PAN-OS® Web Interface Reference Guide
  1. Home
  2. PAN-OS
  3. PAN-OS® Web Interface Reference Guide
  4. Objects
  5. Objects > Tags
Previous
Next
Tags allow you to group objects using keywords or phrases. Tags can be applied to address objects, address groups (static and dynamic), zones, services, service groups, and to policy rules. You can use a tags to sort or filter objects, and to visually distinguish objects because they can have color. When a color is applied to a tag, the Policy tab displays the object with a background color.
A predefined tag named Sanctioned is available for tagging applications ( Objects > Applications). These tags are required for accurately Monitor > PDF Reports > SaaS Application Usage.
What do you want to know? See:
How do I create tags? Create Tags
What is the tag browser? Use the Tag Browser
Search for rules that are tagged. Manage Tags
Group rules using tags.
View tags used in policy.
Apply tags to policy.
Looking for more? See Policy .
Create Tags
Select Objects > Tags to create a tag, assign a color, delete, rename, and clone tags. Each object can have up to 64 tags; when an object has multiple tags, it displays the color of the first tag applied to it.
On the firewall, the Objects > Tags tab displays the tags that you define locally on the firewall or push from Panorama to the firewall; on Panorama, it displays the tags that you define on Panorama. This tab does not display the tags that are dynamically retrieved from the VM Information sources defined on the firewall for forming dynamic address groups, or tags that are defined using the XML API.
When you create a new tag, the tag is automatically created in the Virtual System or Device Group that is currently selected on the firewall or Panorama.
Tag Setting Description
Name Enter a unique tag name (up to 127 characters). The name is not case-sensitive.
Shared Select this option if you want the tag to be available to: Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the tag will be available only to the Virtual System selected in the Objects tab. Every device group on Panorama. If you clear this selection, the tag will be available only to the Device Group selected in the Objects tab.
Disable override ( Panorama only ) Select this option if you want to prevent administrators from creating local copies of the tag in descendant device groups by overriding its inherited values. This selection is cleared by default, which means overriding is enabled.
Color Select a color from the color palette in the drop-down. The default value is None.
Comments Add a label or description to remind you what the tag is used for.
Add a tag —To add a new tag, click Add and then fill in the following fields:
You can also create a new tag when you create or edit policy in the Policies tab. The tag is automatically created in the Device Group or Virtual System that is currently selected.
Edit a tag —To edit, rename, or assign a color to a tag, click the tag name that displays as a link and modify the settings. Delete a tag —To delete a tag, click Delete and select the tag in the window. You cannot delete a predefined tag. Move or Clone a tag —The option to move to clone a tag allows you copy a tag or move the tag to a different Device Group or Virtual System on firewalls enabled for multiple virtual systems.
Click Clone or Move and select the tag in the window. Select the Destination location—Device Group or Virtual System—for the tag. Clear this selection for Error out on first detected error in validation if you want the validation process to discover all the errors for the object before displaying the errors. By default, this option is enabled and the validation process stops when the first error is detected and only displays the error.
Override or Revert a tag (Panorama only)—The Override option is available if you have not selected the Disable override option when creating the tag. It allows you to override the color assigned to the tag that was inherited from a shared or ancestor device group. The Location field displays the current device group. You can also select the Disable override to disable further overrides.
To undo the changes on a tag, click Revert. When you revert a tag, the Location field displays the device group or virtual system from where the tag was inherited.
Use the Tag Browser
Policies > Rulebase (Security, NAT, QoS...)
The tag browser presents a summary of all the tags used within a rulebase (policy set). It allows you to see a list of all the tags and the order in which they are listed in the rulebase.
You can sort, browse, search, and filter for a specific tag, or view only the first tag applied to each rule in the rulebase.
The following table describes the tag browser options.
Tag Browser Option Description
Tag (#) Displays the label and the rule number or range of numbers in which the tag is used contiguously. Hover over the label to see the location where the rule was defined. The location can be inherited from the Shared location, a device group, or a virtual system.
Rule Lists the rule number or range of numbers associated with the tags.
Filter by first tag in rule Displays only the first tag applied to each rule in the rulebase, when selected. This view is particularly useful if you want to narrow the list and view related rules that might be spread around the rulebase. For example, if the first tag in each rule denotes its function—administration, web-access, datacenter access, proxy—you can narrow the result and scan the rules based on function.
Rule Order Sorts the tags in the order of appearance within the selected rulebase. When displayed in order of appearance, tags used in contiguous rules are grouped together. The rule number with which the tag is associated is displayed along with the tag name.
Alphabetical Sorts the tags in alphabetical order within the selected rulebase. The display lists the tag name, color (if a color is assigned), and the number of times it is used within the rulebase. The label None represents rules without any tags; it does not display rule numbers for untagged rules. When you select None, the right pane is filtered to display rules that have no tags assigned to them.
Clear Clears the filter on the currently selected tags in the search bar.
Search bar Allows you to search for a tag, enter the term and click the green arrow to apply the filter. It also displays the total number of tags in the rulebase and the number of selected tags.
For other actions, see Manage Tags.
Manage Tags
The following table lists the actions you can perform using the tag browser.
Manage Tags
Tag a rule. Select a rule on the right pane. Do one of the following: Select a tag in the tag browser and, from the drop-down, Apply the Tag to the Selection(s). Drag and drop tags from the tag browser on to the tag column of the rule. When you drop the tags, a confirmation dialog displays.
View the currently selected tags. Select one or more tags in the tag browser. The tags are filtered using an OR operator. The right pane updates to display the rules that have any of the selected tags. To view the currently selected tags, hover over the Clear label in the tag browser.
View rules that match the selected tags. You can filter rules based on tags with an AND or an OR operator. OR filter —To view rules that have specific tags, select one or more tags in the tag browser. The right pane will display only the rules that include the currently selected tags. AND filter —To view rules that have all the selected tags, hover over the number in the Rule column of the tag browser and select Filter in the drop-down. Repeat to add more tags.
Click the in the search bar on the right pane. The results are displayed using an AND operator.
Untag a rule. Hover over the rule number in the Rule column of the tag browser and select Untag Rule(s) in the drop-down. Confirm that you want to remove the selected tag from the rule.
Reorder a rule using tags. Select one or more tags and hover over the rule number in the Rule column of the tag browser and select Move Rule(s) in the drop-down. Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down.
Add a new rule that applies the selected tags. Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Add New Rule in the drop-down. The numerical order of the new rule varies by whether you selected a rule on the right pane. If no rule was selected on the right pane, the new rule will be added after the rule to which the selected tag(s) belongs. Otherwise, the new rule is added after the selected rule.
Search for a tag. In the tag browser, enter the first few letters of the tag name you want to search for and click to display the tags that match your input.
Previous
Next

