Network groups

A Network group is a logical group of private or public subnets and/or IP addresses. Grouping subnets by the purpose they serve lets you enforce common Access policies on those subnets at scale, and grant controlled access to the Workload groups that need to reach them. For example, you can create a Network group for the subnets that provide infrastructure services such as DNS and DHCP to Workload groups.

In Xshield, you create a Network group by grouping one or more of the following:

  • IP subnets - IPv4 subnets in Classless Inter-Domain Routing (CIDR) notation

  • Ranges of IP addresses - ranges of IPv4 addresses, specified by their first and last address

Base your Network groups on your organization's IP address allocation plan. Well-defined Network groups let you create Access policies between Network groups and Workload groups quickly and consistently.
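The following is an added example (not Xshield code) that models a Network group the way the text describes it: a set of IPv4 subnets in CIDR notation plus a set of inclusive IP address ranges, where ranges are independent of the subnets. The NetworkGroup class, its method names and the Private/Public sanity check are assumptions made for illustration; it shows the input validation a practitioner would want before an address set ends up in an enforced policy (rejecting host bits in a CIDR, reversed ranges and IPv6), a membership test, and the collapsed CIDR list that the subnets and ranges together cover.

```python
"""Model of an Xshield-style Network group as IPv4 subnets (CIDR) plus
inclusive IPv4 address ranges.

Added example, not Xshield code. The NetworkGroup class and its method
names are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

IPv4Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


@dataclass
class NetworkGroup:
    name: str
    network_type: str  # "Private" or "Public", as in the Type drop-down
    subnets: List[ipaddress.IPv4Network] = field(default_factory=list)
    ranges: List[IPv4Range] = field(default_factory=list)

    def _check_type(self, what: str, is_private: bool) -> None:
        # Sanity check (assumption): a Private group should hold private
        # address space and a Public group should not. Python's is_private
        # follows the IANA special-purpose registry, so treat it as a heuristic.
        want_private = self.network_type == "Private"
        if is_private != want_private:
            raise ValueError(f"{what} does not belong in a {self.network_type} group")

    def add_subnet(self, cidr: str) -> None:
        # strict=True rejects host bits (e.g. 10.2.1.5/24), so a typo cannot
        # silently widen the group to the whole /24.
        net = ipaddress.ip_network(cidr, strict=True)
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"{cidr}: only IPv4 subnets are supported")
        self._check_type(cidr, net.is_private)
        self.subnets.append(net)

    def add_range(self, first: str, last: str) -> None:
        # A range is given by its first and last address and need not lie
        # inside any subnet of the group.
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != 4 or hi.version != 4:
            raise ValueError("only IPv4 ranges are supported")
        if lo > hi:
            raise ValueError(f"{first}-{last}: first address is after last")
        self._check_type(f"{first}-{last}", lo.is_private and hi.is_private)
        self.ranges.append((lo, hi))

    def contains(self, ip: str) -> bool:
        """True if ip falls in any subnet or any range of the group."""
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            return False
        return any(addr in net for net in self.subnets) or any(
            lo <= addr <= hi for lo, hi in self.ranges)

    def collapsed(self) -> List[ipaddress.IPv4Network]:
        """Minimal list of CIDR blocks covering subnets and ranges together."""
        nets = list(self.subnets)
        for lo, hi in self.ranges:
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        return list(ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    g = NetworkGroup("infra-services", "Private")
    g.add_subnet("10.2.1.0/24")
    g.add_range("10.2.1.1", "10.2.1.50")    # overlaps the subnet: harmless
    g.add_range("10.9.0.10", "10.9.0.20")   # outside any subnet: allowed
    print([str(n) for n in g.collapsed()])
    print(g.contains("10.9.0.15"), g.contains("10.9.0.21"))
```

The collapsed view is useful when reviewing what an Access policy will actually open: a range that falls outside every subnet shows up as its own set of CIDR blocks, while a range inside a subnet disappears into it.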


Types of Network groups

Two types of Network groups exist in Xshield.

  • System-generated - Network groups that Xshield creates automatically when you enforce Corporate policy templates on Workload groups.

    A system-generated Network group cannot be edited or deleted. It is updated automatically when you edit the related Corporate policy template, and it no longer appears on the Network groups page if you stop enforcing that template.

    See Corporate policy templates for more details.

  • User-created - Network groups that you create to group IP subnets and/or ranges of IP addresses. See Ways to create Network groups below.

    User-created Network groups can be edited or deleted. Because Access policies reference Network groups, editing or deleting one changes the reach of every Access policy in which it is used, so review those policies first.


Ways to create Network groups

In Xshield, you can create Network groups in one of the following ways:

  • Select from the ColorTokens-curated list of well-known private and public subnets, and/or add custom subnets and IP address ranges.

    See Create Network groups for more details.

  • Inspect the public and private subnets that Xshield-managed assets (workloads and endpoints) have communicated with. Xshield lists these subnets as 'Observed' subnet groups on the Network groups page.

    This is historical data collected from the Unauthorized, Authorized, and Blocked connections in your Xshield-managed network, from the time you upgraded Xshield to the version released on the 17th of July, 2020.

    Select the required subnets and add them to a new or an existing Network group.

    See Create Network groups from 'Observed' subnet groups and Add 'Observed' subnet groups to existing Network groups for more details.


Create Network groups

Subnets and IP address ranges are considered independently; an IP address range does not have to fall within any of the subnets you add to the Network group.

  1. Go to Assets & Groups > Network groups.

  2. Click Create > Network group.

  3. In the Name text box, enter a name for the Network group.

  4. Add a useful description.

  5. From the Type drop-down list, select Private Network or Public Network.

    You will see a ColorTokens-curated list of private or public subnets, depending on what you choose.

  6. Select All or some of the subnets.

  7. Review the Remote Access options. These options apply only when the Network group is the protected entity in an Access policy.

    • Select Allow remote user access if you want to allow remote end users to access the entities in the Network group.

    • Select Hide real IP address from remote access to hide the IP addresses of entities in the Network group.

  8. Click Add to add custom subnets, in CIDR notation, beyond the curated list.

  9. In the IP range list, click Add and enter the first and last IP addresses of the range, for example 10.2.1.1 and 10.2.1.50.

    Click Add again to add further IP address ranges.

  10. Click Save.


Create Network groups from 'Observed' subnet groups

Xshield categorizes the subnets that managed assets have already communicated with as follows:

  • Observed Public Groups - all public subnets with which Xshield-managed assets have communicated, listed as /8 or /16 subnets, grouped by country of origin, with the trust reputation of each subnet.

  • Observed Private Groups - all private subnets with which Xshield-managed assets have communicated, listed as /24 subnets.
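To make the categorization above concrete, here is an added example (not Xshield code) that buckets the peer addresses from a constructed list of connection records the same way: private peers by /24 and public peers by /16 (or /8, if you pass that prefix). It also lists which observed groups are not yet covered by the subnets of an existing Network group, which is the question you answer before using Add Into Group. The record format, the function names and the sample data are assumptions; Xshield's reputation and country data are not modelled.

```python
"""Bucket the peer addresses that managed assets have communicated with
into 'Observed'-style subnet groups: private peers by /24, public peers
by /16, as on the Network groups page.

Added example, not Xshield code. The connection records and the function
names are constructed for illustration.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample: (peer IP, connection status as Xshield reports it)
SAMPLE_CONNECTIONS: List[Tuple[str, str]] = [
    ("10.2.1.15", "Authorized"),
    ("10.2.1.99", "Unauthorized"),
    ("10.2.7.4", "Blocked"),
    ("192.168.50.2", "Authorized"),
    ("8.8.8.8", "Authorized"),
    ("8.8.4.4", "Authorized"),
    ("1.1.1.1", "Unauthorized"),
    ("127.0.0.1", "Authorized"),    # loopback: not a peer subnet, skipped
    ("224.0.0.251", "Authorized"),  # multicast: skipped
]


def observed_groups(conns: Iterable[Tuple[str, str]],
                    private_prefix: int = 24,
                    public_prefix: int = 16) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return (private, public): CIDR string -> number of connections seen."""
    private: Counter = Counter()
    public: Counter = Counter()
    for ip, _status in conns:
        addr = ipaddress.ip_address(ip)
        # Only IPv4 peers are grouped; loopback, link-local, multicast and
        # the unspecified address are not subnets anyone should allow-list.
        if (addr.version != 4 or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_unspecified):
            continue
        if addr.is_private:
            key = ipaddress.ip_network(f"{addr}/{private_prefix}", strict=False)
            private[str(key)] += 1
        elif addr.is_global:
            key = ipaddress.ip_network(f"{addr}/{public_prefix}", strict=False)
            public[str(key)] += 1
        # Other special-purpose space (reserved, documentation) is ignored.
    return dict(private), dict(public)


def not_yet_covered(observed: Dict[str, int], existing_cidrs: Iterable[str]) -> List[str]:
    """Observed subnet groups that no subnet of an existing Network group contains."""
    existing = [ipaddress.ip_network(c) for c in existing_cidrs]
    return sorted(
        cidr for cidr in observed
        if not any(ipaddress.ip_network(cidr).subnet_of(e) for e in existing))


if __name__ == "__main__":
    priv, pub = observed_groups(SAMPLE_CONNECTIONS)
    print("private /24 groups:", priv)
    print("public /16 groups:", pub)
    # Which private groups would still need adding to a group holding 10.2.0.0/16?
    print("not yet covered:", not_yet_covered(priv, ["10.2.0.0/16"]))
```

Connection counts are kept so that a group seen once in a Blocked connection stands out from one that carries routine Authorized traffic; for public groups, the reputation column on the page, not the count, should drive whether you add them.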

  1. Go to Assets & Groups > Network groups.

  2. Go to Observed Public Groups or Observed Private Groups.

  3. Expand the row for a country (for public subnets) and select one or more subnets.

    We recommend that you add only 'Trustworthy' subnet groups. See the Reputation column for how Xshield's threat intelligence engine rates each subnet.

  4. Repeat this for other rows until you have selected all subnets you need in this Network group.

  5. Click Create New Group (located at the top-right corner).

  6. In the fly panel, specify the new Network group.

    The new Network group is Private or Public, depending on the subnets you selected.

  7. Click Save.


Add 'Observed' subnet groups to existing Network groups

You may not be able to add all required subnets to a Network group when you create it. To allow Workloads to reach more services, you may need to add subnets later, after the Workloads have communicated in Observed mode or have attempted to communicate in Enforced mode.

When you add new subnets to a Network group that has 'Enforced' Access policies with a Workload group, Xshield automatically updates the policies on the workloads in that group. The added subnets become reachable from those workloads without any further enforcement step, so verify each subnet before you add it.

  1. Go to Assets & Groups > Network groups.

  2. Go to Observed Public Groups or Observed Private Groups.

  3. Expand the row for a country (for public subnets) and select one or more subnets.

    For 'Observed' public subnets, we recommend that you add only 'Trustworthy' subnet groups to avoid compromising your network. See the Reputation column for how Xshield's threat intelligence engine rates each subnet.

  4. Repeat this for other rows until you have selected all subnets you need in this Network group.

  5. Click Add Into Group (located at the top-right corner).

  6. In the fly panel, select a Network group to which the subnet groups must be added.

  7. Click Next and click Save.


Filter Network groups

When you have created many Network groups, it can be hard to find the ones you want to review, edit or delete. To filter the Assets & Groups > Network groups page, search by Network group name.


Next steps

  • Create Access policies between Network groups and Workload groups.

  • Enforce policies on Workload groups.

  • See and analyze traffic to and from Network groups on Visualizer.

  • Assign Corporate policy templates to Workload groups and see the system-generated Network groups for the Corporate policy templates.
