Version 4.1 - 5.1.e Object definition and ACLs
This is the bread and butter of security engineers, so you're probably going to see something about it on the test. Remember that the questions are mostly created by engineers based on their experience, and I'm sure they would see this as something important. Note the difference between objects and object groups.
Types of object groups:
+ Protocol
+ Network
+ Service
+ ICMP type
Protocol object group example:
hostname (config)# object-group protocol tcp_udp_icmp
hostname (config-protocol)# protocol-object tcp
hostname (config-protocol)# protocol-object udp
hostname (config-protocol)# protocol-object icmp
Network object group example:
hostname (config)# object-group network admins
hostname (config-network)# description Administrator Addresses
hostname (config-network)# network-object host 10.1.1.4
hostname (config-network)# network-object host 10.1.1.78
hostname (config-network)# network-object host 10.1.1.34
Service object group example:
hostname (config)# object-group service services1 tcp-udp
hostname (config-service)# description DNS Group
hostname (config-service)# port-object eq domain
hostname (config)# object-group service services2 udp
hostname (config-service)# description RADIUS Group
hostname (config-service)# port-object eq radius
hostname (config-service)# port-object eq radius-acct
hostname (config)# object-group service services3 tcp
hostname (config-service)# description LDAP Group
hostname (config-service)# port-object eq ldap
ICMP object group example:
hostname (config)# object-group icmp-type ping
hostname (config-icmp-type)# description Ping Group
hostname (config-icmp-type)# icmp-object echo
hostname (config-icmp-type)# icmp-object echo-reply
Here's a good page on Adding Global Objects (8.4) that shows objects and object groups.
"A network object contains a single IP address/mask pair. Network objects can be of three types: host, subnet, or range."
"A service object contains a protocol and optional source and/or destination port."
I'm going to lightly go over this section because I just have so much time with this that I don't consider it an issue. If you're studying for this exam and you have access to an ASA - take some time (even if it's your own time) and look at your firewall rules. You can probably take those rules and "optimize" them - grouping them together using object-groups and "re-writing" the ACL using the object group to combine multiple lines. Do this for a couple of your firewalls and you won't have any trouble with this section.
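Here is what that kind of rewrite looks like, as an added example that is not from the original post or from Cisco's documentation. It reuses the admins, services2, services3 and ping groups defined above; the ACL name INSIDE_IN and the server address 10.2.2.10 are made up for illustration.

```cisco
! Constructed example. INSIDE_IN and 10.2.2.10 are assumptions, not from a real config.
!
! Before: one ACE per admin host, per port or ICMP type (15 lines)
access-list INSIDE_IN extended permit tcp host 10.1.1.4 host 10.2.2.10 eq ldap
access-list INSIDE_IN extended permit tcp host 10.1.1.78 host 10.2.2.10 eq ldap
access-list INSIDE_IN extended permit tcp host 10.1.1.34 host 10.2.2.10 eq ldap
access-list INSIDE_IN extended permit udp host 10.1.1.4 host 10.2.2.10 eq radius
access-list INSIDE_IN extended permit udp host 10.1.1.4 host 10.2.2.10 eq radius-acct
access-list INSIDE_IN extended permit udp host 10.1.1.78 host 10.2.2.10 eq radius
access-list INSIDE_IN extended permit udp host 10.1.1.78 host 10.2.2.10 eq radius-acct
access-list INSIDE_IN extended permit udp host 10.1.1.34 host 10.2.2.10 eq radius
access-list INSIDE_IN extended permit udp host 10.1.1.34 host 10.2.2.10 eq radius-acct
access-list INSIDE_IN extended permit icmp host 10.1.1.4 host 10.2.2.10 echo
access-list INSIDE_IN extended permit icmp host 10.1.1.4 host 10.2.2.10 echo-reply
access-list INSIDE_IN extended permit icmp host 10.1.1.78 host 10.2.2.10 echo
access-list INSIDE_IN extended permit icmp host 10.1.1.78 host 10.2.2.10 echo-reply
access-list INSIDE_IN extended permit icmp host 10.1.1.34 host 10.2.2.10 echo
access-list INSIDE_IN extended permit icmp host 10.1.1.34 host 10.2.2.10 echo-reply
!
! After: the same policy in 3 lines.
! Network group as the source, service group in the destination-port position,
! ICMP-type group in the ICMP-type position.
access-list INSIDE_IN extended permit tcp object-group admins host 10.2.2.10 object-group services3
access-list INSIDE_IN extended permit udp object-group admins host 10.2.2.10 object-group services2
access-list INSIDE_IN extended permit icmp object-group admins host 10.2.2.10 object-group ping
```

After a rewrite like this, `show access-list INSIDE_IN` expands each object-group line back into its individual entries with hit counts, so you can compare the expanded result against the original rules before removing them.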