
[Feature]: Object-Groups #56

Open
cyberndj opened this issue Aug 10, 2022 · 4 comments
@cyberndj

NetBox version

v3.2.7

Feature type

Add a function

Proposed functionality

Include the ability to use object-groups for use in ACLs

Use case

Have a Menu Section like "ACL Object Groups." Different types would be "network" or "service" object groups. The object groups would be a list of IP networks/hosts and service object groups would have ports/protocols.

In the ACLs, you can reference an object group in the rule entry.
Example:
object-group network Private-Nets
192.168.0.0 255.255.0.0
172.16.0.0/12
10.0.0.0 255.0.0.0
169.254.0.0/16

ACL:
permit ip object-group Private-Nets any
deny ip any any log

External dependencies

No response

cyberndj added the enhancement (New feature or request) label Aug 10, 2022
@ryanmerolle (Contributor)

Sorry for the delay here.

It feels like this is more of a firewall type of function. I guess Cisco IOS allows for this.

My only point is: should I make this a more generalized plugin that expands into security policies and models something like the nautobot firewall models plugin?

@cyberndj (Author)

Admittedly, my examples are Cisco specific and the features do seem firewall-ish (groupings are a firewall (L4+) feature). I would point out that a lot of modern routers do let you add items to ACEs for header fields (i.e. Cisco's established: permit ip any any established) ...and my knowledge is 90% Cisco, 2% Ubiquiti, 8% others... so my knowledge of how other manufacturers do things is very slim.

The nautobot plugin looks cool and could be what configuring a firewall policy could be like, with all the extra fields that a FW would need. ...but I think something general/simple would do, like using base NetBox prefix/IP groups and maybe NetBox Services to do the protocol/port groupings.
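The data model the proposal describes (network object groups of prefixes/hosts, service object groups of protocol/port pairs, both referenced by name from an ACE) together with the follow-up idea of sourcing them from NetBox prefixes/IPs and Services, as an added Python example. This is not code from the netbox-acls plugin or from NetBox: the class and function names, the DMZ and WEB groups and the ACL name INSIDE-IN are assumptions, and the `object-group service` lines are assumed IOS syntax; only the Private-Nets group and the two ACEs come from the issue. It parses both member notations used in the issue, renders the grouped form, and expands it to flat ACEs for a platform without object-group support.

```python
"""Object-group model for ACLs. Added illustration, not netbox-acls or NetBox code: parses
members in both forms used in the issue, renders the grouped form, expands to flat ACEs."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from itertools import product
from typing import List, Optional, Tuple, Union

Endpoint = Union["NetworkObjectGroup", str]  # a network group, or the literal "any"

def parse_member(text: str):
    """Accept '10.0.0.0 255.0.0.0' (IOS mask form) or '172.16.0.0/12' (CIDR). strict=True
    rejects host bits, e.g. '10.1.2.3 255.0.0.0', which a device would silently widen to 10.0.0.0/8."""
    parts = text.split()
    if len(parts) == 2:
        text = "/".join(parts)
    elif len(parts) != 1:
        raise ValueError(f"unparseable object-group member: {text!r}")
    return ip_network(text, strict=True)

def is_valid_member(text: str) -> bool:
    try:
        return parse_member(text) is not None
    except ValueError:
        return False

@dataclass
class NetworkObjectGroup:
    name: str
    members: list = field(default_factory=list)  # ip_network objects (NetBox prefixes/IPs)

@dataclass
class ServiceObjectGroup:
    name: str
    members: List[Tuple[str, int]] = field(default_factory=list)  # (protocol, port), cf. NetBox Services

@dataclass
class ACE:
    action: str             # "permit" or "deny"
    src: Endpoint
    dst: Endpoint
    protocol: str = "ip"    # used when no service group is attached
    service: Optional[ServiceObjectGroup] = None
    log: bool = False

def _ref(ep: Endpoint) -> str:
    return "any" if ep == "any" else f"object-group {ep.name}"

def _members(ep: Endpoint) -> list:
    return ["any"] if ep == "any" else list(ep.members)

def _flat(net) -> str:
    """One endpoint in flat IOS ACE syntax: wildcard (inverse) mask, 'host' for a /32."""
    if net == "any":
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def render_grouped(groups: list, acl_name: str, aces: List[ACE]) -> List[str]:
    """Grouped form: a group is defined once and referenced by name, so a membership change is
    one edit. Network-group/ACE lines follow the issue; 'object-group service' lines are assumed IOS syntax."""
    lines = []
    for g in groups:
        if isinstance(g, NetworkObjectGroup):
            lines.append(f"object-group network {g.name}")
            lines += [f" host {m.network_address}" if m.prefixlen == m.max_prefixlen
                      else f" {m.network_address} {m.netmask}" for m in g.members]
        else:
            lines.append(f"object-group service {g.name}")
            lines += [f" {proto} eq {port}" for proto, port in g.members]
    lines.append(f"ip access-list extended {acl_name}")
    for ace in aces:
        proto = f"object-group {ace.service.name}" if ace.service else ace.protocol
        fields = [ace.action, proto, _ref(ace.src), _ref(ace.dst)] + (["log"] if ace.log else [])
        lines.append(" " + " ".join(fields))
    return lines

def expand(acl_name: str, aces: List[ACE]) -> List[str]:
    """Flat form for platforms without object groups: cross product of service, source and
    destination members. ACE order is preserved so the closing 'deny ip any any log' stays last."""
    lines = [f"ip access-list extended {acl_name}"]
    for ace in aces:
        services = ace.service.members if ace.service else [(ace.protocol, None)]
        for (proto, port), s, d in product(services, _members(ace.src), _members(ace.dst)):
            fields = [ace.action, proto, _flat(s), _flat(d)]
            if port is not None:
                fields += ["eq", str(port)]
            if ace.log:
                fields.append("log")
            lines.append(" " + " ".join(fields))
    return lines

# Constructed sample: the issue's Private-Nets group; DMZ and WEB are invented here for the service side.
PRIVATE_NETS = NetworkObjectGroup("Private-Nets", [parse_member(m) for m in (
    "192.168.0.0 255.255.0.0", "172.16.0.0/12", "10.0.0.0 255.0.0.0", "169.254.0.0/16")])
DMZ = NetworkObjectGroup("DMZ", [parse_member("10.10.10.5/32")])
WEB = ServiceObjectGroup("WEB", [("tcp", 80), ("tcp", 443)])
ACES = [ACE("permit", PRIVATE_NETS, DMZ, service=WEB),
        ACE("permit", PRIVATE_NETS, "any"),
        ACE("deny", "any", "any", log=True)]
```

`render_grouped([PRIVATE_NETS, DMZ, WEB], "INSIDE-IN", ACES)` reproduces the two ACE lines from the issue with the group defined once above them; `expand("INSIDE-IN", ACES)` is the fallback for a switch that has no object-group support and must receive one ACE per member. Two points a practitioner would want enforced at the model layer: the expansion keeps ACE order, because sorting or de-duplicating would move the final deny; and `parse_member` refuses a member with host bits set, because a device would widen it silently to the containing network rather than reject it.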

@fansari commented Feb 3, 2023

In my opinion, everything which helps to build switch ACLs would be useful, because this is our use case.

For hosts we don't need ACLs because you can build firewall rules with "Services" in Netbox.

@cs-1 (Contributor) commented Apr 3, 2024

This feature would be great. Aruba CX also supports object groups under AOS CX.

Development: no branches or pull requests.
4 participants