
New Features - Cloud NGFW for AWS - July 2023


Dynamic Address Group (DAG) objects with Tags in Device Groups

Release Date: July 2023 | Last Updated: May 2026

A dynamic address group populates its members dynamically using tag-based filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure where changes in virtual machine location/IP address are frequent. For example, you have a sophisticated failover setup or provision new virtual machines frequently and would like to apply policy to traffic from or to the new machine without modifying the configuration/rules on the firewall.

Create appropriate policies in the firewall to allow or deny IP addresses. A policy requires an existing address group object as part of the policy creation process.

You can create Dynamic Address Groups with harvested Cloud NGFW tags for your cloud device group. Use the Panorama virtual appliance to configure a security group, a logical container that assembles guests across multiple ESXi hosts in the cluster. When you create a dynamic address group that meets the right criteria and commit your changes, a corresponding security group is created on the NSX-T Manager. Creating security groups is required to manage and secure the guests.

For a dynamic address group to become a security group on NSX-T, you must add match criteria to the dynamic address group in the following format: `_nsxt_<dynamic-address-group-name>`. The dynamic address group name used in the match criteria must match the dynamic address group name exactly.

To add match criteria for your dynamic address groups:

  1. In the Panorama Console, go to the Objects tab.

  2. On the left pane, go to Address Groups.

  3. Click Add.

  4. Enter the Name of your Address Group and set the Type to Dynamic.

  5. Click Add Match Criteria.

See Create Dynamic Address Groups for more information.

Filter Cloud NGFW Logs and Activity in Panorama

Release Date: July 2023 | Last Updated: May 2026

In the Panorama Monitor tab you can now filter to view the log of an individual Cloud Device Group, or display logs and activity for all Cloud Device Groups. Each log type records information for a separate event type, ensuring a structured approach to data collection. For example, the firewall generates a Threat log. This specialized log captures entries whenever network traffic matches a configured spyware, vulnerability, or virus signature. It also records instances of Denial-of-Service (DoS) attacks that meet predefined thresholds, such as those configured for port scan or host sweep activities, signaling potential malicious intent. This segregation by log type allows administrators to focus on specific security or operational aspects. Each log has a filter area that allows you to set criteria for which log entries to display. The ability to filter logs is useful for focusing on events on your firewall that possess particular properties or attributes. Filter logs by artifacts that are associated with individual log entries.

You can use various functions to manage these logs. This includes reviewing different Log Types and Severity Levels, and accessing them through View Logs. To refine your analysis, you can Filter Logs based on specific criteria. For record-keeping or offline analysis, the system supports Exporting Logs, with a dedicated use case such as exporting traffic logs for a date range.
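The filtering and export workflow described above, as an added example written for this page (it is not Panorama's own filter implementation or filter syntax; the record fields, the severity names used for ranking, and the sample log entries are constructed for illustration). It filters a set of records by log type, minimum severity, a date range (start inclusive, end exclusive) and any per-entry artifact such as a source address, and exports the selection as CSV for offline analysis.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Severity levels in ascending order; the names are assumed for this example.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class LogEntry:
    """One log record. Field names are this example's own, not Panorama's schema."""
    ts: datetime
    log_type: str      # "traffic" or "threat"
    severity: str      # a key of SEVERITY_RANK
    src: str
    dst: str
    action: str
    threat: str = ""   # threat name for threat logs, empty for traffic logs


# Constructed sample entries (not real firewall output).
SAMPLE_LOGS: List[LogEntry] = [
    LogEntry(datetime(2023, 7, 10, 9, 0), "traffic", "informational", "10.0.1.5", "10.0.2.9", "allow"),
    LogEntry(datetime(2023, 7, 10, 9, 5), "threat", "high", "203.0.113.7", "10.0.2.9", "drop", "port scan"),
    LogEntry(datetime(2023, 7, 11, 14, 30), "threat", "critical", "198.51.100.3", "10.0.1.5", "reset-both", "vulnerability exploit"),
    LogEntry(datetime(2023, 7, 12, 8, 0), "traffic", "informational", "10.0.1.5", "10.0.3.4", "deny"),
    LogEntry(datetime(2023, 7, 13, 10, 0), "threat", "medium", "10.0.1.5", "192.0.2.8", "alert", "spyware"),
]


def filter_logs(entries, log_type=None, min_severity=None, start=None, end=None, **artifacts) -> List[LogEntry]:
    """Return the entries that satisfy every given criterion.

    start is inclusive and end exclusive. Extra keyword arguments are matched
    against record fields by name, e.g. src="10.0.1.5" or action="deny".
    """
    for key in artifacts:
        if key not in LogEntry.__dataclass_fields__:
            raise ValueError(f"unknown log artifact {key!r}")
    if min_severity is not None and min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {min_severity!r}")
    selected = []
    for e in entries:
        if log_type is not None and e.log_type != log_type:
            continue
        if min_severity is not None and SEVERITY_RANK[e.severity] < SEVERITY_RANK[min_severity]:
            continue
        if start is not None and e.ts < start:
            continue
        if end is not None and e.ts >= end:
            continue
        if any(getattr(e, k) != v for k, v in artifacts.items()):
            continue
        selected.append(e)
    return selected


def export_csv(entries) -> str:
    """Serialise entries as CSV for offline analysis; the first line is the header."""
    header = "timestamp,type,severity,src,dst,action,threat"
    rows = [f"{e.ts.isoformat()},{e.log_type},{e.severity},{e.src},{e.dst},{e.action},{e.threat}"
            for e in entries]
    return "\n".join([header, *rows])


if __name__ == "__main__":
    # Traffic logs for 10 and 11 July 2023, exported for offline review.
    selection = filter_logs(SAMPLE_LOGS, log_type="traffic",
                            start=datetime(2023, 7, 10), end=datetime(2023, 7, 12))
    print(export_csv(selection))
```

The unknown-artifact check matters in practice: a filter on a misspelled field would otherwise silently match nothing and look like a clean log.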

For more information, see View Cloud NGFW Logs and Activity.

Use Tag-based Policies in Your Cloud NGFW for AWS Resource

Release Date: July 2023 | Last Updated: May 2026

You can automatically update the security policy on your Palo Alto Networks Cloud NGFW resources so that you can secure traffic to these AWS assets as you deploy or terminate AWS assets (such as EC2 instances) in the AWS public cloud. To enable tag-based policy rules for Cloud NGFW for AWS resources, you must prepare your Panorama® appliance for this integration by installing the AWS plugin version 5.1.0 or above. Using the Cloud NGFW Console, add your AWS accounts and harvest tags from the AWS resources. Then use the Panorama plugin to query tags periodically from your Cloud NGFW tenant and add them to the Panorama device groups to manage Dynamic Address Group objects and rules. For more information, see Use Dynamic Address Group in Policy.
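Tag-driven membership, as an added worked example covering both the dynamic address group description at the top of this page and the tag harvesting described here. This code is written for this page; it is not the Palo Alto Networks AWS plugin or Panorama's match-criteria engine. The harvested tag naming (such as `aws.tag.role.web`), the instance inventory and the simplified and/or/not expression grammar are all constructed assumptions. The point it demonstrates is that membership is recomputed from the current inventory, so launching or terminating an instance changes the address set a rule applies to without editing the rule itself.

```python
import re
from typing import Dict, Set, Tuple

# A token is a single-quoted tag, a parenthesis, or a bare word (and / or / not).
_TOKEN = re.compile(r"'[^']*'|\(|\)|\w+")


class _Parser:
    """Recursive-descent evaluator for the constructed grammar:
    expr := term ('or' term)* ; term := factor ('and' factor)* ;
    factor := 'not' factor | '(' expr ')' | quoted-tag."""

    def __init__(self, tokens, tags: Set[str]):
        self.toks, self.tags, self.i = tokens, tags, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self) -> bool:
        value = self.term()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            rhs = self.term()        # evaluated eagerly so syntax errors are always reported
            value = value or rhs
        return value

    def term(self) -> bool:
        value = self.factor()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self) -> bool:
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of match criteria")
        if tok.lower() == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if len(tok) >= 2 and tok.startswith("'") and tok.endswith("'"):
            return tok[1:-1] in self.tags
        raise ValueError(f"unexpected token {tok!r}")


def matches(criteria: str, tags: Set[str]) -> bool:
    """True when the instance's tag set satisfies the match criteria expression."""
    parser = _Parser(_TOKEN.findall(criteria), tags)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing input at {parser.peek()!r}")
    return result


# Inventory type: instance id -> (private IP, harvested tag strings). Constructed data.
Inventory = Dict[str, Tuple[str, Set[str]]]

INVENTORY: Inventory = {
    "i-0aaa": ("10.0.1.5", {"aws.tag.role.web", "aws.tag.env.prod"}),
    "i-0bbb": ("10.0.1.6", {"aws.tag.role.web", "aws.tag.env.dev"}),
    "i-0ccc": ("10.0.2.9", {"aws.tag.role.db", "aws.tag.env.prod"}),
}


def dag_members(criteria: str, inventory: Inventory) -> Set[str]:
    """Resolve a dynamic address group to the IPs whose tags match right now."""
    return {ip for ip, tags in inventory.values() if matches(criteria, tags)}


def membership_delta(criteria: str, before: Inventory, after: Inventory) -> Tuple[Set[str], Set[str]]:
    """(added, removed) IPs when the inventory changes, e.g. after a deploy or terminate."""
    old, new = dag_members(criteria, before), dag_members(criteria, after)
    return new - old, old - new


if __name__ == "__main__":
    web_prod = "'aws.tag.role.web' and 'aws.tag.env.prod'"
    print("web-prod members:", sorted(dag_members(web_prod, INVENTORY)))
    # Simulate a new instance launched with the same tags: no rule change needed.
    later = dict(INVENTORY)
    later["i-0ddd"] = ("10.0.1.7", {"aws.tag.role.web", "aws.tag.env.prod"})
    print("delta after launch:", membership_delta(web_prod, INVENTORY, later))
```

Because the `not` operator is part of the grammar, a group such as `'aws.tag.role.web' and not 'aws.tag.env.prod'` isolates non-production web instances; a harvested tag that is missing or misspelled simply yields an empty group, which is worth checking after a commit rather than assuming the rule is in effect.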