SA cannot be established.

  • Certificate—Use the device identity certificates for the peers to identify each other. You must obtain these certificates by enrolling each peer in a Certificate Authority. You must also upload the trusted CA root and intermediate CA certificates used to sign the identity certificates in each peer. The peers can be enrolled in the same or a different CA. You cannot use self-signed certificates for either peer.

• Hash—The hash algorithm for creating a message digest, which is used to ensure message integrity. For an explanation of the options, see Encryption and Hash Algorithms Used in VPN.

• Click and select FTD > IKEv2 Policy to create a new IKEv2 policy.

• In the object page, select the IKEv2 policy you want to edit and click Edit in the Actions pane at the right.

• Priority—The relative priority of the IKE policy, from 1 to 65,535. The priority determines the order of the IKE policy compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your highest priority policy, it tries to use the parameters defined in the next lowest priority. The lower the number, the higher the priority.

• State—Whether the IKE policy is enabled or disabled. Click the toggle to change the state. Only enabled policies are used during IKE negotiations.

• Encryption—The encryption algorithm used to establish the Phase 1 security association (SA) for protecting Phase 2 negotiations. Select all algorithms that you want to allow, although you cannot include both mixed-mode (AES-GCM) and normal mode options in the same policy. (Normal mode requires that you select an integrity hash, whereas mixed-mode prohibits a separate integrity hash selection.) The system negotiates with the peer, starting from the strongest to the weakest algorithm until a match is agreed upon. For an explanation of the options, see Deciding Which Encryption Algorithm to Use.

• Diffie-Hellman Group—The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Select all the algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest group until a match is agreed upon. For an explanation of the options, see Deciding Which Diffie-Hellman Modulus Group to Use.

• Integrity Hash—The integrity portion of the hash algorithm for creating a message digest, which is used to ensure message integrity. Select all the algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest algorithm until a match is agreed upon. The integrity hash is not used with the AES-GCM encryption options. For an explanation of the options, see Encryption and Hash Algorithms Used in VPN.

• Pseudo-Random Function (PRF) Hash—The pseudo-random function (PRF) portion of the hash algorithm, which is used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption. In IKEv1, the Integrity and PRF algorithms are not separated, but in IKEv2, you can specify different algorithms for these elements. Select all the algorithms that you want to allow. The system negotiates with the peer, starting from the strongest to the weakest algorithm until a match is agreed upon. For an explanation of the options, see Encryption and Hash Algorithms Used in VPN.

• Lifetime—The lifetime of the security association (SA), in seconds, from 120 to 2147483647 or blank. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes. The default is 86400. To specify an unlimited lifetime, enter no value (leave the field blank).

• If you know the name of the object, you can search for it in the Objects page:

  • Filter the list by security zone.

  • Enter the name of the object in the search field.

  • Select the object.

• If you know the object is associated with a device, you can search for it starting on the Security Devices page.

  • In the left pane, click Security Devices.

  • Click the Devices tab.

  • Click the apporpriate tab.

  • Use the device filter and search bar to locate your device.

  • Select the device.

  • In the Management pane at the right, click Objects.

  • Use the object filter and search bar to locate the object you are looking for.