Nexapp - Firewall Objects
Firewall Objects
Firewall objects are reusable groups of network identifiers—such as IP addresses, subnets, ranges, or domains—used to simplify and standardize NexappOS policies. Instead of repeating the same addresses inside many rules, you define them once as an object and reference them anywhere.
Using firewall objects helps you keep policies clean, consistent, and easy to update.
Why Use Firewall Objects?
Key advantages:
- Better organization and readability: rules remain short and clear, even in complex networks.
- Fewer configuration errors: you avoid repeatedly typing long IPs, ranges, or domains.
- Easy maintenance: updating an object automatically updates every rule that uses it.
- Efficient rule management: especially useful when multiple rules share the same targets or sources.
Firewall objects are most valuable in medium-to-large deployments or anytime a group of addresses is referenced more than once. For very small setups with just a few static rules, objects are optional.
Object Types Available
NexappOS supports multiple firewall object categories:
- Static Leases (DHCP Reservations): fixed IP assignments for specific devices.
- DNS Records: local hostname-to-IP mappings.
- VPN Users: remote users with reserved VPN IPs.
- Host Sets: groups of IPs, networks, ranges, and other objects.
- Domain Sets: collections of domains that resolve dynamically into IPs.
These objects are shared system-wide and can be reused in:
- firewall rules
- NAT / port forwarding
- SD-WAN routing rules
- policy definitions
- access control lists
Static Leases (DHCP Reservations)
Static leases assign a stable IP to a device based on its MAC address.
This combines DHCP convenience with static IP predictability.
Benefits
- devices always receive the same IP
- hostnames can be assigned for clarity
- simplifies troubleshooting and policy writing
A static lease contains:
- Hostname — friendly device name
- IP address — must be inside DHCP range
- MAC address — unique hardware ID
For details, see the DNS & DHCP chapter.
DNS Records
DNS records provide local hostname → IP mapping.
Local records always override upstream DNS results.
A DNS record contains:
- Hostname — local name to resolve
- IP address — mapped address
Common Use Cases
- easy shortcuts to internal services (e.g., intranet.company.local)
- override public DNS for testing
- create internal service domains
For details, see the DNS & DHCP chapter.
VPN Users
VPN users with reserved VPN IP addresses can be used as firewall objects.
This allows identity-based policy control.
Key Points
- each VPN user may get a fixed VPN IP
- users can be referenced in rules as source/destination
- works with both local and directory (LDAP) users
- enables per-user access control and monitoring
Use Cases
- restrict remote users to specific resources
- build allow/deny lists per user
- enforce time-based access policies
- monitor bandwidth per user
Requirements
- user has VPN access enabled
- reserved IP is assigned to that user
Host Sets
Host sets group multiple IP elements into one object that can be referenced in rules.
What Host Sets Can Include
- individual IPs
- CIDR networks
- IP ranges
- static leases
- DNS record names
- VPN users (IPv4 only)
IP Version Support
- Host sets are either IPv4 or IPv6
- one set cannot mix both versions
Why They Matter
- update once, rules auto-inherit change
- ideal for grouping servers, teams, sites, or services
- simplifies allow/deny policies at scale
Note
Host sets are fully supported in firewall rules.
Some pages (for example MultiWAN) support only a subset (IP + CIDR).
In such cases, only compatible host sets will appear in dropdowns.
Manage Host Sets
Go to:
- Users and objects → Objects → Host sets
You will see:
- set name
- IP version
- number of records
- usage status
Objects from other areas (static leases, DNS records, VPN users) also appear here and can be added into sets, but cannot be edited from this tab.
Unused Objects
If an object is not used in any host set or rule, it is marked as unused.
To see usage:
- click Show usages
Used objects cannot be deleted until removed everywhere they are referenced.
Add a Host Set
- Go to Users and objects → Objects → Host sets
- Click Add host set
- Fill in:
Host Set name
- letters and numbers only
- no spaces/special characters
- choose a meaningful identifier
IP version
- select IPv4 or IPv6
Records
- add entries one by one, such as:
  - single IP: 192.168.1.10
  - CIDR: 10.10.0.0/24
  - range: 10.10.1.1-10.10.1.5
  - previously created objects
- Click Add record after each entry
- Review and remove unwanted entries via trash icon
- Click Add host set to save
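The host set rules above (alphanumeric name, one IP version per set, records given as a single IP, CIDR or range) can be checked on a planned record list before it is typed into the UI. This is an added example, not NexappOS code: the function names are hypothetical, it handles literal records only (references to other objects are not resolved), it treats a CIDR with host bits set as an error, and the overlap check goes beyond what the page requires.

```python
import ipaddress
import re

NAME_RE = re.compile(r"[A-Za-z0-9]+")  # page rule: letters and numbers only

def parse_record(text):
    """Return (first_ip, last_ip) for a single IP, a CIDR network or an a-b range."""
    text = text.strip()
    if "/" in text:
        net = ipaddress.ip_network(text, strict=True)  # assumption: host bits are an error
        return net[0], net[-1]
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {text}")
        return lo, hi
    ip = ipaddress.ip_address(text)
    return ip, ip

def validate_host_set(name, ip_version, records):
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append(f"name {name!r}: letters and numbers only")
    spans = []
    for rec in records:
        try:
            lo, hi = parse_record(rec)
        except ValueError as exc:
            problems.append(f"{rec}: {exc}")
            continue
        if lo.version != ip_version:
            problems.append(f"{rec}: IPv{lo.version} record in an IPv{ip_version} set")
            continue
        spans.append((lo, hi, rec))
    # Overlap check (added, not a page rule): sort by start, track the widest span so far.
    spans.sort(key=lambda s: (s[0], s[1]))
    widest = None
    for lo, hi, rec in spans:
        if widest and lo <= widest[1]:
            problems.append(f"{rec} overlaps {widest[2]}")
        if widest is None or hi > widest[1]:
            widest = (lo, hi, rec)
    return problems

# Constructed sample: the page's three record forms plus two deliberate mistakes.
SAMPLE = ["192.168.1.10", "10.10.0.0/24", "10.10.1.1-10.10.1.5", "10.10.0.20", "2001:db8::1"]
if __name__ == "__main__":
    print("\n".join(validate_host_set("WebServers", 4, SAMPLE)))
```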
Domain Sets
Domain sets allow grouping multiple domains into a single object.
They are especially useful when a service changes IPs frequently (CDNs, SaaS, cloud apps).
Key Features
- domains automatically resolve to IPs
- resolution refreshes periodically
- each set supports either IPv4 or IPv6, not both
- accepts:
  - FQDNs (www.example.com)
  - wildcard domains (example.com matches subdomains)
Use Cases
- application control (SaaS platforms)
- allow lists for trusted domains
- deny lists for known malicious domains
- content access policies using names, not IPs
Benefits
- no manual IP updates when domains change
- more intuitive, policy-friendly rule writing
Manage Domain Sets
Go to:
- Users and objects → Objects → Domain sets
You will see:
- domain set name
- IP version
- domain count
- usage status
Unused sets are marked unused and can be traced using Show usages.
Add a Domain Set
- Go to Users and objects → Objects → Domain sets
- Click Add domain set
- Fill in:
Domain Set name
- letters and numbers only
- no spaces/special characters
- choose a clear purpose-based name
IP version
- select IPv4 or IPv6
- create separate sets for each version if needed
Domains
- enter domain names one by one
- click Add domain after each entry
- repeat as needed
- Review list, remove unwanted domains with trash icon
- Click Add domain set to save
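Because a domain entry such as example.com also matches its subdomains, a planned allow or deny list is worth reviewing for how much each entry really covers before it is saved. This is an added example, not NexappOS code: the function names are hypothetical, and it assumes an entry covers the name itself plus every subdomain on a label boundary, so notexample.com is not covered by example.com.

```python
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalize(domain):
    """Lower-case, drop a trailing dot, and reject syntactically invalid names."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    if len(d) > 253 or len(labels) < 2 or not all(LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"invalid domain: {domain!r}")
    return d

def covers(entry, name):
    """True if a set entry matches name: the same name or a subdomain of it."""
    return name == entry or name.endswith("." + entry)

def review_domain_set(domains):
    """Return (kept, redundant, invalid) for a planned domain list."""
    valid, invalid = [], []
    for raw in domains:
        try:
            d = normalize(raw)
        except ValueError:
            invalid.append(raw)
            continue
        if d not in valid:
            valid.append(d)
    redundant = {}
    for d in valid:
        parents = [e for e in valid if e != d and covers(e, d)]
        if parents:
            redundant[d] = min(parents, key=len)  # broadest entry that already covers d
    kept = [d for d in valid if d not in redundant]
    return kept, redundant, invalid

# Constructed sample list, not taken from the page.
SAMPLE_DOMAINS = ["example.com", "cdn.example.com", "notexample.com",
                  "WWW.Example.org.", "bad_domain.com", "-x.example.net"]
if __name__ == "__main__":
    print(review_domain_set(SAMPLE_DOMAINS))
```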