Related Documentation

Use the Tag Browser

Use the Tag Browser The tag browser provides a way to view all the tags used within a rulebase. In rulebases with a large number ...

Create and Apply Tags

Create and Apply Tags Create and Apply Tags Create tags. To tag a zone, you must create a tag with the same name as the ...

Use Tags to Group and Visually Distinguish Objects

Use Tags to Group and Visually Distinguish Objects You can tag objects to group related items and add color to the tag in order to ...

Modify Tags

Modify Tags Modify Tags Select Objects > Tags to perform any of the following operations with tags: Click the link in the Name column to ...

Use Dynamic Address Groups in Policy

Use Dynamic Address Groups in Policy Dynamic address groups are used in policy. They allow you to create policy that automatically adapts to changes—adds, moves, ...

Policies > Security

Policies > Security Security policies reference security zones and enable you to allow, restrict, and track traffic on your network based on the application, user ...

Objects > Addresses

Objects > Addresses An address object can include an IPv4 or IPv6 address (single IP, range, subnet) or a FQDN. It allows you to reuse ...

Policy Types

Policy Types Policies allow you to control firewall operation by enforcing rules and automatically taking action. The following types of policies are supported: Basic security ...

Objects > Address Groups

Objects > Address Groups To simplify the creation of security policies, addresses that require the same security settings can be combined into address groups. An ...

CLI Commands for Dynamic IP Addresses and Tags

CLI Commands for Dynamic IP Addresses and Tags The Command Line Interface on the firewall and Panorama give you a detailed view into the different ...

© 2019 Palo Alto Networks, Inc. All rights reserved.