Check for any license or role requirements for the products you're
license or AIOps for NGFW license
To simplify the creation of security policies, addresses that require the same
security settings can be combined into address groups. An address group can be static or
or update Address Groups and give them a detailed name and
There are two types of Address Groups you can use:
Dynamic Address Groups: Allow you to create policies that
automatically adapt to changes, and are useful in infrastructures where
changes in virtual machine location and IP addresses are frequent.
A dynamic address group populates its members based on tags and
filters. Use AND and OR operators to build filters for a dynamic address
group. All IP addresses or address groups that match the criteria you define
become members of the dynamic address group.
Static Address Groups: Can include address objects, dynamic
address groups, or a combination of both address objects and dynamic address
that isn't being enforced as expected–check the status of specific devices to understand
whether there’s a mismatch between expected policies (as configured) and enforced
Dynamic Address Groups
A dynamic address group populates its members dynamically using lookups
for tags and tag-based filters. Dynamic address
groups are very useful if you have an extensive virtual infrastructure where changes
in virtual machine location or IP address are frequent. For example, if you have a
sophisticated failover setup or provision new virtual machines frequently and would
like to apply policy to the traffic from or to the new machine without modifying the
configuration or rules, use dynamic address groups.
To use a dynamic address group in policy, you must complete the following tasks:
Define a dynamic address group and reference it in a policy rule.
The members of the dynamic address group are formed with the IP addresses and
the corresponding tags. You can do this using external scripts that use the
Dynamic address groups can also include statically defined address objects. If you
create an address object and apply the same tags that you have assigned to a dynamic
address group, that dynamic address group will include all static and dynamic
objects that match the tags. You can, therefore, use tags to pull together both
dynamic and static objects in the same address group.
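The following is an added example, not code from the original page or from the vendor. It evaluates an AND/OR tag filter against registered IP-to-tag mappings and tagged static address objects, so you can check what a filter admits before referencing the group in a policy rule. The single-quoted tag syntax, the operator precedence, the sample data and all function names are assumptions of this example.

```python
import re
from functools import partial

# Constructed sample data, not taken from any real deployment.
REGISTERED = {"10.1.1.10": {"web", "prod"}, "10.1.1.11": {"web", "staging"},
              "10.1.2.20": {"db", "prod"}}  # IP -> dynamically registered tags
STATIC_OBJECTS = {"legacy-web-01": ("192.0.2.15", {"web", "prod"}),
                  "printer-net": ("192.0.2.128/25", {"office"})}  # name -> (value, tags)
TOKEN = r"\s*(\(|\)|'[^']*'|and\b|or\b)"  # assumed grammar: quoted tags, and/or, parentheses

def tokenize(expr):
    if not re.fullmatch(rf"(?:{TOKEN})*\s*", expr, re.IGNORECASE):
        raise ValueError(f"unparseable filter: {expr!r}")
    return re.findall(TOKEN, expr, re.IGNORECASE) + [""]  # "" marks end of input

def matches(expr, tags):
    """True if the tag set satisfies the filter (assumed: 'and' binds tighter than 'or')."""
    toks, pos = tokenize(expr), 0
    def operand():  # a quoted tag or a parenthesised sub-filter
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "(":
            val = either()
            if toks[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return val
        if tok.startswith("'"):
            return tok[1:-1] in tags  # case-sensitive comparison (assumption)
        raise ValueError(f"expected a tag or '(', got {tok!r}")
    def chain(word, inner, combine):  # parses: inner (word inner)*
        nonlocal pos
        val = inner()
        while toks[pos].lower() == word:
            pos += 1
            val = combine([inner(), val])  # inner() always runs, so tokens are consumed
        return val
    both = partial(chain, "and", operand, all)
    either = partial(chain, "or", both, any)
    result = either()
    if toks[pos]:
        raise ValueError(f"unexpected token {toks[pos]!r}")
    return result

def resolve_members(expr):
    """Registered IPs plus tagged static objects whose tags satisfy the filter."""
    hits = [ip for ip, tags in REGISTERED.items() if matches(expr, tags)]
    hits += [val for val, tags in STATIC_OBJECTS.values() if matches(expr, tags)]
    return sorted(hits)
```

Comparing `resolve_members("'web' and 'prod'")` with `resolve_members("'web' or 'prod'")` shows how switching the operator widens the set of addresses a rule will cover, and that the tagged static object is pulled in alongside the registered IPs.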
Static Address Groups
A static address group can include address objects that are static,
dynamic address groups, or it can be a combination of both address objects and
dynamic address groups.
At its core, a static address group is a logical collection of address
objects or other address groups. These collections can include individual IP
addresses, ranges of IPs, or other address groups, forming a cohesive unit that
represents a specific set of endpoints or network entities.
The primary advantage of using static address groups is their ability to
streamline policy maintenance and updates. Instead of modifying multiple policy
rules individually, you can simply update the associated static address group. This
change propagates across all rules referencing the group, ensuring consistency and
saving valuable time.
Static address groups can also contribute to policy organization and
clarity. By grouping similar address objects based on criteria such as geographical
location, department, or function, you can develop policy rules that are both
comprehensive and comprehensible. This promotes a structured and easily navigable
policy framework, crucial for maintaining an effective security posture.
Address Group Fields
When creating an Address Group, you can specify some or all of the following
Address Group Settings
A name that describes the address group (up to
characters). This name appears in the address list when defining
security policies. The name is case-sensitive and must be
unique. Use only letters, numbers, spaces, hyphens, and
When this option is selected, the address group is available
Every virtual system (vsys) on a multi-vsys. If you clear
this selection, the address group will be available only
to the virtual system selected.
Every device group on Panorama.
Disable override (
Select this option to prevent administrators from overriding the
settings of this address group object in device groups that
inherit the object. This selection is cleared by default, which
means administrators can override the settings for any device
group that inherits the object.
Enter a description for the object (up to 1023 characters).
The type can be Static or Dynamic.
To view the list of attributes for the match criteria, you
must access and retrieve the attributes from the
source/host. Each virtual machine on the configured
information source(s) can be polled to retrieve changes in
IP address or configuration.
Select or enter the tags that you wish to apply to this address
Members Count and Address
After you add an address group, the Members Count column
indicates whether the objects in the group are populated
dynamically or statically.
For a static address group, you can view the count of the
members in the address group.
For an address group that uses tags to dynamically
populate members or has both static and dynamic members,
you can view the IP addresses that are registered to the
Type indicates whether the IP address is a static
address object or being dynamically registered and
displays the IP address.
Action allows you to unregister tags from an IP