Focus

Network Security

Policy Object: Tags

Table of Contents

Policy Object: Tags

Identify the purpose of a rule or configuration object and to help you better organize your rulebase.

Where Can I Use This?	What Do I Need?
NGFW (Cloud Managed) NGFW (PAN-OS & Panorama Managed) `Prisma Access (Cloud Management)` `Prisma Access (Panorama Managed)`	Check for any license or role requirements for the products you're using: `Prisma Access` license or AIOps for NGFW license

Tags allow you to group objects using keywords or phrases. You can apply tags to address objects, address groups (static and dynamic), zones, services, service groups, and to policy rules. You can also use an SD-WAN Interface profile to apply a link tag to an Ethernet interface. You can use tags to sort or filter objects and to visually distinguish objects by color. When you apply a color to a tag, the Policy tab displays the object with a background color. Each object can have up to 64 tags. When an object has multiple tags, it displays the color of the first tag applied.

You must create a tag before you can group rules using that tag. A predefined tag named Sanctioned is available for tagging applications objects. When you create a new tag, the tag is automatically created in the Virtual System or Device Group that is currently selected on Panorama.

To configure this and any other Object settings, go to:

Manage

Configuration

NGFW and Prisma Access

Objects

on Cloud Managed deployments, and select the object you want to configure.

Objects

on PAN-OS and Panorama Managed deployments, and select the object you want to configure from the panel on the left.

Tags Fields

Here are the fields in a Tag object:

Tag Settings	Description
Name	Enter a unique tag name (up to 127 characters). The name is not case-sensitive.
Shared	Select this option if you want the tag to be available to: Every virtual system (vsys) on a multi-vsys. If you clear this selection, the tag is available only to the Virtual System selected in the Objects tab. Every device group on Panorama. If you disable (clear) this option, the tag will be available only to the Device Group selected in the Objects tab.
Disable override (`Panorama only`)	Select this option to prevent administrators from overriding the settings of this tag in device groups that inherit the tag. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the tag.
Color	Select a color from the color palette in the drop-down (default is None).
Comments	Add a label or description to describe for what the tag is used.

Policy Object: Service Groups

Create, Apply, and Modify Tags