Configure the firewall or Panorama to automatically tag
policy objects and automate security actions.
Auto-tagging lets the firewall or Panorama tag a policy object when it
receives a log that matches specific criteria, establishing an IP
address-to-tag or user-to-tag mapping. For example, when the firewall
generates a threat log, you can configure it to apply a specific tag
to the source IP address or source user in that log. The tags then
automatically populate policy objects such as dynamic address groups
and dynamic user groups, which in turn automate security actions in
Security, Authentication, or Decryption policy. For example, when you
create a filter on a URL log column, you can apply a tag to the user
that enforces an Authentication policy rule requiring the user to
authenticate with multi-factor authentication (MFA).
Dynamic user groups do not support auto-tagging from HIP Match logs.
Distribute the mappings across your network by registering the IP
address-to-tag and user-to-tag mappings to the PAN-OS integrated User-ID
agent on the firewall or Panorama, or to a remote User-ID agent through
an HTTP server profile. The firewall can automatically remove (unregister)
a tag associated with an IP address or user when you configure a timeout
as part of a built-in action in a log forwarding profile or in the log
settings. For example, if the firewall detects that a user has potentially
compromised credentials, you can require MFA for that user for a given
period of time and then let a timeout remove the user from the group that
enforces the MFA requirement.
Depending on the type of log you want to use for tagging, create a log
forwarding profile or configure the log settings to define how the
firewall or Panorama handles those logs.
For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and
WildFire logs, create a log forwarding profile.
For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
Define the match list criteria that determine when the firewall or
Panorama adds the tag to the policy object. For example, you can use a
filter to configure a threshold or to define a value (such as
user eq "unknown"
to identify users that the firewall has not yet mapped); when the
firewall reaches that threshold or finds that value, it adds the tag.
To create a log forwarding profile, add a profile and select the log
type you want to monitor for match list criteria.
To configure log settings, edit the log settings for the type of log
you want to monitor for match list criteria.
Copy and paste a filter, or use the filter builder, to define the match
criteria for the tag.
(Remote User-ID only) Configure an HTTP server profile to forward logs
to a remote User-ID agent. Add a profile and enter a name for the server
profile.
(Virtual systems only) Select the location. The profile can be shared
across all virtual systems or can belong to a specific virtual system.
Enable tag registration so that the firewall registers the IP
address-to-tag mapping with the User-ID agent on the remote firewall.
With tag registration enabled, you cannot specify the payload format.
Enter the server connection details for the remote User-ID agent and
save the profile.
Select the log forwarding profile you created, then select this server
profile as the HTTP server profile for the match list.
Define the policy objects (dynamic address groups or dynamic user groups)
to which you want to apply the tags. Enter the tags you want to apply to
the object as its match criteria. Confirm that the tag is identical to
the tag in Step 4.
Add the tagged policy objects to your policy.
This workflow uses a Security policy as an example, but you can also use
tagged policy objects in Authentication policy.
Add a rule and enter a name for it.
Select the destination zone where the traffic terminates.
Select the tagged policy object created in Step 5.1.
Select whether the rule will allow or deny the matching traffic.
If you configured a log forwarding profile, assign it to your Security
policy rule.
You can assign only one log forwarding profile to each rule, but a single
profile can contain multiple forwarding methods and actions. For an
example, refer to Use Dynamic Address Groups in Policy.
(Optional) Configure a timeout to remove the tag from the policy object
after the specified time has elapsed.
Specify the amount of time (in minutes) that passes before the firewall
removes the tag from the policy object. The range is 0 to 43,200. If you
set the timeout to 0, the IP address-to-tag mapping never times out and
must be removed with an explicit action. If you set the timeout to the
maximum of 43,200 minutes, the firewall removes the tag after 30 days.
You cannot configure a Timeout with
Select the log forwarding profile, add or edit one of its match list
actions, and enter the timeout (in minutes). When the specified time has
elapsed, the firewall or Panorama removes the tag.
Set the IP-tag timeout to the same amount of time as the DHCP lease for
that IP address. The IP address-to-tag mapping then expires together with
the lease, so you do not unintentionally apply policy to a different host
after the IP address is reassigned.
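The following is an added example, not Palo Alto Networks code, that simulates the workflow above end to end on constructed log records: it parses a match-list filter of the `field eq value` form, runs the add-tag action with a timeout against the source IP, tracks which addresses a dynamic address group would currently contain (a timeout of 0 never expires, the maximum is 43,200 minutes), and builds the User-ID XML API `register`/`unregister` messages used to share IP address-to-tag mappings with a User-ID agent. The sample log field names, the helper names and the `TagRegistry` class are assumptions for this example; only the `uid-message` structure follows the real XML API, where the timeout attribute is expressed in seconds rather than the minutes used in the GUI.

```python
"""Added example (not Palo Alto Networks code): simulate auto-tagging on
constructed log records and build User-ID XML API register/unregister
messages.  Log field names and helper names are assumptions."""
import re
import xml.etree.ElementTree as ET

MAX_TIMEOUT_MIN = 43_200  # documented upper bound: 30 days

# Constructed sample threat-log records (not real firewall output).
THREAT_LOGS = [
    {"src": "10.1.1.25", "srcuser": "unknown", "severity": "critical"},
    {"src": "10.1.1.40", "srcuser": "corp\\alice", "severity": "low"},
    {"src": "10.1.1.25", "srcuser": "unknown", "severity": "high"},
]

_CLAUSE = re.compile(r'\(?\s*(\w+)\s+(eq|neq)\s+["\']?([^"\')]+?)["\']?\s*\)?')


def parse_filter(expr):
    """Parse ANDed clauses such as '(severity eq critical) and (srcuser eq unknown)'
    into (field, op, value) tuples.  Only eq/neq joined by 'and' are supported."""
    clauses = []
    for part in re.split(r"\s+and\s+", expr.strip(), flags=re.I):
        m = _CLAUSE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((m.group(1), m.group(2), m.group(3)))
    return clauses


def matches(log, clauses):
    """True when every clause holds for the record (missing fields compare as '')."""
    for field, op, value in clauses:
        if (op == "eq") != (str(log.get(field, "")) == value):
            return False
    return True


class TagRegistry:
    """IP address-to-tag mappings with optional expiry, as a DAG would evaluate them."""

    def __init__(self):
        self._entries = {}  # (ip, tag) -> expiry in epoch seconds, or None for no timeout

    def register(self, ip, tag, timeout_min, now):
        if not 0 <= timeout_min <= MAX_TIMEOUT_MIN:
            raise ValueError("timeout must be between 0 and 43,200 minutes")
        # Timeout 0: the mapping persists until an explicit unregister.
        self._entries[(ip, tag)] = None if timeout_min == 0 else now + timeout_min * 60

    def unregister(self, ip, tag):
        self._entries.pop((ip, tag), None)

    def members(self, tag, now):
        """IP addresses currently carrying the tag; expired entries are ignored."""
        return sorted(ip for (ip, t), exp in self._entries.items()
                      if t == tag and (exp is None or exp > now))


def uid_message(action, ip, tag, timeout_min=0):
    """Build a User-ID XML API 'update' message that registers or unregisters an
    IP-to-tag mapping.  The API timeout attribute is in seconds, not minutes."""
    if action not in ("register", "unregister"):
        raise ValueError(action)
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    block = ET.SubElement(ET.SubElement(root, "payload"), action)
    entry = ET.SubElement(block, "entry", ip=ip)
    member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
    if action == "register" and timeout_min:
        member.set("timeout", str(timeout_min * 60))
    member.text = tag
    return ET.tostring(root, encoding="unicode")


def auto_tag(logs, filter_expr, tag, timeout_min, registry, now):
    """Apply the match list to each log and run the add-tag action on the source IP.
    Returns the register messages that would be forwarded to the User-ID agent."""
    clauses = parse_filter(filter_expr)
    sent = []
    for log in logs:
        if matches(log, clauses):
            registry.register(log["src"], tag, timeout_min, now)
            sent.append(uid_message("register", log["src"], tag, timeout_min))
    return sent


def timeout_for_dhcp_lease(lease_seconds):
    """Tip from the text: align the IP-tag timeout (minutes) with the DHCP lease,
    rounding up and clamping to the 30-day maximum."""
    return min(max(1, -(-lease_seconds // 60)), MAX_TIMEOUT_MIN)


if __name__ == "__main__":
    reg = TagRegistry()
    msgs = auto_tag(THREAT_LOGS, '(severity eq critical) and (srcuser eq unknown)',
                    "quarantine", 60, reg, now=1_000)
    print(msgs[0])
    print(reg.members("quarantine", now=1_000))  # tagged now
    print(reg.members("quarantine", now=4_700))  # expired after 60 minutes
```

Only the first sample record satisfies both clauses, so exactly one register message is built, carrying `timeout="3600"`; the address drops out of the group once 60 minutes have elapsed, while a registration with timeout 0 stays until `unregister` is called, which is the behaviour the timeout range above describes.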