If you plan to manage security policy by IP address, you must create two network group containers using the required common names.
The container name determines the function of network group objects in the container.
| Container Type | Required Common Name | Function |
|---|---|---|
| Internal network groups container | cn=internal-network-groups | Internal network groups contain ipNetwork objects that specify the IP addresses included in a policy of which the group is a member. |
| External network groups container | cn=external-network-groups | External network groups contain ipNetwork objects that specify IP addresses excluded from a policy in which the group is a member. |
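Because the container name alone decides whether a group's addresses are included or excluded, a misspelled common name is worth checking for. The following is an added example, not code from the product documentation: it scans an LDIF export for the two required containers and for ipNetwork objects that sit outside them. The base DN, the group names and the layout (ipNetwork under a group under the container) are assumptions.

```python
REQUIRED = ("cn=internal-network-groups", "cn=external-network-groups")

# Constructed sample export: base DN and group names are assumptions, and the
# external container is deliberately misspelled (missing the final "s").
SAMPLE = """\
dn: cn=internal-network-groups,ou=policy,dc=example,dc=com
objectClass: top

dn: cn=10.1.0.0,cn=branch,cn=internal-network-groups,ou=policy,dc=example,dc=com
objectClass: ipNetwork
ipNetworkNumber: 10.1.0.0

dn: cn=external-network-group,ou=policy,dc=example,dc=com
objectClass: top

dn: cn=10.1.9.0,cn=guests,cn=external-network-group,ou=policy,dc=example,dc=com
objectClass: ipNetwork
ipNetworkNumber: 10.1.9.0
"""

def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of {attribute: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.replace("\n ", "").splitlines():  # undo line folding
            if not line.startswith("#") and ": " in line:
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def rdns(dn):
    """Lowercased RDNs, leaf first; assumes no escaped commas in the DN."""
    return [part.strip().lower() for part in dn.split(",")]

def check_containers(text):
    """Report missing required containers and ipNetwork objects outside them."""
    found, misplaced = {}, []
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        parts = rdns(dn)
        if parts[0] in REQUIRED:
            found[parts[0]] = dn
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "ipnetwork" in classes and not set(parts[1:]) & set(REQUIRED):
            misplaced.append(dn)
    missing = [name for name in REQUIRED if name not in found]
    return {"found": found, "missing": missing, "misplaced": misplaced}
```

Calling `check_containers(SAMPLE)` reports `cn=external-network-groups` as missing and lists the ipNetwork entry under the misspelled container as misplaced.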