: Policy Rulebase Management Using Tags
Focus
Focus

Policy Rulebase Management Using Tags

Table of Contents
End-of-Life (EoL)

Policy Rulebase Management Using Tags

Create and assign tags to policies rules in your policy rulebase to visually group and perform operation procedures based to groups of policy rules.
Tags allow you to identify the purpose or function of a policy rule and help you better organize your policy rulebase. PAN-OS 11.0.3 introduces the ability to visually group and manage your policy rulebase using the assigned tags from the Tag Browser. When viewing your policy rulebase using tags, you can perform operation procedures such as adding, deleting, or moving the rules with the applied tag more easily. Viewing your policy rulebase using tags maintains the rule evaluation order.
For firewalls managed by a Panorama management server, you can create and assign tags to policy rules from Panorama. Both Panorama, managed firewalls, and standalone firewalls running PAN-OS 11.0.3 or later 11.0 release support policy rulebase base management using tags. Policy rulebase management using tags is supported for all policy types.
  1. Log in to the Panorama or firewall web interface.
  2. Create and apply tags to the policy rules you created.
    You must apply tags to the policy rule Tag field and not the Group Rules by Tag field.
  3. Select Policies and change the policy rulebase view from the Default View to Rulebase by Tags.
    On the left-hand size, the Tag Browser is displayed and all tags applied to all rules in the policy rulebase, the number of policy rules with the tag applied, and the Rule Number indicating the rule order for all policy rules within the policy rulebase with the tag applied.
  4. Select the Tag Browser display settings.
    1. (Optional) Use the search bar to search for a specific tag.
    2. Keep enabled or disable Filter by first tag in rule.
      When enabled, the Tag Browser displays the Rule Count and Rule Number data based on the first tag applied to each policy rule when multiple tags are applied. When disabled, the Tag Browser displays total Rule Count and Rule Number data when multiple tags are applied to your policy rules.
    3. Select how to order tags in the Tag Browser.
      • Rule Order—Order the policy rule tag data in the Tag Browser data based on how policy rules are ordered in the policy rulebase. This may mean that a tag applied to multiple policy rules will display multiple times in the Tag Browser if the tagged policy rules are dispersed throughout the policy rulebase.
      • Alphabetical—Order the policy rule tag data in the Tag Browser based on the alphabetical order of applied tags.
  5. Apply or remove tags from the Tag Browser.
    The Tag Browser allows you to both apply a tag to policy rules within the policy rulebase, and remove a tag from all policy rules where the tag is currently applied.
    • Apply a tag from the Tag Browser
    You can also drag and drop tags you want to apply from the Tag Browser to the policy rule you want to apply it to.
    1. In the policy rulebase, select one or more policy rules that you want to apply a tag to.
    2. In the Tag Browser Tag (Rule Count) column, select one or more tags you want to apply to the selected policy rules.
    3. Expand the tag options and Apply Tag to the Selection(s).
      Review which tags you are apply to the selected policy rules and click Yes to apply the tags.
    • Remove tags from the Tag Browser
    1. In the Tag Browser Rule Number column, expand the tag options and Untag Rule(s).
    2. A confirm window is displayed to confirm you want to untag your policy rules.
      You can remove the tags from only the selected policy rules or check Untag all the rules with the selected tag to remove the tag from all policy rules with the tag.
    3. Click Yes to untag all policy rules that have the selected tag applied.
  6. Move tagged rules within your the policy rulebase.
    You can use the Tag Browser to move multiple tagged rules at once to change the policy rulebase hierarchy as needed.
    1. Select the Rule Order Tag Browser display setting.
    2. In the Tag Browser Rule Number column, expand the tag options and Move Rule(s).
      Alternatively, you can drag and drop rules to reorder them in the policy rulebase.
    3. Select the tag around which you want to move.
    4. Move Before or Move After as needed.
  7. Add a new policy rule from the Tag Browser.
    You can add a new policy rule with tags already assigned directly from the Tag Browser. The new policy rule is added as the lowest rule in the rule order based on the selected tag.
    1. Select the Rule Order Tag Browser display setting.
    2. In the Tag Browser Rule Number column, expand the tag options and Add New Rule and configure the policy rule as needed.
  8. Filter the policy rulebase using a tag.
    In the Tag Browser Rule Number column, expand the tag options and Filter the policy rulebase. This allows you to apply one or more tag search filters to the policy rulebase to narrow down the list of policy rules displayed.