Network Objects Configuration Guide

Overview
Network Objects is one of the supported categories of Policy Objects. In the future, we will introduce additional categories such as Application, Ports and etc.

Network Objects provide easier management of firewall rules. They serve as labels to IP Subnets and FQDN that can be used on access policies such as
firewall rules. If there are needs to modify multiple access policies that use the same IP Subnets or FQDN, you only need to modify the Network Object to have it
reflect on all policies.

For additional highlights of the feature, please see Network Objects Highlights.

Learn more with these free online training courses on the Meraki Learning Hub:

• Implementing Firewall Rules on a Security Appliance

Sign in with your Cisco SSO or create a free account to start training.

Use Case
Network Objects are ideal for networks that have large and complex firewall rules. This feature simplifies management of firewall rules and allows rules to be
easily identified.

Feature
Network Objects can be centrally managed through Organization > Configure > Policy objects. It is an organization-wide feature shared with all networks
within the organization.

Network Objects can contain:

• IP Address
• IP Subnet (CIDR)
• FQDN and Wildcard FQDN

Network Groups can contain one of the below combinations. Network Groups cannot contain a mix of IP/CIDR and FQDN Network Objects.

• One or more IP/CIDR Network Objects OR

• One or more FQDN Network Objects.

Network Objects/Groups can be applied in the below firewall rules:

• Individual and Template Networks: Layer 3 Inbound, Layer 3 Outbound, and Failover Cellular Firewall Rules
• Organization-wide Site to Site VPN Outbound Firewall Rules

1
 Note:

• Network Objects/Groups cannot be applied to Group Policies.

• FQDN, Wildcard FQDN, and Network Groups with FQDN objects can only be applied to Layer 3 Outbound
Firewall Rules. They cannot be applied to Failover Cellular Firewall Rules or Site-to-Site VPN Outbound
Firewall Rules.
• Layer 3 inbound rules cannot be manually configured unless the NAT Exceptions (AKA No NAT) early
access feature is enabled.

Administration
Network Objects is an Organization-wide feature. The below details the different Network Objects access for an Organization and Network Administrator.

Organization Administrator Network Administrator

Create Network Objects/Groups Yes No

Convert Existing IP, CIDR and FQDNs to

Yes No
Network Objects

Access Network Objects Management Page

Yes No
(Organization > Configure > Policy objects)

View Network Objects via API Yes Yes

Apply Network Objects to Firewall Rules Yes Yes

Configuration

Managing Network Objects

Network Objects can be centrally managed in Organization > Configure > Policy objects.

Creating Network Objects

Network Object is a label that contains either an IP Address (192.168.1.1/32), IP Subnet (192.168.1.0/24), FQDN (www.example.com) or Wildcard
FQDN (*.example.com).

Note: If a Network Object is created to contain a root domain (example.com), Wildcard FQDN (*.example.com) is automatically assumed.

1. To create a new Network Object, navigate to Organization > Configure > Policy Objects > All objects > Add
New

2
 2. After successfully creating Network Objects, the Network Objects All Objects tab management page should look
like the below.

Creating Network Groups

Network Group is a group that contains one or more Network Objects.

1. To create a Network Group, navigate to Organization > Configure > Policy Objects > Groups > Add new. In
the pop up menu, you will be able to type in values (IP Address, IP Subnet, FQDN or Wildcard FQDN) in the
Contains field to contain in the group. For each value, you must click on the auto-suggested options (new value
or existing objects) to enter the entry in the Contains field.

3
 2. For any new IP Addresses or FQDN entered, the next screen will require you to create a Network Object for the
respective entry.

3. After successfully creating the Network Group, the Network Objects Groups tab management page should look
like the below.

Modifying Network Objects/Groups

For each Network Object/Group, you have the ability to create a new copy of the existing object/group, edit and delete. To perform a specific action, please
select the appropriate icon shown below.

4
 Note: If a Network Object/Group is modified, the new changes will reflect on all firewall rules, where the respective Network Object/Group is
referenced.

Applying Network Objects

Network Objects/Groups can be applied to

• Individual and Template Networks: Layer 3 Inbound, Layer 3 Outbound, and Failover Cellular Firewall Rules.
• Organization-wide Site-to-Site VPN Outbound Firewall Rules

Create a New Firewall Rule

1. To create a new firewall rule, navigate to Security & SD-WAN > Configure > Firewall > Add new. Type the
appropriate Network Group/Object name in the Source and Destination fields. Auto-suggestion will show existing
Network Objects/Groups for you to choose from.

2. If additional rules need to be added, repeat the above process. After all rules are added and click on Finish
editing and Save.

5
Creating Network Objects/Groups within Firewall Rules
As a shortcut, Network Objects/Groups can also be created when clicking on the Source and Destination fields in the respective rule. Once a value is typed in
the Source or Destination field, click on the appropriate auto-suggested option.

You will then have the ability to convert the value into a Network Object and contain it in a Network Group.

Please note that if you click on an existing Network Object, the option to contain it in a Network Group will present as well.

