View Rules by Tag Group

View your policy rulebase as tag groups.
Where Can I Use This?
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Panorama Managed)
What Do I Need?
  • Check for any license or role requirements for the products you're using.
View your policy rulebase as tag groups to visually group rules based on the tagging structure you created. In this view, you can perform operational procedures such as adding, deleting, and moving the rules in the selected tag group more easily. Viewing the rulebase as tag groups maintains the rule evaluation order and a single tag may appear multiple times throughout the rulebase to visually preserve the rule hierarchy.
You must create the tag before you can assign it as a group tag on a rule. Security rules that are already tagged on upgrade to PAN-OS 9.0 have the first tag automatically assigned as the Group tag. Before you upgrade to PAN-OS 9.0, review the tagged rules in your rulebase to ensure rules are correctly grouped. If your rules are grouped incorrectly after you upgrade to PAN-OS 9.0, you must manually edit each tagged rule and configure the correct Group tag.
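The pre-upgrade review described above can be scripted. The following Python script is an added example, not part of the vendor documentation: it reads the security rules from an exported configuration, takes each rule's first tag (the one that becomes the Group tag on upgrade), and lists the resulting groups in rule evaluation order, flagging tags whose rules are not contiguous. It assumes tags are stored as `<tag><member>` entries under `<rules><entry>`; the sample rulebase and rule names are constructed.

```python
import xml.etree.ElementTree as ET
from itertools import groupby

# Constructed sample: a trimmed security rulebase (assumed export layout).
SAMPLE = """
<security><rules>
  <entry name="allow-dns"><tag><member>infra</member><member>dns</member></tag></entry>
  <entry name="allow-ntp"><tag><member>infra</member></tag></entry>
  <entry name="web-out"><tag><member>users</member></tag></entry>
  <entry name="allow-ldap"><tag><member>infra</member></tag></entry>
  <entry name="tmp-vendor"/>
  <entry name="deny-all"><tag><member>cleanup</member><member>infra</member></tag></entry>
</rules></security>
"""

def first_tags(xml_text):
    """Return [(rule_name, first_tag_or_None)] in rule evaluation order."""
    root = ET.fromstring(xml_text)
    out = []
    for entry in root.findall(".//rules/entry"):
        member = entry.find("./tag/member")  # first <member> is the first tag
        out.append((entry.get("name"), member.text if member is not None else None))
    return out

def tag_groups(rules):
    """Collapse consecutive rules that share a first tag, preserving order."""
    return [(tag, [name for name, _ in run])
            for tag, run in groupby(rules, key=lambda r: r[1])]

def split_tags(groups):
    """Tags that form more than one group because their rules are not adjacent."""
    seen, split = set(), []
    for tag, _ in groups:
        if tag is None:
            continue  # untagged rules display as None and are not a tag group
        if tag in seen and tag not in split:
            split.append(tag)
        seen.add(tag)
    return split

if __name__ == "__main__":
    groups = tag_groups(first_tags(SAMPLE))
    for tag, names in groups:
        print(f"{tag or 'None':8} {', '.join(names)}")
    print("review before upgrade:", split_tags(groups))
```

A tag reported as split is not necessarily wrong, since the grouped view preserves evaluation order, but it marks where a rule's first tag may not be the intended Group tag.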
  1. Create and Apply Tags you want to use for grouping rules.
  2. Assign a security rule to a tag group.
    1. Create a security rule. Refer to Create a Security Policy Rule for more information on creating security rules.
    2. In the Group Rules by Tag field, select the tag from the drop-down and click OK.
    3. Commit your changes.
  3. View your policy rulebase as groups.
    1. (Panorama only) From the Device Group, select the device group rulebase to view or view all Shared rules.
    2. Click Policies and select the rulebase where you created the rules in Step 2.
    3. Select the View Rulebase as Groups option (at the bottom).
      Rules not assigned a tag group display as None.
  4. Perform Group operations as needed.
    1. Click Group to perform group operations for rules in the selected tag group.
      • (Panorama only) Move rules in group to a different rulebase or device group—Move all security rules in the selected tag group to the Pre-Rulebase or Post-Rulebase or move them to a different device group.
      • Change group of all rules—Move all rules in the selected tag group to a different tag group.
      • Move all rules in group—Move all rules in the selected tag group to change the rule priority order.
      • Delete all rules in group—Delete all rules in the selected tag group.
      • Clone all rules in group—Clone all rules in the selected tag group.
    2. Commit your changes.

Tag Browser

Tags allow you to identify the purpose or function of a security rule and help you better organize your policy rulebase. PAN-OS 11.1 introduces the ability to visually group and manage your policy rulebase using the assigned tags. When viewing your policy rulebase using tags, you can perform operational procedures such as adding, deleting, or moving the rules with the applied tag more easily. Viewing your policy rulebase using tags maintains the rule evaluation order.
For firewalls managed by a Panorama management server, you can create and assign tags to security rules from Panorama. Panorama, managed firewalls, and standalone firewalls running PAN-OS 10.2.5 or later 10.2 release, PAN-OS 11.0.3 or later 11.0 release, or any PAN-OS 11.1 release all support policy rulebase management using tags. Policy rulebase management using tags is supported for all policy types.
  1. (Panorama-managed firewalls) Palo Alto Networks recommends you log in to the Panorama web interface to manage the policy rulebase for all managed firewalls belonging to the same device group.
  2. Create and apply tags to the security rules you created.
    You must apply tags to the security rule Tag field and not the Group Rules by Tag field.
  3. Select Policies and change the policy rulebase view from the Default View to Rulebase by Tags.
    (Panorama-managed firewalls) You must also select a Device Group for which to manage the policy rulebase.
    On the left-hand side, the Tag Browser is displayed. It shows all tags applied to all rules in the policy rulebase, the number of security rules with the tag applied, and the Rule Number indicating the rule order for all security rules within the policy rulebase with the tag applied.
  4. Select the Tag Browser display settings.
    1. (Optional) Use the search bar to search for a specific tag.
    2. Keep enabled or disable Filter by first tag in rule.
      When enabled, the Tag Browser displays the Rule Count and Rule Number data based on the first tag applied to each security rule when multiple tags are applied. When disabled, the Tag Browser displays total Rule Count and Rule Number data when multiple tags are applied to your security rules.
    3. Select how to order tags in the Tag Browser.
      • Rule Order—Order the security rule tag data in the Tag Browser based on how policy rules are ordered in the policy rulebase. This may mean that a tag applied to multiple security rules will display multiple times in the Tag Browser if the tagged policy rules are dispersed throughout the policy rulebase.
      • Alphabetical—Order the security rule tag data in the Tag Browser based on the alphabetical order of applied tags.
  5. Apply or remove tags from the Tag Browser.
    The Tag Browser allows you to both apply a tag to security rules within the policy rulebase, and remove a tag from all security rules where the tag is currently applied.
    • Apply a tag from the Tag Browser
    You can also drag and drop tags you want to apply from the Tag Browser to the security rule you want to apply them to.
    1. In the policy rulebase, select one or more security rules that you want to apply a tag to.
    2. In the Tag Browser Tag (Rule Count) column, select one or more tags you want to apply to the selected security rules.
    3. Expand the tag options and Apply Tag to the Selection(s).
      Review which tags you are applying to the selected security rules and click Yes to apply the tags.
    • Remove tags from the Tag Browser
    1. In the Tag Browser Rule Number column, expand the tag options and Untag Rule(s).
    2. A confirm window is displayed to confirm you want to untag your security rules.
      You can remove the tags from only the selected security rules or check Untag all the rules with the selected tag to remove the tag from all security rules with the tag.
    3. Click Yes to untag all security rules that have the selected tag applied.
  6. Move tagged rules within the policy rulebase.
    You can use the Tag Browser to move multiple tagged rules at once to change the policy rulebase hierarchy as needed.
    1. Select the Rule Order Tag Browser display setting.
    2. In the Tag Browser Rule Number column, expand the tag options and Move Rule(s).
      Alternatively, you can drag and drop rules to reorder them in the policy rulebase.
    3. Select the tag around which you want to move.
    4. Move Before or Move After as needed.
  7. Add a new security rule from the Tag Browser.
    You can add a new security rule with tags already assigned directly from the Tag Browser. The new security rule is added as the lowest rule in the rule order based on the selected tag.
    1. Select the Rule Order Tag Browser display setting.
    2. In the Tag Browser Rule Number column, expand the tag options and Add New Rule and configure the security rule as needed.
  8. Filter the policy rulebase using a tag.
    In the Tag Browser Rule Number column, expand the tag options and Filter the policy rulebase. This allows you to apply one or more tag search filters to the policy rulebase to narrow down the list of security rules displayed.
