>
    Policy Object: Tags
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Network Security: Security Policy
    4. Policy Objects
    5. Policy Object: Tags
    Download PDF
    Network Security

    Policy Object: Tags

    Table of Contents

    Policy Object: Tags

    Identify the purpose of a rule or configuration object and to help you better organize your rulebase.
    Where Can I Use This?What Do I Need?
    • NGFW (Cloud Managed)
    • NGFW (PAN-OS & Panorama Managed)
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    Check for any license or role requirements for the products you're using.
    Tags allow you to group objects using keywords or phrases. You can apply tags to address objects, address groups (static and dynamic), zones, services, service groups, and to security rules. You can also use an SD-WAN Interface profile to apply a link tag to an Ethernet interface. You can use tags to sort or filter objects and to visually distinguish objects by color. When you apply a color to a tag, the Policy tab displays the object with a background color. Each object can have up to 64 tags. When an object has multiple tags, it displays the color of the first tag applied.
    You must create a tag before you can group rules using that tag. A predefined tag named Sanctioned is available for tagging applications objects. When you create a new tag, the tag is automatically created in the Virtual System or Device Group that is currently selected on Panorama.
    To configure this and any other Object settings, go to:
    • ManageConfigurationNGFW and Prisma AccessObjects on Cloud Managed deployments, and select the object you want to configure.
    • Objects on PAN-OS and Panorama Managed deployments, and select the object you want to configure from the panel on the left.

    Tags Fields

    Here are the fields in a Tag object:
    Tag Settings
    Description
    Name
    Enter a unique tag name (up to 127 characters). The name is not case-sensitive.
    Shared
    Select this option if you want the tag to be available to:
    • Every virtual system (vsys) on a multi-vsys. If you clear this selection, the tag is available only to the Virtual System selected in the Objects tab.
    • Every device group on Panorama. If you disable (clear) this option, the tag will be available only to the Device Group selected in the Objects tab.
    Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this tag in device groups that inherit the tag. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the tag.
    Color
    Select a color from the color palette in the drop-down (default is None).
    Comments
    Add a label or description to describe for what the tag is used.

    © 2025 Palo Alto Networks, Inc. All rights reserved.