Object Types
You can create the following types of object. In most cases, if a policy or setting allows an object, you must use an object.
Object Type |
Main Use |
Description |
---|---|---|
AnyConnect Client Profile |
Remote access VPN. |
AnyConnect Client profiles are downloaded to clients along with the AnyConnect Client software. These profiles define many client-related options, such as auto connect on startup and auto reconnect, and whether the end user is allowed to change the option from the AnyConnect Client preferences and advanced settings. |
Application Filter |
Access control rules. |
An application filter object defines the applications used in an IP connection, or a filter that defines applications by type, category, tag, risk, or business relevance. You can use these objects in policies to control traffic instead of using port specifications. |
Certificates |
Identity policies. Remote access VPN. SSL decryption rules. Management web server. |
Digital certificates provide digital identification for authentication. Certificates are used for SSL (Secure Socket Layer), TLS (Transport Layer Security), and DTLS (Datagram TLS) connections, such as HTTPS and LDAPS. |
DNS Groups |
DNS settings for the management and data interfaces. |
DNS groups define a list of DNS servers and some associated attributes. DNS servers are needed to resolve fully-qualified domain names (FQDN), such as www.example.com, to IP addresses. |
Event List Filters |
System logging settings for select logging destinations. |
Event list filters create a custom filter list for syslog messages. You can use them to limit the messages that are sent to a particular logging location, such as a syslog server or the internal log buffer. |
Geolocation |
Security policies. |
A geolocation object defines countries and continents that host the device that is the source or destination of traffic. You can use these objects in policies to control traffic instead of using IP addresses. |
Identity Sources |
Identity policies. Remote access VPN. FDM access. |
Identity sources are servers and databases that define user accounts. You can use this information in a variety of ways, such as providing the user identity associated with an IP address, or authenticating remote access VPN connections or access to the FDM. See Identity Sources. |
IKE Policy |
VPN. |
Internet Key Exchange (IKE) Policy objects define the IKE proposal used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations (SAs). There are separate objects for IKEv1 and IKEv2. |
IPsec Proposal |
VPN. |
IPsec Proposal objects configure the IPsec proposal used during IKE Phase 2 negotiations. The IPsec proposal defines the combination of security protocols and algorithms that secure traffic in an IPsec tunnel. There are separate objects for IKEv1 and IKEv2. |
Network |
Security policies and a wide variety of device settings. |
Network groups and network objects (collectively referred to as network objects) define the addresses of hosts or networks. |
Port |
Security policies. |
Port groups and port objects (collectively referred to as port objects) define the protocols, ports, or ICMP services for traffic. |
Secret Keys |
Smart CLI and FlexConfig policies. |
Secret key objects define passwords or other authentication strings that you want to encrypt and hide. |
Security Zone |
Security policies. |
A security zone is a grouping of interfaces. Zones divide the network into segments to help you manage and classify traffic. |
SGT Groups |
Access control policies. |
Trustsec Security Group Tags (SGT) define tags for traffic as defined in Cisco Identity Services Engine (ISE). You must configure ISE before you can create these objects. You can then use the objects as source/destination matching criteria in access control rules. |
SLA Monitors |
Static routes. |
An SLA Monitor defines a target IP address to use for monitoring a static route. If the monitor determines the target IP address can no longer be reached, the system can install a backup static route. |
Syslog Servers |
Access control rules. Diagnostic logging. Security Intelligence policies. SSL decryption rules. Intrusion policies. File/malware policies |
A syslog server object identifies a server that can receive connection-oriented or diagnostic system log (syslog) messages. |
URL |
Access control rules. Security Intelligence policies. |
URL objects and groups (collectively referred to as URL objects) define the URL or IP addresses of web requests. |
Users |
Remote access VPN. |
You can create user accounts directly on the device for use with remote access VPN. You can use the local user accounts instead of, or in addition to, an external authentication source. |