>
    Strata Copilot
    Harvest IP-Tags from Public and Hybrid Kubernetes Clusters to Enforce Security Policy Rules
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Deploy Prisma AIRS AI Runtime, VM-Series, and CNGFW Firewalls
    5. Harvest IP-Tags from Public and Hybrid Kubernetes Clusters to Enforce Security Policy Rules
    Download PDF
    Prisma AIRS

    Harvest IP-Tags from Public and Hybrid Kubernetes Clusters to Enforce Security Policy Rules

    Table of Contents

    Harvest IP-Tags from Public and Hybrid Kubernetes Clusters to Enforce Security Policy Rules

    Harvesting IP-tags for public and hybrid Kubernetes clusters.
    Where Can I Use This?What Do I Need?
    • Secure Container Traffic with Prisma AIRSAI Runtime Firewall
    This section explains how to configure the IP-tag collector to harvest IP-tags from Kubernetes clusters with private CIDR blocks across various cloud environments, enabling security policy rules based on these tags.
    In PAN-OS release 11.2.10-h2 (and later), the tag collector only harvests IP tags from AWS and Azure private Kubernetes clusters. Using the tag collector for AWS and Azure public cluster and GCP clusters is currently not supported.
    The IP-tag collector sends these tags to the Prisma AIRS AI Runtime Firewall in Strata Cloud Manager, so the Strata Cloud Manager can detect these IP-tags while creating the security policy rules.
    The Prisma AIRS AI Runtime Firewall protects traffic to and from non-AI and AI applications and models, which may involve containerized and VM-based workloads. Given the short lifecycle of container pods in Kubernetes (often around 3 minutes), dynamic IP-tag collection is essential. The IP-tag collector helps capture IP-tags, such as Kubernetes labels for namespaces, services, and pods, in real-time. This allows automatic IP address registration and tag management within AI Runtime Security, dynamically adapting security policy rules based on current cluster activity.
    For further information on dynamic IP addresses and tags, refer to Dynamic Address Groups in Security Policy.
    On this page, you will:
    The IP-tag collector uses 1 vCPU.

    Configure IP-Tag Collector to Send IP-Tags to Edge Service

    1. Verify the IP-tag collector mode status is enabled by the Prisma AIRS AI Runtime Firewall deployment Terraform:
      show system info | match tag-collector-mode
      This shows the collector mode as enabled.
      tag-collector-mode: enabled
    2. Configure the Strata Cloud Manager region to enable the IP-tag collector to send the IP-tags to Strata Cloud Manager.
      View and enter the Strata Cloud Manager regions:
      request plugins kubernetes set-tag-collector-config region
      request plugins kubernetes set-tag-collector-config region <region_name>
    3. Configure the Kubernetes cluster:
      1. If you have access to perform secure copy (scp) transfer of your credential file to the IP-tag collector, use the following commands:
        scp import k8s-service-account
        set deviceconfig plugins kubernetes setup \
cluster-credentials <cluster_name> \
api-server-address <cluster-external-endpoint-ip> \
cluster-type [GKE|AKS|EKS] \
cluster-credential-file \
[GCP-service-account-json|AWS-credentials-file|Azure-credentials-file] <filename>
labels no-labels
        • Replace the value for the variable: `<cluster-external-endpoint-ip>` with the external endpoint IP address of your cluster (GKE, AKS, EKS) in your cloud console (Google, Azure, or Amazon).
          For example, to fetch the GKE cluster in the Google Cloud Console, navigate to Kubernetes Engine > Clusters > [Your Cluster] > External endpoint and copy the external endpoint IP address.
        • Enter the credential file type (GCP-service-account-json, AWS-credentials-file, or Azure-credentials-file) based on your cloud provider.
      2. If you don't have access to perform a secure copy (`scp`) transfer of your credential file to the IP-tag collector:
        Compress (`gzip`) and encode (`base64`) your credential file, and then use it in the following command. For detailed instructions on creating the credential file, refer to the following documentation.
        #Enter the configuration mode
configure

set deviceconfig plugins kubernetes setup \
cluster-credentials <cluster_name> \
api-server-address <Cluster API server IP address or FQDN> \
cluster-type [GKE|AKS|EKS] \
cluster-credential-file \
service-account-cred <credential_str>
labels no-labels
    4. Create the monitoring definitions on the IP-tag collector:
      set deviceconfig plugins kubernetes \
monitoring-definition <mon_def_name> \
cluster-credentials <cluster_name> \
enable yes
      You can map only one cluster to a monitoring definition and one monitoring definition to a cluster.
    5. commit to save your changes.
    6. Run the following command to view your cluster name and cluster status:
      show plugins kubernetes status
      Your cluster's status should show as "Connected" indicating successful onboarding.

