Register IP Addresses and Tags Dynamically
Describes the available methods to register IP addresses
and tags dynamically on the firewall or Panorama.
To mitigate the challenges of scale, lack of flexibility,
and performance, network architectures today allow for virtual machines
(VMs) and applications to be provisioned, changed, and deleted on
demand. This agility, though, poses a challenge for security administrators
because they have limited visibility into the IP addresses of the
dynamically provisioned VMs and the plethora of applications that
can be enabled on these virtual resources.
Firewalls (hardware-based and VM-Series models) support the ability
to register IP addresses, IP sets (IP ranges and subnets), and tags
dynamically. The IP addresses and tags can be registered on the
firewall directly or from Panorama. You can also automatically remove
tags on the source and destination IP addresses included in a firewall
log.
PAN-OS only supports IPv4 IP subnets and ranges in dynamic address
groups.
You can enable the dynamic registration process using any of
the following options:
User-ID agent for Windows—In an environment where
you’ve deployed the User-ID agent, you can enable the User-ID agent
to monitor up to 100 VMware ESXi servers, vCenter Servers, or a
combination of the two. As you provision or modify virtual machines
on these VMware servers, the agent can retrieve the IP address changes
and share them with the firewall.
VM Information Sources—Enables you to monitor VMware
ESXi, vCenter Server, AWS-VPCs, and Google Compute Engines natively
on the firewall and to retrieve IP address changes when you provision or
modify virtual machines on these sources. VM Information Sources
option polls for a predefined set of attributes and does not require
external scripts to register the IP addresses through the XML API.
See
Monitor Changes in the Virtual Environment.
Panorama Plugin—You can enable a Panorama™ M-Series
or virtual appliance to connect to your Azure or AWS public cloud
environment and retrieve information on the virtual machines deployed
within your subscription or VPC. Panorama then registers the VM
information to the managed Palo Alto Networks firewalls that you
configured for notification and then you can use these attributes
to define dynamic address groups and attach them to Security policy
rules to allow or deny traffic to and from these VMs.
VMware Service Manager (
Integrated NSX solutions only)—The
integrated NSX solution is designed for automated provisioning and
distribution of the Palo Alto Networks Next-Generation Security
Operating Platform® and the delivery of dynamic context-based Security
policies using Panorama. The NSX Manager updates Panorama with the
latest information on the IP addresses, IP sets, and tags associated
with the virtual machines deployed in this integrated solution.
For information on this solution, see
Set Up a VM-Series NSX Edition Firewall.
XML API—The firewall and Panorama support an XML API that
uses standard HTTP requests to send and receive data. You can use
this API to register IP addresses and tags with the firewall or
Panorama. You can make API calls directly from command-line utilities,
such as cURL, or by using any scripting or application framework
that supports REST-based services. Refer to the
PAN-OS XML API Usage Guide for
details.
Auto-Tag—Tag the source or destination IP address
automatically when a log is generated on the firewall and register
the IP address and tag mapping to a User-ID agent on the firewall
or on Panorama, or to a remote User-ID agent using an HTTP server
profile. For example, whenever the firewall generates a threat log,
you can configure the firewall to tag the source IP address in the
threat log with a specific tag name. For more information, refer to
Use Auto-Tagging to Automate Security Actions.
Additionally,
you can configure the firewall to dynamically unregister a tag after
a configured amount of time using a timeout. For example, you can configure
the timeout to be the same duration as the DHCP lease timeout for the
IP address. This allows the IP address-to-tag mapping to expire
at the same time as the DHCP lease so that you don’t unintentionally
apply policy when the IP address is reassigned.