End-of-Life (EoL)
Tags allow you to group objects using keywords or phrases. Tags can be applied to address objects, address groups (static and dynamic), zones, services, service groups, and to policy rules. You can use tags to sort or filter objects, and to visually distinguish objects because tags can have a color. When a color is applied to a tag, the Policy tab displays the object with a background color.
A predefined tag named Sanctioned is available for tagging applications (Objects > Applications). These tags are required for accurate Monitor > PDF Reports > SaaS Application Usage reports.
What do you want to know?
How do I create tags? See Create Tags.
What is the tag browser? See Use the Tag Browser.
Search for rules that are tagged. Group rules using tags. View tags used in policy. Apply tags to policy. See Manage Tags.
Looking for more? See Policy.
Create Tags
Select Objects > Tags to create a tag, assign a color, delete, rename, and clone tags. Each object can have up to 64 tags; when an object has multiple tags, it displays the color of the first tag applied to it.
On the firewall, the Objects > Tags tab displays the tags that you define locally on the firewall or push from Panorama to the firewall; on Panorama, it displays the tags that you define on Panorama. This tab does not display the tags that are dynamically retrieved from the VM Information sources defined on the firewall for forming dynamic address groups, or tags that are defined using the XML API.
When you create a new tag, the tag is automatically created in the Virtual System or Device Group that is currently selected on the firewall or Panorama.
Add a tag: To add a new tag, click Add and then fill in the following fields:
Tag Setting: Description
Name: Enter a unique tag name (up to 127 characters). The name is not case-sensitive.
Shared: Select this option if you want the tag to be available to:
  - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the tag will be available only to the Virtual System selected in the Objects tab.
  - Every device group on Panorama. If you clear this selection, the tag will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only): Select this option if you want to prevent administrators from creating local copies of the tag in descendant device groups by overriding its inherited values. This selection is cleared by default, which means overriding is enabled.
Color: Select a color from the color palette in the drop-down. The default value is None.
Comments: Add a label or description to remind you what the tag is used for.
You can also create a new tag when you create or edit policy in the Policies tab. The tag is automatically created in the Device Group or Virtual System that is currently selected.
Edit a tag: To edit, rename, or assign a color to a tag, click the tag name that displays as a link and modify the settings.
Delete a tag: To delete a tag, click Delete and select the tag in the window. You cannot delete a predefined tag.
Move or Clone a tag: The option to move or clone a tag allows you to copy a tag or move the tag to a different Device Group or Virtual System on firewalls enabled for multiple virtual systems.
  1. Click Clone or Move and select the tag in the window.
  2. Select the Destination location (Device Group or Virtual System) for the tag.
  3. Clear the Error out on first detected error in validation selection if you want the validation process to discover all the errors for the object before displaying the errors. By default, this option is enabled and the validation process stops when the first error is detected and displays only that error.
Override or Revert a tag (Panorama only): The Override option is available if you have not selected the Disable override option when creating the tag. It allows you to override the color assigned to the tag that was inherited from a shared or ancestor device group. The Location field displays the current device group. You can also select Disable override to disable further overrides.
To undo the changes on a tag, click Revert. When you revert a tag, the Location field displays the device group or virtual system from where the tag was inherited.
Use the Tag Browser
The tag browser presents a summary of all the tags used within a rulebase (policy set). It allows you to see a list of all the tags and the order in which they are listed in the rulebase.
You can sort, browse, search, and filter for a specific tag, or view only the first tag applied to each rule in the rulebase.
The following table describes the tag browser options.
Tag Browser Option: Description
Tag (#): Displays the label and the rule number or range of numbers in which the tag is used contiguously. Hover over the label to see the location where the rule was defined. The location can be inherited from the Shared location, a device group, or a virtual system.
Rule: Lists the rule number or range of numbers associated with the tags.
Filter by first tag in rule: Displays only the first tag applied to each rule in the rulebase, when selected. This view is particularly useful if you want to narrow the list and view related rules that might be spread around the rulebase. For example, if the first tag in each rule denotes its function (administration, web-access, datacenter access, proxy), you can narrow the result and scan the rules based on function.
Rule Order: Sorts the tags in the order of appearance within the selected rulebase. When displayed in order of appearance, tags used in contiguous rules are grouped together. The rule number with which the tag is associated is displayed along with the tag name.
Alphabetical: Sorts the tags in alphabetical order within the selected rulebase. The display lists the tag name, color (if a color is assigned), and the number of times it is used within the rulebase. The label None represents rules without any tags; it does not display rule numbers for untagged rules. When you select None, the right pane is filtered to display rules that have no tags assigned to them.
Clear: Clears the filter on the currently selected tags in the search bar.
Search bar: Allows you to search for a tag. Enter the term and click the green arrow to apply the filter. It also displays the total number of tags in the rulebase and the number of selected tags.
For other actions, see Manage Tags.
Manage Tags
The following table lists the actions you can perform using the tag browser.
Manage Tags
Tag a rule. Select a rule on the right pane. Do one of the following:
  - Select a tag in the tag browser and, from the drop-down, Apply the Tag to the Selection(s).
  - Drag and drop tags from the tag browser onto the tag column of the rule. When you drop the tags, a confirmation dialog displays.
View the currently selected tags. Select one or more tags in the tag browser. The tags are filtered using an OR operator. The right pane updates to display the rules that have any of the selected tags. To view the currently selected tags, hover over the Clear label in the tag browser.
View rules that match the selected tags. You can filter rules based on tags with an AND or an OR operator.
  - OR filter: To view rules that have specific tags, select one or more tags in the tag browser. The right pane will display only the rules that include the currently selected tags.
  - AND filter: To view rules that have all the selected tags, hover over the number in the Rule column of the tag browser and select Filter in the drop-down. Repeat to add more tags.
Click the in the search bar on the right pane. The results are displayed using an AND operator.
Untag a rule. Hover over the rule number in the Rule column of the tag browser and select Untag Rule(s) in the drop-down. Confirm that you want to remove the selected tag from the rule.
Reorder a rule using tags. Select one or more tags and hover over the rule number in the Rule column of the tag browser and select Move Rule(s) in the drop-down. Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down.
Add a new rule that applies the selected tags. Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Add New Rule in the drop-down. The numerical order of the new rule varies by whether you selected a rule on the right pane. If no rule was selected on the right pane, the new rule will be added after the rule to which the selected tag(s) belongs. Otherwise, the new rule is added after the selected rule.
Search for a tag. In the tag browser, enter the first few letters of the tag name you want to search for and click to display the tags that match your input.
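The tag browser views (contiguous rule ranges, first-tag filtering, the None entry for untagged rules) and the OR and AND filters described above can be modeled offline, for example to audit an exported rulebase for untagged rules. This is an added example, not Palo Alto Networks code; the rule names, the RULEBASE list and the function names are constructed for illustration.

```python
# Constructed sample rulebase: (rule name, tags in the order they were applied).
RULEBASE = [
    ("allow-admin-ssh",   ["administration", "datacenter"]),
    ("allow-admin-https", ["Administration"]),   # tag names are not case-sensitive
    ("allow-web",         ["web-access"]),
    ("allow-dns",         []),                   # untagged rule
    ("allow-proxy",       ["proxy", "web-access"]),
    ("allow-db",          ["datacenter", "administration"]),
]

def contiguous_ranges(numbers):
    """Collapse ascending rule numbers into runs: [1, 2, 6] -> [(1, 2), (6, 6)]."""
    runs = []
    for n in numbers:
        if runs and n == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], n)
        else:
            runs.append((n, n))
    return runs

def tag_summary(rulebase, first_tag_only=False):
    """Map each tag to the rule-number runs where it is used contiguously.

    The key None collects untagged rules. The tag browser shows no rule
    numbers for None; they are kept here so an audit can list those rules.
    """
    seen = {}
    for num, (_, tags) in enumerate(rulebase, start=1):
        shown = tags[:1] if first_tag_only else tags
        for tag in shown or [None]:
            key = tag.lower() if tag else None
            seen.setdefault(key, []).append(num)
    return {tag: contiguous_ranges(nums) for tag, nums in seen.items()}

def filter_rules(rulebase, selected, mode="OR"):
    """Rule names matching the selected tags: OR = any tag, AND = all tags."""
    want = {t.lower() for t in selected}
    if not want:
        return []
    match = any if mode == "OR" else all
    return [name for name, tags in rulebase
            if match(t in {x.lower() for x in tags} for t in want)]

if __name__ == "__main__":
    for tag, runs in tag_summary(RULEBASE).items():
        print(tag, runs)
    print(filter_rules(RULEBASE, ["administration", "datacenter"], "AND"))
```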
