Use Auto-Tagging to Automate Security Actions

Depending on the type of log you want to use for tagging, create a log forwarding profile or configure the log settings to define how you want the firewall or Panorama to handle logs.
For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile.
For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
Define the match list criteria that determine when the firewall or Panorama adds the tag to the policy object.
For example, you can use a filter to configure a threshold or define a value (such as
user eq “unknown”
to identify users that the firewall has not yet mapped); when the firewall reaches that threshold or finds that value, the firewall adds the tag.
To create a log forwarding profile,
Add
it and select the
Log Type
you want to monitor for match list criteria (
Objects
Log Forwarding
).
To configure log settings,
Add
the log settings for the type of log you want to monitor for match list criteria (
Device
Log Settings
).
Copy and paste a
Filter
value or use the
Filter Builder
to define the match criteria for the tag.
Add a built-in action to tag the policy object.
Add

the

Built-in Actions

you want the firewall or Panorama to take when the logs contain an entry that meets the match list criteria.

Name

the action.

Select the type of

Target

that you want to tag (

Destination Address

,

Source Address

,

User

, or

X-Forwarded-For Address

).

Confirm that

Add Tag

is the

Action

.

Select the

Registration

source for the tag to determine how the firewall or Panorama redistributes the IP address-to-tag mapping.

Local User-ID
—Redistribute the IP address-to-tag mapping on the User-ID agent on the firewall or Panorama.
Panorama User-ID
—Redistribute the IP address-to-tag mapping on Panorama.
Remote User-ID
—Redistribute the IP address-to-tag mapping on another User-ID agent using an HTTP server profile. If you select this option, you must configure an HTTP server profile (see Step 5).

Enter or select the

Tags

you want to add to the policy object.

You may need to click outside of the field or press Enter to enable the

OK

button.

Click

OK

.


(
Remote User-ID only
) Configure an HTTP server profile to forward logs to a remote User-ID agent.
Select
Device
Server Profiles
HTTP
.
Add
a profile and specify a
Name
for the server profile.
(
Virtual systems only
) Select the
Location
. The profile can be
Shared
across all virtual systems or can belong to a specific virtual system.
Select
Tag Registration
to enable the firewall to register the IP address and tag mapping with the User-ID agent on a remote firewall. With tag registration enabled, you cannot specify the payload format.
Add
the server connection details to access the remote User-ID agent and click
OK
.

Select the log forwarding profile you created then select this server profile as the HTTP server profile for your
Remote User-ID
tag
Registration
.
Define the policy objects to which you want to apply the tags.
Create or select one of the following policy objects: dynamic address groups, Use Dynamic User Groups in Policy, addresses, address groups, zones, policy rules, services, or service groups.
Enter the tags you want to apply to the object as the
Match
criteria.
Confirm that the tag is identical to the tag in Step 4.
Add the tagged policy objects to your policy.
This workflow uses a Security policy as an example, but you can also use tagged policy objects in Authentication policy.
Select
Policies
Security
.
Click
Add
and enter a
Name
and optionally a
Description
for the policy.
Add the
Source Zone
where the traffic originates.
Add the
Destination Zone
where the traffic terminates.
Select the
Source
object you created in Step 5.1.
Select whether the rule will
Allow
or
Deny
the traffic.
If you configured a log forwarding profile, assign it to your Security policy.
You can assign one log forwarding profile for each policy but you can assign multiple methods and actions per profile. For an example, refer to Use Dynamic Address Groups in Policy.
Commit
your changes.
(Optional) Configure a timeout to remove the tag from the policy object after the specified time has elapsed.
Specify the amount of time (in minutes) that passes before the firewall removes the tag from the policy object. The range is from 0 to 43,200. If you set the timeout to zero, the IP address-to-tag mapping does not timeout and must be removed with an explicit action. If you set the timeout to the maximum of 43,200 minutes, the firewall removes the tag after 30 days.
You cannot configure a Timeout with a
Remove Tag
action.
Select the log forwarding profile.
Add
or edit one of the
Built-in Actions
.
Specify the
Timeout
(in minutes). When the specified time has elapsed, the firewall or Panorama removes the tag.
Set the IP-tag timeout to the same amount of time as the DHCP lease timeout for that IP address. This allows the IP address-to-tag mapping to expire at the same time as the DHCP lease so that you do not unintentionally apply policy when the IP address is reassigned.
Click
OK
and
Commit
your changes.