>
    Strata Copilot
    Policy Object: Auto-Tag Actions
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Network Security: Security Policy
    4. Policy Objects
    5. Policy Object: Auto-Tag Actions
    Download PDF
    Network Security

    Policy Object: Auto-Tag Actions

    Table of Contents

    Policy Object: Auto-Tag Actions

    Automatically enforce users and IP addresses based on behavior and activity.
    Where Can I Use This?What Do I Need?
    • NGFW (Cloud Managed)
    • NGFW (PAN-OS & Panorama Managed)
    • Prisma Access
    Check for any license or role requirements for the products you're using.
    NGFWs and Prisma Access can automatically tag the users or IP addresses associated with a log entry. When you use auto-tags to build policy, you can automatically enforce users and IP addresses based on behavior and activity. You don't need to manually and retroactively adjust policy or groups. For example, when you create a filter for the URL logs for yes in the Credential Detected column, you can apply a tag to the user that enforces an authentication policy that requires the user to authenticate using multi-factor authentication (MFA).
    Local tagging is supported for Prisma Access deployments; tag redistribution is not supported.
    To get started, set up an auto-tag and then use it to populate a dynamic address group or a dynamic user group. Then, add the dynamic user group to a security rule.
    Auto-tagging works by telling your configuration to tag a policy object when it receives a log that matches specific criteria and establish IP address-to-tag or user-to-tag mapping. For example, when the a threat log is generated, you can set your configuration up to tag the source IP address or source user in the threat log with a specific tag name. You can then use these tags to automatically populate policy objects such as dynamic user groups or dynamic address groups, which can then be used to automate security actions in security, authentication, or decryption policies.
    Dynamic user groups do not support auto-tagging from HIP Match logs.

    Use Auto-Tagging to Automate Security Actions

    Follow these steps to automatically tag the users or IP addresses associated with a log entry and enforce users and IP addresses based on behavior and activity.
    Use auto-tagging selectively. It is designed for tagging a small number of users or IP addresses based on specific log categories—not for large volumes of traffic. To maintain performance and avoid unintended policy impact, limit auto-tag filters to a narrow set of logs.

    Use Auto-Tagging to Automate Security Actions (Strata Cloud Manager)

    Automatically tag the users or IP addresses associated with a log entry and enforce users and IP addresses based on behavior and activity.
    1. Set up an auto-tag action rule.
      1. Select ConfigurationNGFW and Prisma AcccessObjectsAuto-Tag Actions.
      2. Add Rule and specify a Name, Log Type, and Filter criteria for this action.
      3. (Optional) Choose whether you want to add devices that match this rule to the quarantine list.
      4. Next, Add Tagging Rule.
      5. Give your tagging rule a Name, specify the Target, choose an Action (Add Tag or Remove Tag), and associate one of the existing Tags with your rule or create a new tag.
      6. (Optional) Configure a timeout to remove the tag from the policy object after the specified time has elapsed.
        Specify the amount of time (in minutes) that passes before the tag is removed from the policy object. The range is from 0 to 4,320. If you set the timeout to zero, the IP address-to-tag mapping does not timeout and must be removed with an explicit action. If you set the timeout to the maximum of 4,320 minutes, the tag is removed after 30 days.
        You cannot configure a Timeout with a Remove Tag action.
      7. Select Save.
    2. Use your auto-tag action rule to populate a dynamic address group or a dynamic user group.
      1. Create or select one of the following policy objects:
      2. Enter the tags you want to apply to the object as the Match criteria.
        Confirm that the tag is identical to the tag in Step 1.
    3. Add the dynamic user group to a security rule.
      This workflow uses a Security policy as an example, but you can also use tagged policy objects in Authentication policy.
      1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy.
      2. Select Add Rule and enter a Name and optionally a Description for the policy.
      3. Add the Source Zone where the traffic originates.
      4. Add the Destination Zone where the traffic terminates.
      5. Select the Source object you created in Step 2.1.
      6. Select whether the rule will Allow or Deny the traffic.