    Configure IP-Tag Collector as Redistribution Agent on Prisma AIRS AI Runtime Firewall

    Data redistribution also provides granularity, allowing you to redistribute only the types of information you specify to the devices you select. You can also filter the IP to User mappings or IP to Tag mappings using subnets and ranges to ensure the firewalls collect only the mappings they need to enforce the policy. For more information, see Firewall Deployment for Data Redistribution.
    You can configure the IP-tag collector as a redistribution agent on your Prisma AIRSAI Runtime Firewall console or Strata Cloud Manager. Plan the redistribution architecture, configure the data sources from which your redistribution agents obtain the data to redistribute to their clients, and then configure the authentication policy.
    For more information on configuring the IP-tag collector as a redistribution agent, see Configure Data Redistribution and use Strata Cloud Manager to set up and manage identity redistribution.
    1. Log in to Strata Cloud Manager.
    2. Navigate to Configuration → NGFW and Prisma Access → Identity Services → Identity Redistribution.
    3. Select the Configuration Scope where you want to configure identity redistribution.
    4. Select Add Agent.
    5. Enter a descriptive Name for the redistribution agent.
      1. Confirm that the agent is enabled.
      2. Enter the Host IP address.
      3. Enter the Port (default port is 5007, and the range is 1-65535).
      4. Select one or more data types that you want to redistribute in the Data Type Mapping:
        Ensure to select IP to Tag mapping.
      5. (Optional) Enter the Collector Name to identify which system you want to use as a redistribution agent.
      6. (Optional) Enter and confirm the Collector Pre-Shared Key for the system you want to use as a redistribution agent.
    6. Save.
    7. Commit.
    8. Push Config from Strata Cloud Manager to the AI Runtime Security managed folder.
    9. For the redistribution client to show up on the agent and for local distribution to work, run the following commands on your IP-tag collector:
      #Enter the configuration mode
configure
      The `userid` service may be disabled by default. Use the below command to enable the `userid` service (This is an optional step, and you can skip it if the `userid` is already enabled):
      set deviceconfig system service disable-userid-service no

commit
    10. Display the status and configuration of all redistribution service clients:
      show redistribution service client all
      #Output
IP address/port    Vsys-ID    Version    Status    Redistribution
10.13.0.3/58742    1          6          idle      ITUH
    11. Run the following commands to show, debug, or request the Kubernetes plugin information:
      show plugins kubernetes [ counters | details-dashboard | ip-details | status | tag-details ]

debug plugins kubernetes [dump-cluster-response | kubernetes-db-dump | kubernetes-tags ]

request plugins kubernetes [merge-logs | set-tag-collector-config | validate-cluster-creds ]

    Add Address Group and Filter the IP-Tag Mappings for Kubernetes Clusters

    In a large-scale network, instead of configuring all your firewalls directly to query the mapping information sources, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. Data redistribution also provides granularity, allowing you to redistribute only the types of information you specify to only the devices you select. Filter the IP-tag mappings using subnets and ranges to ensure the firewalls collect only the mappings they need to enforce security policy rules.
    After configuring Strata Cloud Manager for your Prisma AIRSAI Runtime Firewall, add an address group and filter the IP-tag mappings for your Kubernetes clusters.
    1. Log in to Strata Cloud Manager.
    2. Navigate to Configuration → NGFW and Prisma Access → Objects → Address → Address Groups → Add Address Group with the required IP address-to-tag mappings.
    3. Enter an address group Name.
    4. Enter a Description.
    5. Select the Dynamic address group Type.
    6. Click Add Match Criteria.
    7. Switch to the CIE tab to view the list of Kubernetes tags sent from the IP-Tag collector to Strata Cloud Manager.
    8. Select the required Kubernetes tags to create an address group.
    9. Click Save.

    Add a Security Policy Rule

    Create a security policy rule with the address group containing the set of harvested Kubernetes IP-tags. Push this policy rule to the Prisma AIRS AI Runtime Firewall deployed in your cloud environment to enforce the policy rules on these IP-tags.
    1. Log in to Strata Cloud Manager.
    2. Navigate to Configuration → NGFW and Prisma Access → Security Services → Security Policy.
    3. Select Add Rule.
    4. Click pre-rule or post-rule.
    5. Enter your security policy rule Name.
    6. Enter a Description for the policy.
    7. Select the Source and Destination match criteria.
    8. In the Source section, click Select under Addresses.
      1. For the Source Address, select the Dynamic Address Group you created with the harvested IP tags in the previous section.
    9. Specify the action: Allow or Deny for the traffic.
    10. Optional Attach the security profile group to the security policy under Profile Group.
    11. Save.
    12. Select Push Config to push configuration changes to your Prisma AIRS Firewall.
      The IP-tag collector will now be listed as a cloud-managed device on Strata Cloud Manager under Workflows → NGFW SetupDevice Management → Cloud Managed Devices.
    13. After a successful push configuration, log in to your Prisma AIRS AI Runtime Firewall command line interface and run the following command to view the IP-tags and security policies list.
      show object registered-ip all

#Output
registered IP			Tags
--------------------------     --------
10.111.22.108 *	 	    "k8s.ns_gmp-system (never expire)"
          			   "k8s.ns_gmp-operator (never expire)"
10.111.19.125 *		     "k8s.svc_metrics-server (never expire)"

    © 2026 Palo Alto Networks, Inc. All rights reserved.