Firepower Threat Defense – Logical Objects

Categories Cisco, fmc

Network Address Objects

  • A network object represents one or more IP addresses. Network objects are used in various places, including access control policies, network variables, intrusion rules, identity rules, network discovery rules, event searches, reports, and so on.
  • It is a good idea to create objects for each VLAN
  • If possible creating objects for individual devices may be required.
  • It is a good idea to be as granular as possible because this will allow for flexibility and scalability to your rules offering more insights on what is happening within your network.
  • After the individual objects are created we will create a network group object that will encompass all of our internal network.
  • This group object will be used throughout our policy creation.


  • Port objects or groups represent different protocols. You can use port objects and groups in various places in the systems web interface, including access control policies, identity rules, network discovery rules, port variables, and event searches.
  • Just like our network objects we can create layer4 tcp/udp objects that will be used in the same manner.
  • You can also add service ports in the ACP when creating access control policies but they will not have a descriptive name.

Interfaces and Zones

  • Interface objects segment your network to help you manage and classify traffic flow. An interface object simply groups interfaces. These groups may span multiple devices; you can also configure multiple interface objects on a single device.
  • FTD is a zone based system creating security zones allows for easier management.

Application Filter

  • Application filters help you perform application control by organizing applications according to basic characteristics: type, risk, business relevance, category, and tags.
  • This can be used as a way to block web sites if you don’t have a license for URL filtering (This feature is included with the base license.
  • Add the selected filters.
  • You can choose the applications you want selected if you don’t want to choose all.
  • Add to Rule.
  • Save the new application filter.

Variable Sets

  • Variables represent values commonly used in intrusion rules to identify source and destination IP addresses and ports.You can also use variables in intrusion policies to represent IP addresses in rule suppressions, adaptive profile updates, and dynamic rule states.
  • Now we will edit our HOME_NET variable from ‘any’ to our network group object we created earlier.
  • This will help give a better insight and more security.
  • Update the new group object into the Included Networks list to remove the ‘any’ object.
  • After saving the new object we can see it has been applied and our new variable set has been created.