    Use Auto-Tagging to Automate Security Actions (PAN-OS & Panorama)

    Configure the firewall or Panorama to automatically tag policy objects and automate security actions.
    Redistribute the mappings across your network by registering the IP address-to-tag and user-to-tag mappings to a PAN-OS integrated User-ID agent on the firewall or Panorama or to a remote User-ID agent using an HTTP server profile. The firewall can automatically remove (unregister) a tag associated with an IP address or user when you configure a timeout as part of a built-in action for a log forwarding profile or as part of log forwarding settings. For example, if the firewall detects a user has potentially compromised credentials, you could configure the firewall to require MFA authentication for that user for a given period of time, then configure a timeout to remove the user from the MFA requirement group.
    1. Depending on the type of log you want to use for tagging, create a log forwarding profile or configure the log settings to define how you want the firewall or Panorama to handle logs.
      • For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile.
      • For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
    2. Define the match list criteria that determine when the firewall or Panorama adds the tag to the policy object.
      For example, you can use a filter to configure a threshold or define a value (such as user eq “unknown” to identify users that the firewall has not yet mapped); when the firewall reaches that threshold or finds that value, the firewall adds the tag.
      • To create a log forwarding profile, Add it and select the Log Type you want to monitor for match list criteria (ObjectsLog Forwarding).
      • To configure log settings, Add the log settings for the type of log you want to monitor for match list criteria (DeviceLog Settings).
    3. Copy and paste a Filter value or use the Filter Builder to define the match criteria for the tag.
    4. (Remote User-ID only) Configure an HTTP server profile to forward logs to a remote User-ID agent.
      1. Select DeviceServer ProfilesHTTP.
      2. Add a profile and specify a Name for the server profile.
      3. (Virtual systems only) Select the Location. The profile can be Shared across all virtual systems or can belong to a specific virtual system.
      4. Select Tag Registration to enable the firewall to register the IP address and tag mapping with the User-ID agent on a remote firewall. With tag registration enabled, you cannot specify the payload format.
      5. Add the server connection details to access the remote User-ID agent and click OK.
      6. Select the log forwarding profile you created then select this server profile as the HTTP server profile for your Remote User-ID tag Registration.
    5. Define the policy objects to which you want to apply the tags.
      1. Create or select one of the following policy objects: dynamic address groups, dynamic user groups, addresses, address groups, zones, security rules, services, or service groups.
      2. Enter the tags you want to apply to the object as the Match criteria.
        Confirm that the tag is identical to the tag in Step 4.
    6. Add the tagged policy objects to your policy.
      This workflow uses a Security policy as an example, but you can also use tagged policy objects in Authentication policy.
      1. Select PoliciesSecurity.
      2. Click Add and enter a Name and optionally a Description for the policy.
      3. Add the Source Zone where the traffic originates.
      4. Add the Destination Zone where the traffic terminates.
      5. Select the Source object you created in Step 5.1.
      6. Select whether the rule will Allow or Deny the traffic.
    7. If you configured a log forwarding profile, assign it to your Security policy.
      You can assign one log forwarding profile for each policy but you can assign multiple methods and actions per profile. For an example, refer to Use Dynamic Address Groups in Policy.
    8. Commit your changes.
    9. (Optional) Configure a timeout to remove the tag from the policy object after the specified time has elapsed.
      Specify the amount of time (in minutes) that passes before the firewall removes the tag from the policy object. The range is from 0 to 43,200. If you set the timeout to zero, the IP address-to-tag mapping does not timeout and must be removed with an explicit action. If you set the timeout to the maximum of 43,200 minutes, the firewall removes the tag after 30 days.
      You cannot configure a Timeout with a Remove Tag action.
      1. Select the log forwarding profile.
      2. Add or edit one of the Built-in Actions.
      3. Specify the Timeout (in minutes). When the specified time has elapsed, the firewall or Panorama removes the tag.
        Set the IP-tag timeout to the same amount of time as the DHCP lease timeout for that IP address. This allows the IP address-to-tag mapping to expire at the same time as the DHCP lease so that you do not unintentionally apply policy when the IP address is reassigned.
      4. Click OK and Commit your changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.