Zero Trust Device Segmentation

Managing Objects

Zero Trust Device Segmentation supports several types of objects (devices, networks, MAC addresses, ports, time schedules, and zones) and lets you collect them into groups. Policies are then written against groups rather than individual entries, so membership can change dynamically (for example, as new devices are discovered) while the policy that prevents lateral movement stays the same.

To manage objects:

  1. Go to Resources > Objects.
  2. Click Add Group to add a new group, or click the Gear icon and select Edit to modify an existing group.

  3. In the Add Group or Edit Group panel, define the group as needed. See the following sections for descriptions of the group types:
    • A device group provides the ability to specify additional attributes for devices:

      • Name: Enter a name for this group.
      • Autonomous: If enabled, newly discovered assets matching the defined attributes are automatically added to the group.
      • Device Attribute: Select an item from the drop-down menu and define additional parameters for that attribute:
        • Manufacturer: Select the manufacturer of this device in the Attribute Value field.
        • Network: Enter the network address of this device in the Attribute Value field.
        • Operating System: Select the operating system of this device in the Attribute Value field.
        • Services: Select the type of service for this device (e.g., printer, scanner, etc.) in the Attribute Value field.
        • Tags: Select one or more tags to identify groups of devices and click Add. For instance, all Windows devices can be grouped using the tag type:windows. You can also create custom tags to organize devices. To learn more, see Working with Tags.
    • A network group supports CIDR blocks and FQDNs.

      Enter a name for this group in the Name field, then enter the network address. Non-CIDR block IP address ranges (e.g., 192.168.0.2–192.168.0.10) are converted to CIDR notation.

      When an FQDN is added to a network group, the Device Segmentation gateway resolves the FQDN locally and adds the IP addresses to the group. The Device Segmentation gateway also honors the Time to Live (TTL) value of the DNS records and refreshes when the TTL expires.

      You can combine multiple network groups into a single group by selecting them in the Member Groups field. This feature is useful when creating a single policy for multiple network objects.

    • A MAC group supports the addition of static MAC addresses. Enter a name for this group in the Name field, then enter one or more MAC addresses using a colon (:) as a separator (e.g., 20:7B:D2:24:33:83).

      You can combine multiple MAC groups into a single group by selecting them in the Member Groups field. This feature is useful when creating a single policy for multiple MAC objects.

    • A port group supports ports in several formats:

      • protocol:port-number pairs (e.g., udp:8080)
      • protocol:port-range pairs (e.g., TCP:1024-1030)
      • Well-known protocols or ports (e.g., bgp)

      Enter a name for the group in the Name field. Use a comma after each entry to add it to the list (e.g., udp:8080, TCP:1024-1030) so you don't have to click Add for each entry.

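The network, MAC, and port group entries above each have a specific input format, and the network group silently rewrites non-CIDR ranges into CIDR blocks. The following Python script is an added example (not Zscaler code) that normalizes entries the same way before you paste them into a group, so you can see exactly which CIDR blocks a range expands to, catch a MAC address written with the wrong separator, and check a comma-separated port list. The WELL_KNOWN table is a constructed subset for illustration; the product's own list of well-known names may differ.

```python
"""Normalize Zero Trust Device Segmentation object entries.

Added example (not Zscaler code): parses the entry formats the page
describes for network, MAC and port groups so you can check what a
group will contain before you attach a policy to it.
"""
import ipaddress
import re

# Well-known service names the page allows as bare port entries (e.g. "bgp").
# Constructed subset for this example; the product's own list may differ.
WELL_KNOWN = {
    "bgp": ("tcp", 179, 179),
    "ssh": ("tcp", 22, 22),
    "dns": ("udp", 53, 53),
    "https": ("tcp", 443, 443),
}

# Six hex octets separated by colons, e.g. 20:7B:D2:24:33:83
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def range_to_cidrs(entry: str) -> list[str]:
    """Convert a network-group entry to CIDR blocks.

    Accepts a CIDR ("10.0.0.0/24"), a single address, or a non-CIDR range
    written as "start-end" or "start–end" (en dash, as in the page). A range
    is summarized into the minimal set of CIDR blocks covering exactly those
    addresses, which is the conversion the page says happens on input.
    """
    entry = entry.strip()
    if "-" in entry or "\u2013" in entry:
        start, end = re.split(r"\s*[-\u2013]\s*", entry, maxsplit=1)
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if first > last:
            raise ValueError(f"range start after end: {entry}")
        return [str(n) for n in ipaddress.summarize_address_range(first, last)]
    # strict=False accepts host bits set, e.g. 192.168.1.5/24 -> 192.168.1.0/24
    return [str(ipaddress.ip_network(entry, strict=False))]


def normalize_mac(entry: str) -> str:
    """Validate a MAC-group entry and return it upper-cased."""
    entry = entry.strip()
    if not _MAC_RE.match(entry):
        raise ValueError(
            f"MAC must be colon-separated, e.g. 20:7B:D2:24:33:83, got {entry!r}"
        )
    return entry.upper()


def parse_port_entries(text: str) -> list[tuple[str, int, int]]:
    """Parse a comma-separated port-group string into (protocol, low, high).

    Accepts "udp:8080", "TCP:1024-1030" and well-known names such as "bgp".
    Protocol names are case-insensitive, as the page's mixed-case examples imply.
    """
    result = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing comma
        if ":" not in item:
            if item.lower() not in WELL_KNOWN:
                raise ValueError(f"unknown well-known port name: {item!r}")
            result.append(WELL_KNOWN[item.lower()])
            continue
        proto, ports = item.split(":", 1)
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol in {item!r}")
        low, _, high = ports.partition("-")
        lo, hi = int(low), int(high or low)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"port range out of order or out of bounds: {item!r}")
        result.append((proto, lo, hi))
    return result


if __name__ == "__main__":
    # Constructed sample entries mirroring the page's examples.
    print(range_to_cidrs("192.168.0.2\u2013192.168.0.10"))
    print(normalize_mac("20:7b:d2:24:33:83"))
    print(parse_port_entries("udp:8080, TCP:1024-1030, bgp"))
```

Note that the page's example range 192.168.0.2–192.168.0.10 does not map to a single block: it becomes four CIDRs (/31, /30, /31, /32). Reviewing the expanded list before saving the group is worth the few seconds, because a typo in either end of the range (for example 192.168.0.2–192.168.10.10) expands into far more address space than intended and the policy will quietly apply to all of it.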
    • A time schedule group allows you to specify a group of absolute and periodic time ranges:

      • Name: Enter a name for this group.
      • Time Zone: Select the time zone used for this group.
      • Absolute Time Range: Select the start and end dates and times to create a specific date and time range.
      • Periodic Time Range: Select the days and time schedules for a periodic time range (e.g., every Monday, Wednesday, and Friday).

      Click Add Time Range to add each time range to the group.

    • A LAN zone group allows you to group one or more local area networks together. Enter a name for the group in the Name field.

    • A WAN zone group allows you to group one or more wide area networks together. Enter a name for the group in the Name field.

    • A management zone group allows you to group management entities together. Enter a name for the group in the Name field.

    • A high availability (HA) zone group allows you to group high availability networks together. Enter a name for the group in the Name field.

Related Articles

  • Managing Templates
  • Managing Objects
  • Adding a Border Gateway Protocol to a Site