IP Range and Subnet Support in Dynamic Address Groups

Learn how to use IP ranges or subnets in dynamic address groups in addition to individual IP addresses.
PAN-OS 10.0 introduces enhancements to dynamic address groups—you can now use IP sets, including IP address ranges and IP subnets, in dynamic address group membership and you can view source and destination dynamic address groups in some logs.
PAN-OS can now populate dynamic address groups with IPv4 address sets, such as subnets and ranges, in addition to individual IP addresses. When a new device joins your network as part of a tagged IP set, the firewall applies the appropriate security policy dynamically. Additionally, you can leverage security policy based on dynamic address groups to dynamically quarantine infected or vulnerable hosts. You can now use this functionality to dynamically quarantine entire subnets or IP ranges instead of individual devices. And an IP set is considered as a single registered IP address when counted towards the maximum number of registered IP addresses supported by each firewall model.
For example, the VM-Series firewall for VMware NSX collects IP address information from NSX Manager and assigns those IP address to dynamic address groups. NSX administrators can create security groups that include static VM membership and dynamic VM membership. Static membership is based upon IP sets that include subnets and ranges. When an NSX administrator creates independent IP sets or security groups with IP sets as members in NSX Manager, the Panorama administrator can create corresponding dynamic address groups. And any changes made to the IP set, range, or subnet are reflected in Panorama and the firewall.
IPv6 IP subnets and ranges are not supported in dynamic address groups.
To improve visibility and troubleshooting, source and destination dynamic address groups are now recorded in some logs—Traffic, Threat, URL Filtering, Wildfire Submissions, and Data Filtering—if the rule the traffic matches includes a dynamic address group. If an IP address appears in more than one dynamic address group, the firewall displays up to five dynamic address groups in logs along with the source IP address.
traffic-log-dag-fields.png
Additionally, the IP-Tag log now displays how and when an IP subnet or range is registered or unregistered on the firewall which tag is applied.
ip-tag-log-ip-subnet-range.png

Recommended For You