Cloud IP Tags for Cloud NGFW for Azure in Strata Cloud Manager

Automate scalable IP Tag dynamic policy enforcement in cloud environments, simplifying security management across Strata™ Cloud Manager and Panorama®.
Where Can I Use This?
  • Cloud NGFW for Azure
  • Strata Cloud Manager

What Do I Need?
  • Cloud NGFW for Azure running PAN-OS® 11.2 and later
    New customers: starting March 18, 2026, all new Cloud NGFW for Azure tenants have PAN-OS 11.2 enabled by default.
    Existing customers: upgrades start from mid-April 2026. Prepare for the mandatory upgrade; to request an early upgrade, open a TAC case.
  • Palo Alto Networks Customer Support Portal account
  • Azure Marketplace subscription
Cloud NGFW for Azure lets you enforce security policy based on Azure resource attributes and tags instead of static IP addresses. When you create a Cloud IP Tag configuration in Strata Cloud Manager (SCM), SCM polls your Azure environment at the interval you configure, discovers the tags on resources such as Azure virtual machines, detects new or modified tags, and updates the IP addresses that your security rules match through dynamic address groups. Because the rules reference tags rather than addresses, policy stays consistent as workloads and user groups are created, moved or retired. Static, IP-based firewall policy in a dynamic cloud environment requires a manual update for every changed address, which creates operational overhead and leaves windows in which a rule either misses a new workload or still permits an address that has been reused; Cloud IP Tags remove that manual step and let you manage Cloud NGFW at scale in Azure through SCM.
Cloud IP Tags in SCM support multi-account environments. Repeat the onboarding procedure (step 3 below) for each Azure subscription to aggregate tags from, and enforce tag-based policy across, multiple subscriptions.
The following table lists the Cloud NGFW for Azure resource attributes and tags that Strata Cloud Manager (SCM) harvests. Each harvested value becomes a tag of the form azure.<attribute>.<value>, the format used in the match-criteria example in step 6 below, and that is the string you reference in dynamic address group match criteria.

Attribute Type | Tag Format | Example | Description
-------------- | ---------- | ------- | -----------
VM Name | azure.vm-name.<name> | azure.vm-name.web_server1 | The name assigned to the virtual machine.
VM Size | azure.vm-size.<size> | azure.vm-size.Standard_DS2_v2 | The Azure instance size/type.
OS Type | azure.os-type.<type> | azure.os-type.Linux | The operating system family.
OS Publisher | azure.os-publisher.<publisher> | azure.os-publisher.Canonical | The organization that created the VM image.
OS Offer | azure.os-offer.<offer> | azure.os-offer.UbuntuServer | The product offering from the publisher.
OS SKU | azure.os-sku.<sku> | azure.os-sku.14.04.5-LTS | The specific version or stock keeping unit of the OS.
Subnet Name | azure.subnet-name.<subnet> | azure.subnet-name.web | The Azure subnet in which the resource resides.
VNET Name | azure.vnet-name.<vnet> | azure.vnet-name.myvnet | The virtual network containing the resource.
Azure Region | azure.region.<region> | azure.region.eastus | The Azure region of the resource.
Resource Group | azure.resource-group.<group> | azure.resource-group.myResourceGroup | The logical container for Azure resources.
User Tags | azure.tag.<key>.<value> | azure.tag.role.web (illustrative) | User-defined tags; up to 10 per resource are harvested.
Configure Scalable IP Tag and User-ID Dynamic Policy Enforcement
Use this section to configure dynamic policy enforcement with IP tags in your Strata Cloud Manager environment for Cloud NGFW for Azure. The workflow drives security policy from cloud resource tags so that enforcement stays consistent as your cloud environment changes, without per-address rule edits.
Cloud IP Tag configuration currently supports only the IP Tag data type for Cloud NGFW for Azure. Other data types (User Tag, IP User, IP Port User and Quarantine List) are not supported at this time. The IP Tag data type is applied automatically when you associate a monitoring definition with a folder; there is nothing to select.
  1. Log in to the Strata Cloud Manager UI.
  2. Go to Configuration > IP Tag Collection.
  3. Onboard a cloud account.
    1. Click Add New Cloud Account.
    2. Select the Cloud Type (for example Azure).
    3. Enter a Name for the account.
    4. Choose the Connection Type:
       • To use Terraform (recommended), click Connect with Terraform, then click Download Terraform Bundle and run Terraform (for example, terraform init and terraform apply) in your cloud environment.
       • To use credentials, click Connect with Credentials and provide the required credentials (for Azure: Subscription ID, Tenant ID, Client ID and Client Secret). Treat the client secret as a credential that grants read access to your subscription inventory: scope the service principal's role assignment to the subscriptions you are monitoring and rotate the secret according to your policy.
    5. Click Test Connection.
    6. Click Save.
  4. Create a monitoring definition (Tag Distribution).
    1. On the IP Tag Collection page, select the cloud account, then click Distribute.
    2. Enter a Name for the monitoring definition.
    3. Specify the Polling Interval (for example, 300 seconds). The minimum interval is 1 minute and the maximum is 30 minutes.
    4. Select the Regions from which to collect tags.
    5. Choose the Folder where the harvested tags will be stored.
    6. Click Save.
  5. (Optional) Manually trigger a full sync. A full sync forces SCM to poll your Azure environment immediately and refresh all IP-to-tag mappings, rather than waiting for the next scheduled poll.
    1. On the IP Tag Collection page, locate the monitoring definition.
    2. Under Actions, select Full Sync.
    3. Allow time for tags to be harvested and processed.
  6. Create a dynamic address group using harvested tags.
    1. Navigate to Policies > Objects > Address Groups.
    2. Click Add Address Group.
    3. Enter a Name for the address group.
    4. Set the Type to Dynamic.
    5. In the Match Criteria field, enter the tag (for example: azure.vnet-name.webserver_vnet).
      The format of each tag varies according to the type of resource from which it is collected.
    6. Click Save.
  7. Create a security policy rule.
    1. Navigate to Policies > Security.
    2. Click Add Rule.
    3. Enter a Name for the rule.
    4. Under the Source tab, add the dynamic address group created in the previous step.
    5. Configure other policy parameters (Destination, Application, Service/URL Category, Action).
    6. Click Save.
  8. Push the configuration to the firewall.
    1. Ensure your firewall is associated with the folder chosen during monitoring definition creation.
    2. Initiate a configuration push to the relevant firewall(s).
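The harvest-and-match cycle that the attribute table and steps 4 through 6 above describe can be simulated end to end. The following script is an added illustration, not Palo Alto Networks product or documentation code: it turns a constructed Azure VM inventory into azure.<attribute>.<value> tags per private IP (honoring the 10-user-tag limit from the table), evaluates a dynamic address group match expression against that map, and then re-polls after a tag edit to show membership changing while the rule itself is untouched. The match-expression grammar (bare or single-quoted tags combined with and/or/not and parentheses) and the key-order rule for which 10 user tags are kept are assumptions made for the example.

```python
"""Simulated Cloud IP Tag harvest and dynamic address group (DAG) matching.

Added illustration, not Palo Alto Networks product code. The VM inventory is
constructed sample data; the match-expression grammar and the ordering used
to select the first 10 user tags are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field, replace

MAX_USER_TAGS = 10  # limit stated in the attribute table on this page


@dataclass
class AzureVM:
    name: str
    private_ip: str
    vm_size: str
    os_type: str
    subnet: str
    vnet: str
    region: str
    resource_group: str
    tags: dict[str, str] = field(default_factory=dict)


def harvest_tags(vm: AzureVM) -> set[str]:
    """Map one VM's attributes to the azure.<attribute>.<value> tags for its IP."""
    tags = {
        f"azure.vm-name.{vm.name}",
        f"azure.vm-size.{vm.vm_size}",
        f"azure.os-type.{vm.os_type}",
        f"azure.subnet-name.{vm.subnet}",
        f"azure.vnet-name.{vm.vnet}",
        f"azure.region.{vm.region}",
        f"azure.resource-group.{vm.resource_group}",
    }
    # Only MAX_USER_TAGS user-defined tags are harvested; taking them in key
    # order keeps a re-poll deterministic (the ordering rule is an assumption).
    for key, value in sorted(vm.tags.items())[:MAX_USER_TAGS]:
        tags.add(f"azure.tag.{key}.{value}")
    return tags


def build_ip_tag_map(vms: list[AzureVM]) -> dict[str, set[str]]:
    """One poll: private IP -> tag set, the mapping distributed to the folder."""
    return {vm.private_ip: harvest_tags(vm) for vm in vms}


_TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")


def dag_members(criteria: str, ip_tags: dict[str, set[str]]) -> set[str]:
    """Evaluate a DAG match expression against the IP -> tags map.

    Assumed grammar: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | tag, with tags bare or single-quoted.
    """
    tokens = _TOKEN.findall(criteria)
    pos = 0

    def peek() -> str | None:
        return tokens[pos].lower() if pos < len(tokens) else None

    def take() -> str:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of match criteria")
        pos += 1
        return tokens[pos - 1]

    def parse_or() -> set[str]:
        result = parse_and()
        while peek() == "or":
            take()
            result = result | parse_and()
        return result

    def parse_and() -> set[str]:
        result = parse_not()
        while peek() == "and":
            take()
            result = result & parse_not()
        return result

    def parse_not() -> set[str]:
        if peek() == "not":
            take()
            return set(ip_tags) - parse_not()
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in match criteria")
            return inner
        if tok == ")":
            raise ValueError("unexpected ')' in match criteria")
        tag = tok[1:-1] if tok.startswith("'") else tok
        return {ip for ip, tags in ip_tags.items() if tag in tags}

    members = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r} in match criteria")
    return members


def members_after_tag_change(criteria: str, vms: list[AzureVM],
                             vm_name: str, key: str, value: str) -> set[str]:
    """Re-poll after a tag edit in Azure: DAG membership follows the tag while
    the security rule referencing the DAG is left untouched."""
    updated = [replace(vm, tags={**vm.tags, key: value}) if vm.name == vm_name else vm
               for vm in vms]
    return dag_members(criteria, build_ip_tag_map(updated))


# Constructed sample inventory (not real Azure data).
INVENTORY = [
    AzureVM("web01", "10.1.1.4", "Standard_DS2_v2", "Linux", "web",
            "webserver_vnet", "eastus", "prod-rg", {"role": "web", "env": "prod"}),
    AzureVM("web02", "10.1.1.5", "Standard_DS2_v2", "Linux", "web",
            "webserver_vnet", "eastus", "prod-rg", {"role": "web", "env": "staging"}),
    AzureVM("db01", "10.1.2.4", "Standard_E4s_v3", "Linux", "db",
            "webserver_vnet", "eastus", "prod-rg", {"role": "db", "env": "prod"}),
    # 12 user tags: exercises the 10-tag harvest limit.
    AzureVM("jump01", "10.2.0.4", "Standard_B2s", "Windows", "mgmt",
            "mgmt_vnet", "westus", "mgmt-rg", {f"k{i}": f"v{i}" for i in range(12)}),
]

PROD_WEB = "'azure.vnet-name.webserver_vnet' and 'azure.tag.env.prod' and not 'azure.tag.role.db'"

if __name__ == "__main__":
    ip_tags = build_ip_tag_map(INVENTORY)
    print("webserver_vnet:", sorted(dag_members("azure.vnet-name.webserver_vnet", ip_tags)))
    print("prod web:      ", sorted(dag_members(PROD_WEB, ip_tags)))
    print("after web02 env=prod:",
          sorted(members_after_tag_change(PROD_WEB, INVENTORY, "web02", "env", "prod")))
```

Two points the script makes concrete: a tag-based rule's effective address list is whatever the last poll returned, so a tag change in Azure is only enforced after the next poll or a full sync; and once a resource carries more than 10 user tags, some of them are never harvested, so a rule that matches on such a tag silently loses members. Keep the tags you match on among the first ten, or match on the built-in attributes instead.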
Performance Factors for Cloud IP-Tag Harvesting
The average latency for tag enforcement depends on the following configuration factors, each of which can extend the total processing time:
  • Region Selection: Selecting all available Azure regions or a large number of regions in a single monitoring definition increases the number of queued jobs. This can lead to longer harvesting durations.
  • Polling Interval Impacts: Frequent polling combined with a high volume of tags and regions may increase the processing queue, potentially delaying the distribution cycle.
Recommended Best Practice
To keep harvesting latency low:
  • Select only the Azure regions in which your dynamic workloads are currently deployed, rather than selecting All.
  • Optimize the polling interval: the minimum is 1 minute, but set each definition's interval to match how often its tags actually change. Do not default every definition to 1 minute; reserve short intervals for the definitions whose updates are time-critical so that the processing queue stays free for them.