Modify Existing Rule

To modify an existing rule, click on

under the Actions column for the respective rule. The actions that you can choose to perform are below.

6
In addition, you have the ability to move a rule higher or lower in the firewall rules table by clicking and dragging on

for the respective rule.

Removing Network Object from Existing Rule

To remove a Network Object from an existing rule, click

for the respective rule and click Edit. This will enter you into edit mode for the rule. Click on the Network Object you wish to remove and hit Backspace or
Delete twice on your keyboard. Hitting Backspace or Delete once on your keyboard will display the below pop up alert asking if you want to remove the
Network Object. Hitting the Backspace or Delete a second time will result in removing the Network Object. After the Network Object is removed, remember to
click Finish editing and Save.

Bulk Edit and Delete Rules

To edit or delete several rules at once, check the desired rules and click More actions > choose either Bulk edit or Bulk delete.

Converting Existing Rules to use Network Objects

It is possible to convert previously configured IP Addresses, IP Subnets and FQDNs in existing firewall rules to utilize Network Objects. To do so, edit the rule by
clicking

7
for the respective rule and click on the IP Address, IP Subnet or FQDN. A pop up will appear asking to input a Network Object name to create a new Network
Object.

Example of Firewall Rules using Network Objects/Groups

Compatibility
Network Objects can be applied alongside our existing VLAN Objects used in Template Networks Firewall Rules.

VLAN Objects
VLAN Objects are primarily used to represent Template created VLANs. They can be created and modified within Template Network Firewall Rules.

Note: VLAN Objects may also be used within networks that are not bound to a template.

For additional information regarding VLAN Objects, please refer to:

Managing Multiple Networks with Configuration Templates

MX Templates Best Practices

IPv6 LAN capabilities are a requirement for VLAN Objects. VLAN objects and HA MXs (warm spare) do not work together since HA pair does not
currently support IPv6. When a warm spare is added to a network, you will lose the ability to use VLAN objects and any existing L3 rules utilizing
VLAN objects will be removed.

8
Example of Template Firewall Rules using Both Network and VLAN Objects

API
APIs can be used to create, modify and apply Network Objects/Groups to firewall rules. For a list of supported APIs, please navigate to Help > API
documentation and see the Policy object groups and Policy objects sections. When creating a Network Object/Group, the Network Object/Group will
correlate to an ID. This ID is an unique identifier for the created Network Object/Group. To update, delete or apply the created Network Object or Group, you will
need to reference this ID in the respective format OBJ[ID] or GRP[ID]. You can see a full list of created Network Objects/Groups and their respective IDs by
utilizing the API call corresponding to listing Network Objects/Groups for the entire Organization.

As of 4/1/2021, we launched new v1 Policy Object API endpoints. This allows Policy Objects to more easily introduce future Objects such as
Application, Ports and etc.

The old v0/v1 Network Objects API endpoints (existed prior to 4/1/2021) will continue to function. However, these will be deprecated in the future. The
exact date is still TBD. If you're using the old v0/v1 Network Objects APIs to create/modify your Network Objects, please take this time to migrate to
the new v1 Policy Objects APIs.

Example of Creating a Network Object Using API

HTTP Request to create a Network Object named "Test Object" for subnet "10.0.0.0/24":

curl -L -H 'X-Cisco-Meraki-API-Key: <key>' -H 'Content-Type: application/json' -X POST --data-binary

'{"name":"Test Object","category":"network", "type": "cidr", "cidr":"10.0.0.0/24","groupIds":[]}' 'https://api.meraki.
com/api/v1/organizations/{organizationId}/policyObjects'

HTTP Successful Response. Note "id" correlates to the unique id of the created Network Object:

{ "id": "1234",
"name": "Test Object",
"category": "network",
"type": "cidr",
"cidr": "10.0.0.0/24",
"created_at": "2018-05-12T00:00:00Z",
"updated_at": "2018-05-12T00:00:00Z",
"groupIds": [ ],
"networkIds": [ ]}

9
Example of Applying a Network Object to a Layer 3 Firewall Rule Using API
HTTP Request to apply the previously created Network Object to the Source field of a Firewall Rule. Note that the ID was used to reference the Network Object
(OBJ[ID] ).

curl -L -H 'X-Cisco-Meraki-API-Key: <key>' -H 'Content-Type: application/json' -X PUT --data-binary

'{"rules":[{"comment":"Test Rule","policy":"allow",","protocol":"tcp","destPort":Any,"destCidr":"Any",
"srcPort":"Any","srcCidr":"OBJ[1234]","syslogEnabled":false}]}' 'https://api.meraki.com/api/v0/
organizations/{organizationId}/networks/{networkId}/FirewallRules'

HTTP Successful Response:

{ "comment": "Test Rule",

"policy": "allow",
"protocol": "tcp",
"destPort": Any,
"destCidr": "Any",
"srcPort": "Any",
"srcCidr": "OBJ[1234]",
"syslogEnabled": false }

10