Register IP Addresses and Tags Dynamically

• User-ID agent for Windows—In an environment where you’ve deployed the User-ID agent, you can enable the User-ID agent to monitor up to 100 VMware ESXi servers, vCenter Servers, or a combination of the two. As you provision or modify virtual machines on these VMware servers, the agent can retrieve the IP address changes and share them with the firewall.
• VM Information Sources—Enables you to monitor VMware ESXi, vCenter Server, AWS-VPCs, and Google Compute Engines natively on the firewall and to retrieve IP address changes when you provision or modify virtual machines on these sources. VM Information Sources option polls for a predefined set of attributes and does not require external scripts to register the IP addresses through the XML API. See Monitor Changes in the Virtual Environment.
• Panorama Plugin—You can enable a Panorama™ M-Series or virtual appliance to connect to your Azure or AWS public cloud environment and retrieve information on the virtual machines deployed within your subscription or VPC. Panorama then registers the VM information to the managed Palo Alto Networks firewalls that you configured for notification and then you can use these attributes to define dynamic address groups and attach them to Security policy rules to allow or deny traffic to and from these VMs.
• VMware Service Manager (Integrated NSX solutions only)—The integrated NSX solution is designed for automated provisioning and distribution of the Palo Alto Networks Next-Generation Security Operating Platform® and the delivery of dynamic context-based Security policies using Panorama. The NSX Manager updates Panorama with the latest information on the IP addresses, IP sets, and tags associated with the virtual machines deployed in this integrated solution. For information on this solution, see Set Up a VM-Series NSX Edition Firewall.
• XML API—The firewall and Panorama support an XML API that uses standard HTTP requests to send and receive data. You can use this API to register IP addresses and tags with the firewall or Panorama. You can make API calls directly from command-line utilities, such as cURL, or by using any scripting or application framework that supports REST-based services. Refer to the PAN-OS XML API Usage Guide for details.
• Auto-Tag—Tag the source or destination IP address automatically when a log is generated on the firewall and register the IP address and tag mapping to a User-ID agent on the firewall or on Panorama, or to a remote User-ID agent using an HTTP server profile. For example, whenever the firewall generates a threat log, you can configure the firewall to tag the source IP address in the threat log with a specific tag name. For more information, refer to Use Auto-Tagging to Automate Security Actions.
  Additionally, you can configure the firewall to dynamically unregister a tag after a configured amount of time using a timeout. For example, you can configure the timeout to be the same duration as the DHCP lease timeout for the IP address. This allows the IP address-to-tag mapping to expire at the same time as the DHCP lease so that you don’t unintentionally apply policy when the IP address is reassigned.
  See Forward Logs to an HTTP(S) Destination.