Each ipNetwork object can appear in as many network groups as needed.
Each ipNetwork object functions independently, so overlap of IP address ranges among several ipNetwork objects is allowed.
You can create as many ipNetwork and network group objects as is required to represent the IP address ranges you want to use for assigning security policies.
To avoid detailed searches of the directory that would be required to verify the effects of IP based policy assignments, the database holds policy-related IP information in the network cache. The network cache is not updated dynamically.
If you make changes to ipNetwork or Network Group objects in the directory you must perform a TPA reset to force the database to reload the network cache and make the revised information available for policy enforcement.