Using SMC elements to represent IP addresses in policies

There are special considerations for using SMC elements in policies.

Many elements are created as part of configuring a particular feature. When such an element defines an IP address for a device, the element can also be used to represent that IP address in policies. However, depending on the element type, there are special considerations to take into account.
Tip: To view the actual IP addresses that the element adds to a policy, insert the element in a rule, then select Tools > Network Details.

SMC components

Using elements that represent SMC components as a source or destination IP address in policies can produce unexpected results. Be especially careful when you use engine elements as source or destination IP addresses in policies:
  • Firewall, Single IPS, IPS Cluster, Single Layer 2 Firewall, and Layer 2 Firewall Cluster: These elements represent all static IP addresses defined for all interfaces. Create separate Host elements to represent individual IP addresses.
  • Firewall Cluster: Represents all CVI IP addresses of all interfaces, but not the NDI addresses. Create separate Host elements to represent individual CVI addresses and NDI addresses.
  • Firewalls with dynamic IP addresses: The Firewall element does not represent any of the dynamic IP addresses. There are default Aliases that can be used to represent the firewall’s own dynamic IP addresses in the firewall’s own policy. If the dynamically assigned IP addresses must appear in the policies of any other component, define them as fixed IP addresses (for example, as Host elements).
  • SMC servers: Each element represents the single primary IP address defined for it.
  • Contact addresses are not taken into account when any of these elements is used in a policy. Consider which IP address has to be added to the rule and create separate Host elements for the contact addresses as necessary.

External Servers

Several types of external servers can be integrated with the SMC when configuring different features. In general, each server element simply represents the single primary IP address defined in the element when used in a policy. Some elements have additional considerations when used in policies:
  • Secondary IP addresses: Many server elements can contain one or more secondary IP addresses in addition to the primary address displayed for the element. When the element is used in a policy, it represents the secondary addresses as well as the primary address.
  • Contact addresses: Some server elements can have a contact address. Contact addresses are not taken into account when the element is used in a policy. Consider which IP address has to be added to the rule and create separate Host elements for the contact addresses as necessary.
  • Server Pools: The Server Pool element represents the external addresses that the clients contact. Use the Server Pool in rules that allow clients’ traffic to the servers whenever you want to use the Server Pool features. Elements that represent the individual members of the pool can be used to allow connections to individual pool members (for example, to allow remote administration of each server).

Traffic handlers

Traffic handlers are used in Firewall Policies when configuring Multi-Link for Firewalls. They can be used in rules in the following ways:
  • In Source and Destination cells: A NetLink element represents the whole network address space that is associated with the NetLink element. An Outbound Multi-Link element represents the network address spaces of all NetLinks included in the Outbound Multi-Link element.
  • In the NAT cell in NAT rules: When the source address is translated using the Outbound Multi-Link element as the address space, the traffic is balanced between the included NetLinks according to the options selected for the Outbound Multi-Link element.
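As an added illustration for the three sections above (SMC components, external servers and traffic handlers), the following Python models the address-expansion rules they describe and flags the cases where a rule author needs extra Host elements. This is example code written for this page, not SMC code and not the SMC API: the element kinds, field names and the sample elements are assumptions made for the example.

```python
"""Model of how SMC elements expand to IP addresses when placed in a policy rule.

Illustrative only: Element/Interface and their fields are assumptions for this
example, not the SMC API. The expansion rules are the ones stated in the text.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class Interface:
    static: List[str] = field(default_factory=list)  # static addresses (single engines)
    cvi: List[str] = field(default_factory=list)     # Cluster Virtual IPs (clusters)
    ndi: List[str] = field(default_factory=list)     # Node Dedicated IPs (clusters)
    dynamic: bool = False                            # address assigned dynamically


@dataclass
class Element:
    kind: str   # firewall | single_ips | ips_cluster | single_l2fw | l2fw_cluster |
                # firewall_cluster | smc_server | external_server | host |
                # netlink | outbound_multilink   (names assumed for this example)
    name: str
    interfaces: List[Interface] = field(default_factory=list)
    primary: Optional[str] = None                     # servers/hosts: primary address
    secondary: List[str] = field(default_factory=list)  # external servers only
    contact: Optional[str] = None                     # contact address, never used in rules
    networks: List[str] = field(default_factory=list)   # NetLink: associated address space
    members: List["Element"] = field(default_factory=list)  # Outbound Multi-Link: NetLinks


ENGINE_KINDS = {"firewall", "single_ips", "ips_cluster", "single_l2fw", "l2fw_cluster"}


def policy_addresses(el: Element) -> set:
    """Return the normalized networks (as strings) the element adds to a rule."""
    addrs = set()
    if el.kind in ENGINE_KINDS:
        # All static addresses on all interfaces; dynamic addresses contribute nothing.
        for iface in el.interfaces:
            if not iface.dynamic:
                addrs.update(str(ip_network(a)) for a in iface.static)
    elif el.kind == "firewall_cluster":
        # CVIs of every interface, but never the NDIs.
        for iface in el.interfaces:
            addrs.update(str(ip_network(a)) for a in iface.cvi)
    elif el.kind in ("smc_server", "host"):
        addrs.add(str(ip_network(el.primary)))
    elif el.kind == "external_server":
        # Primary plus any secondary addresses.
        addrs.add(str(ip_network(el.primary)))
        addrs.update(str(ip_network(a)) for a in el.secondary)
    elif el.kind == "netlink":
        addrs.update(str(ip_network(n)) for n in el.networks)
    elif el.kind == "outbound_multilink":
        # Union of the address spaces of all included NetLinks.
        for netlink in el.members:
            addrs |= policy_addresses(netlink)
    else:
        raise ValueError(f"unknown element kind: {el.kind}")
    # Contact addresses are ignored for every element type, so nothing to add here.
    return addrs


def review_rule_element(el: Element) -> List[str]:
    """Warnings a policy author should see before relying on this element in a rule."""
    warnings = []
    if el.contact is not None:
        warnings.append(f"{el.name}: contact address {el.contact} is ignored in rules; "
                        "add a Host element if the rule must match it")
    if el.kind == "firewall_cluster":
        ndis = [a for iface in el.interfaces for a in iface.ndi]
        if ndis:
            warnings.append(f"{el.name}: NDI addresses {ndis} are not represented; "
                            "add Host elements for node-specific traffic")
    if el.kind in ENGINE_KINDS and any(iface.dynamic for iface in el.interfaces):
        warnings.append(f"{el.name}: dynamic addresses are not represented; use the default "
                        "Aliases in the engine's own policy or fixed definitions elsewhere")
    if not policy_addresses(el):
        warnings.append(f"{el.name}: matches no addresses at all")
    return warnings


# Constructed sample elements for the example (not from any real deployment).
HQ_CLUSTER = Element("firewall_cluster", "HQ-Cluster", interfaces=[
    Interface(cvi=["203.0.113.10"], ndi=["203.0.113.11", "203.0.113.12"]),
    Interface(cvi=["10.1.0.1"], ndi=["10.1.0.2", "10.1.0.3"]),
])
BRANCH_FW = Element("firewall", "Branch-FW", interfaces=[
    Interface(dynamic=True),            # external interface, address from the ISP
    Interface(static=["10.2.0.1"]),
])
SYSLOG = Element("external_server", "Syslog", primary="10.1.5.20",
                 secondary=["10.1.5.21"], contact="198.51.100.20")
ISP_A = Element("netlink", "ISP-A", networks=["198.51.100.0/24"])
ISP_B = Element("netlink", "ISP-B", networks=["203.0.113.0/24"])
OUTBOUND = Element("outbound_multilink", "Outbound-Multi-Link", members=[ISP_A, ISP_B])

if __name__ == "__main__":
    for element in (HQ_CLUSTER, BRANCH_FW, SYSLOG, OUTBOUND):
        print(element.name, sorted(policy_addresses(element)))
        for warning in review_rule_element(element):
            print("  warning:", warning)
```

Running the module prints, for each sample element, the addresses it would contribute to a rule and the warnings, which mirrors the manual check of inserting the element in a rule and selecting Tools > Network Details: the cluster expands to its two CVIs only, the branch firewall to its one static address, the syslog server to its primary and secondary addresses but not its contact address, and the Outbound Multi-Link element to the union of both NetLink address spaces.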