Objects > Address Groups
To simplify the creation of security policies, addresses that require the same security settings can be combined into address groups. An address group can be static or dynamic.
- Dynamic Address Groups: A dynamic address group populates its members dynamically using lookups for tags and tag-based filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure where changes in virtual machine location/IP address are frequent. For example, you have a sophisticated failover setup or provision new virtual machines frequently and would like to apply policy to traffic from or to the new machine without modifying the configuration/rules on the firewall.
  To use a dynamic address group in policy you must complete the following tasks:
  - Define a dynamic address group and reference it in a policy rule.
  - Notify the firewall of the IP addresses and the corresponding tags, so that members of the dynamic address group can be formed. You can do this using external scripts that use the XML API on the firewall or, for a VMware-based environment, you can select Device > VM Information Sources to configure settings on the firewall.
  Dynamic address groups can also include statically defined address objects. If you create an address object and apply the same tags that you have assigned to a dynamic address group, that dynamic address group will include all static and dynamic objects that match the tags. You can, therefore, use tags to pull together both dynamic and static objects in the same address group.
- Static Address Groups: A static address group can include address objects that are static, dynamic address groups, or it can be a combination of both address objects and dynamic address groups.

To create an address group, click Add and fill in the following fields:
Address Group Settings
Enter a name that describes the address group (up to 63 characters). This name appears in the address list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Select this option if you want the address group to be available to:
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this address group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Enter a description for the object (up to 255 characters).
Select Static or Dynamic.
To create a dynamic address group, use the match criteria to assemble the members to be included in the group. Define the Match criteria using the AND or OR operators.
To view the list of attributes for the match criteria, you must have configured the firewall to access and retrieve the attributes from the source/host. Each virtual machine on the configured information source(s) is registered with the firewall and the firewall can poll the machine to retrieve changes in IP address or configuration without any modifications on the firewall.
For a static address group, click Add and select one or more Addresses. Click Add to add an object or an address group to the address group. The group can contain address objects, and both static and dynamic address groups.
Select or enter the tags that you wish to apply to this address group. For information on tags, see Objects > Tags.
Members Count and Address
After you add an address group, the Members Count column on the Objects > Address Groups page indicates whether the objects in the group are populated dynamically or statically.
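The task of notifying the firewall of IP addresses and their tags through the XML API can be scripted as follows. This is an added example, not code from the original page or from the vendor; the host name, API key placeholder, sample addresses and the `ALLOWED_TAGS` allowlist are assumptions. Because whoever registers a tag decides which policy rules apply to an address, the script validates every IP and refuses tags outside the allowlist.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Tags this script may register (constructed values; hypothetical allowlist).
ALLOWED_TAGS = {"web-tier", "db-tier", "quarantine"}


def build_uid_message(mappings, action="register"):
    """Build the <uid-message> XML for IP-to-tag registration.

    mappings: dict of IP address string -> iterable of tag names.
    action:   "register" adds the tags, "unregister" removes them.
    """
    if action not in ("register", "unregister"):
        raise ValueError(f"unsupported action: {action!r}")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    section = ET.SubElement(ET.SubElement(root, "payload"), action)
    for ip, tags in sorted(mappings.items()):
        addr = ipaddress.ip_address(ip)  # ValueError on anything but one IP
        tags = sorted(set(tags))
        rejected = [t for t in tags if t not in ALLOWED_TAGS]
        if not tags or rejected:
            raise ValueError(f"{ip}: empty or non-allowlisted tags {rejected}")
        entry = ET.SubElement(section, "entry", ip=str(addr))
        tag_el = ET.SubElement(entry, "tag")
        for t in tags:
            ET.SubElement(tag_el, "member").text = t
    return ET.tostring(root, encoding="unicode")


def build_request(host, api_key, mappings, action="register"):
    """Return (url, form_body) for an HTTPS POST to the firewall XML API.

    The key travels in the POST body rather than the query string, so it
    does not end up in proxy or web-server access logs.
    """
    cmd = build_uid_message(mappings, action)
    body = urlencode({"type": "user-id", "key": api_key, "cmd": cmd})
    return f"https://{host}/api/", body


if __name__ == "__main__":
    # Constructed sample: two newly provisioned VMs (documentation addresses).
    url, body = build_request("fw.example.internal", "API_KEY_PLACEHOLDER",
                              {"192.0.2.10": ["web-tier"],
                               "192.0.2.11": ["db-tier"]})
    print(url)
    print(body)
```

Send the returned body as `application/x-www-form-urlencoded` over a certificate-verified HTTPS connection, using an API key from an administrator role limited to this operation.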
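To preview which addresses a set of match criteria would pull into a dynamic address group, including static address objects that carry the same tags, the membership rule described above can be modelled offline. This is an added example and a simplified model, not the firewall's own logic; the quoted-tag expression syntax, the sample tags and the sample addresses are assumptions, and expressions that mix AND with OR are rejected because the page does not describe how they are grouped.

```python
import re

TOKEN = re.compile(r"'([^']+)'|\b(and|or)\b", re.IGNORECASE)


def parse_criteria(expr):
    """Parse "'a' and 'b'" into (operator, [tags]); one operator kind only."""
    found = TOKEN.findall(expr)
    shape = "".join("t" if tag else "o" for tag, _ in found)
    # Require tag (op tag)* and nothing else but whitespace in the expression.
    if not re.fullmatch(r"t(ot)*", shape) or TOKEN.sub("", expr).strip():
        raise ValueError(f"malformed match criteria: {expr!r}")
    ops = {op.lower() for _, op in found if op}
    if len(ops) > 1:
        raise ValueError("mixed AND/OR is outside this model")
    tags = [tag for tag, _ in found if tag]
    return (ops.pop() if ops else "and"), tags


def resolve_members(expr, registered, static_objects):
    """Return the sorted addresses a dynamic group with `expr` would contain.

    registered:     dict IP -> set of tags reported to the firewall.
    static_objects: dict object name -> (address, set of tags).
    """
    op, wanted = parse_criteria(expr)
    test = all if op == "and" else any
    candidates = list(registered.items()) + list(static_objects.values())
    return sorted(addr for addr, tags in candidates
                  if test(t in tags for t in wanted))


if __name__ == "__main__":
    # Constructed sample data: two registered VMs and one static object.
    registered = {"10.1.1.10": {"web-tier", "prod"},
                  "10.1.1.20": {"web-tier", "dev"}}
    static_objects = {"legacy-web": ("192.0.2.15", {"web-tier", "prod"})}
    for expr in ("'web-tier' and 'prod'", "'prod' or 'dev'"):
        print(expr, "->", resolve_members(expr, registered, static_objects))
```

Comparing the AND and OR results for the same tags shows how much an OR criterion widens the set of addresses a rule will cover.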