IP Range and Subnet Support in Dynamic Address Groups
Learn how to use IP ranges or subnets in dynamic address
groups in addition to individual IP addresses.
PAN-OS 10.0 introduces enhancements to dynamic address
groups—you can now use IP sets, including IP address ranges and
IP subnets, in dynamic address group membership and you can view
source and destination dynamic address groups in some logs.
PAN-OS can now populate dynamic address groups with
IPv4 address sets, such as subnets and ranges, in addition to individual
IP addresses. When a new device joins your network as part of a
tagged IP set, the firewall applies the appropriate security policy
dynamically. Additionally, you can leverage security policy based
on dynamic address groups to dynamically quarantine infected or
vulnerable hosts. You can now use this functionality to dynamically
quarantine entire subnets or IP ranges instead of individual devices.
An IP set counts as a single registered IP address toward the maximum number
of registered IP addresses supported by each firewall model, regardless of how
many hosts the subnet or range contains.
For example, the VM-Series firewall for VMware NSX collects IP
address information from NSX Manager and assigns those IP addresses
to dynamic address groups. NSX administrators can create security
groups that include static VM membership and dynamic VM membership. Static
membership is based upon IP sets that include subnets and ranges.
When an NSX administrator creates independent IP sets or security
groups with IP sets as members in NSX Manager, the Panorama administrator
can create corresponding dynamic address groups. Any changes
made to the IP set, range, or subnet are reflected in Panorama and
IPv6 IP subnets and ranges are not supported in dynamic
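The following Python example is added here and is not part of the PAN-OS documentation. It validates IPv4 subnets and ranges (rejecting IPv6 sets, which the page states are unsupported), builds a tag-registration payload in the shape of the PAN-OS User-ID XML API `<uid-message>` (an assumption about the payload format; confirm against your release's API reference), resolves dynamic address group membership from the registered sets, and counts each set once toward the registered-IP limit.

```python
import ipaddress
import xml.etree.ElementTree as ET

def parse_ip_set(text: str):
    """Accept a single IPv4 address, a CIDR subnet, or a 'start-end' range.
    IPv6 is rejected because IPv6 sets are not supported in dynamic address groups."""
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if start.version != 4 or end.version != 4 or start > end:
            raise ValueError(f"invalid IPv4 range: {text}")
        return ("range", start, end)
    net = ipaddress.ip_network(text, strict=False)
    if net.version != 4:
        raise ValueError(f"IPv6 sets are not supported: {text}")
    return ("network", net, None)

def build_register_payload(registrations: dict) -> str:
    """registrations maps an IP set string to the list of tags to register on it.
    Assumed payload shape: PAN-OS User-ID XML API <uid-message> (verify for your release)."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip_set, tags in registrations.items():
        parse_ip_set(ip_set)  # reject malformed or IPv6 sets before anything is sent
        tag_el = ET.SubElement(ET.SubElement(register, "entry", ip=ip_set), "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(msg, encoding="unicode")

def contains(ip_set: str, ip: str) -> bool:
    """True if the IPv4 address ip falls inside the registered IP set."""
    kind, a, b = parse_ip_set(ip_set)
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    return a <= addr <= b if kind == "range" else addr in a

def in_dynamic_group(registrations: dict, match_tag: str, ip: str) -> bool:
    """Membership in a dynamic address group whose match criterion is match_tag:
    any registered set carrying that tag and containing ip makes ip a member."""
    return any(match_tag in tags and contains(ip_set, ip)
               for ip_set, tags in registrations.items())

def registered_count(registrations: dict) -> int:
    """Each IP set, however large, counts once toward the registered-IP limit."""
    return len(registrations)

# Constructed sample: quarantine a whole /24 and a range instead of single hosts.
SAMPLE = {"10.1.20.0/24": ["quarantine"],
          "10.1.30.10-10.1.30.20": ["quarantine", "iot"],
          "10.1.40.5": ["web"]}
```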
To improve visibility and troubleshooting, source and destination
dynamic address groups are now recorded in some logs—Traffic, Threat, URL
Filtering, WildFire Submissions, and Data Filtering—if the rule
the traffic matches includes a dynamic address group. If an IP address appears
in more than one dynamic address group, the firewall displays up
to five dynamic address groups in logs along with the source IP address.
Additionally, the IP-Tag log now shows how and when an IP
subnet or range is registered or unregistered on the firewall, and which
tag is applied.