As you add addresses to the address book, it becomes difficult to manage how policies affect each address entry. To facilitate management tasks, you can create groups of addresses. Rather than manage a large number of address book entries, you can manage a small number of groups. Changes you make to the group apply to each address entry in the group.
You can create address groups in any zone.
You can create address groups with existing users, or you can create empty address groups and later fill them with users.
An address group entry can be used like an individual address book entry.
The NetScreen device applies access policies to each member of the group by internally creating individual policies for each group member. While you only have to create one access policy for a group, ScreenOS actually creates an internal policy for each member in the group (as well as for each service configured for each user).
When an individual address book entry is deleted from the address book, it is also removed from all groups in which it was referenced.
Address groups can only contain addresses that belong to the same zone.
Address names cannot be the same as group names. If the name “Paris” is used for an individual address entry, it cannot be used for a group name.
If an address group is referenced in an access policy, the group cannot be removed. It can, however, be edited.
When a single access policy is assigned to an address group, it is applied to each group member individually, and the NetScreen device makes an entry for each member in the access control list (ACL). If you are not vigilant, it is possible to exceed the number of available access policy resources, especially if both the source and destination are address groups.
You cannot add the predefined addresses “Any,” “All Virtual IPs,” and “Dial-Up VPN” to groups.
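The rules above, in particular the per-member expansion of a single group policy and the resulting policy resource consumption, are easier to reason about with a small model. The following is an added example written for this page (a hypothetical in-memory model, not ScreenOS code); the class, method and zone names are assumptions. Calling internal_policy_count before committing a group-to-group policy gives the number of internal entries ScreenOS would create, so you can check it against your device's policy limit.

```python
PREDEFINED = {"Any", "All Virtual IPs", "Dial-Up VPN"}   # cannot be group members

class AddressBook:  # hypothetical model of the rules on this page, not ScreenOS code
    def __init__(self):
        self.addresses = {}   # address name -> zone
        self.groups = {}      # group name -> (zone, set of member names)
        self.policies = []    # (source name, destination name, set of services)

    def add_address(self, name, zone):
        if name in self.groups:             # address and group names must differ
            raise ValueError(f"{name!r} is already a group name")
        self.addresses[name] = zone

    def add_group(self, name, zone, members=()):
        if name in self.addresses or name in PREDEFINED:
            raise ValueError(f"{name!r} is already an address name")
        self.groups[name] = (zone, set())   # empty groups are allowed
        for m in members:
            self.add_member(name, m)

    def add_member(self, group, member):
        zone, members = self.groups[group]
        if member in PREDEFINED:
            raise ValueError(f"predefined address {member!r} cannot join a group")
        if self.addresses.get(member) != zone:   # members must share the group's zone
            raise ValueError(f"{member!r} is not an address in zone {zone!r}")
        members.add(member)

    def delete_address(self, name):
        del self.addresses[name]
        for _, members in self.groups.values():   # also removed from every group
            members.discard(name)

    def remove_group(self, name):
        if any(name in (src, dst) for src, dst, _ in self.policies):
            raise ValueError(f"group {name!r} is referenced by a policy")
        del self.groups[name]

    def members_of(self, name):   # a plain address expands to itself
        return self.groups[name][1] if name in self.groups else {name}

    def add_policy(self, src, dst, services):
        self.policies.append((src, dst, set(services)))
        return self.internal_policy_count(src, dst, services)

    def internal_policy_count(self, src, dst, services):
        # one internal ACL entry per (source member, destination member, service)
        return len(self.members_of(src)) * len(self.members_of(dst)) * len(services)
```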
You can view the IP address groups per zone by selecting a zone from the drop-down list. The table lists all the IP address group entries configured on the NetScreen device and the following information on each one:
Name: Indicates the name of the IP address group.
Members: Indicates the name of each member of the address group.
Comment: An optional description of the group; this field may be empty.
Configure: Click Edit to modify the IP address group entry, or Remove to delete it.
Click New. For more information on creating a new address group entry, see IP Address Group Configuration.
In the Configure column, click Edit for the group you want to modify.
The Addresses Group Edit page appears.
Enter the new information, and then click OK to save your changes.
In the Configure column, click Remove for the address you want to delete.
A system message prompts you to confirm the removal.
Click Yes to confirm removal, or No to cancel.