Register IP Addresses and Tags Dynamically

To mitigate the challenges of scale, lack of flexibility and performance, the architecture in networks today allows for virtual machines and applications to be provisioned, changed, and deleted on demand. This agility poses a challenge for security administrators because they have limited visibility into the IP addresses of the dynamically provisioned VMs, and the plethora of applications that can be enabled on these virtual resources.
The firewall (hardware-based models and the VM-Series) supports the ability to register IP addresses and tags dynamically. The IP addresses and tags can be registered on the firewall directly or registered on the firewall through Panorama. You can also automatically remove tags on the source or destination IP address included in a firewall log.
This dynamic registration process can be enabled using any of the following options:
  • User-ID agent for Windows—In an environment where you’ve deployed the User-ID agent, you can enable the User-ID agent to monitor up to 100 VMware ESXi and/or vCenter Servers. As you provision or modify virtual machines on these VMware servers, the agent can retrieve the IP address changes and share them with the firewall.
  • VM Information Sources—Allows you to monitor VMware ESXi, vCenter Server, AWS-VPCs, or Google Compute Engines natively on the firewall, to retrieve IP address changes when you provision or modify virtual machines on these sources. For monitoring virtual machines in your Microsoft Azure deployment, you can deploy the VM Monitoring script that runs on a virtual machine within the Azure public cloud. This script collects the IP address-to-tag mapping for all your Azure assets and uses the API to push the VM information to your Palo Alto Networks® firewall(s). VM Information Sources polls for a predefined set of attributes and does not require external scripts to register the IP addresses through the XML API. See Monitor Changes in the Virtual Environment.
  • Panorama Plugin—Allows you to enable a Panorama hardware appliance or Panorama virtual appliance to connect to your Azure or AWS public cloud environment and retrieve information on the virtual machines deployed within your subscription or VPC. Panorama then registers the VM information to the managed Palo Alto Networks® firewall(s) that you have configured for notification, and you can use the attributes to define Dynamic Address Groups and attach them to Security policy rules to allow or deny traffic to/from these VMs.
  • VMware Service Manager (only available for the integrated NSX solution)—The integrated NSX solution is designed for automated provisioning and distribution of Palo Alto Networks next-generation security services and the delivery of dynamic context-based security policies using Panorama. The NSX Manager updates Panorama with the latest information on the IP addresses and tags associated with the virtual machines deployed in this integrated solution. For information on this solution, see Set Up a VM-Series NSX Edition Firewall.
  • XML API—The firewall and Panorama support an XML API that uses standard HTTP requests to send and receive data. You can use this API to register IP addresses and tags with the firewall or Panorama. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports REST-based services. Refer to the PAN-OS XML API Usage Guide for details.
  • Auto-Tag— Tag the source or destination IP address automatically when a log is generated on the firewall, and register the IP address and tag mapping to a User-ID agent on the firewall or Panorama, or to a remote User-ID agent using an HTTP server profile. For example, whenever the firewall generates a threat log, you can configure the firewall to tag the source IP address in the threat log with a specific tag name.
    Additionally, you can configure the firewall to dynamically unregister a tag after configured amount of time using a timeout. For example, you can configure the timeout to same duration as the IP address’ DHCP lease timeout.This allows the IP to tag mapping to expire at the same time as the DHCP lease, so that you do not the unintentionally apply policy when the IP address is reassigned.
For information on creating and using Dynamic Address Groups, see Use Dynamic Address Groups in Policy.
For the CLI commands for registering tags dynamically, see CLI Commands for Dynamic IP Addresses and Tags.

Related Documentation