Register IP Addresses and Tags Dynamically
To mitigate the challenges of scale, lack of flexibility, and performance, network architecturestoday allow for virtual machines (VMs) and applications to be provisioned, changed, and deleted on demand. This agility,though, poses a challenge for security administrators because they have limited visibility into the IP addresses of the dynamically provisioned VMs and the plethora of applications that can be enabled on these virtual resources.
Firewalls (hardware-based and VM-Series models) support the ability to register IP addresses and tags dynamically. The IP addresses and tags can be registered on the firewall directly or from Panorama. You can also automatically remove tags on the source and destination IP addresses included in a firewall log.
You can enable the dynamic registration process using any of the following options:
- User-ID agent for Windows—In an environment where you’ve deployed the User-ID agent, you can enable the User-ID agent to monitor up to 100 VMware ESXi servers, vCenter Servers, or a combination of the two. As you provision or modify virtual machines on these VMware servers, the agent can retrieve the IP address changes and share them with the firewall.
- VM Information Sources—Enables you to monitor VMware ESXi, vCenter Server, AWS-VPCs, and Google Compute Engines natively on the firewalland to retrieve IP address changes when you provision or modify virtual machines on these sources. For monitoring virtual machines in your Microsoft Azure deployment, you can deploy the VM Monitoring script that runs on a virtual machine within the Azure public cloud. This script collects the IP address-to-tag mapping for all your Azure assets and uses the API to push the VM information to your Palo Alto Networks firewalls. VM Information Sources option polls for a predefined set of attributes and does not require external scripts to register the IP addresses through the XML API. See Monitor Changes in the Virtual Environment.
- Panorama Plugin—You can enable a Panorama™M-Seriesor virtual appliance to connect to your Azure or AWS public cloud environment and retrieve information on the virtual machines deployed within your subscription or VPC. Panorama then registers the VM information to the managed Palo Alto Networks firewalls that you configured for notification and then you can use these attributes to define dynamic address groups and attach them to Security policy rules to allow or deny traffic to and from these VMs.
- VMware Service Manager(Integrated NSX solutions only)—The integrated NSX solution is designed for automated provisioning and distribution of the Palo Alto Networks Next-Generation Security OperatingPlatform® and the delivery of dynamic context-based Security policies using Panorama. The NSX Manager updates Panorama with the latest information on the IP addresses and tags associated with the virtual machines deployed in this integrated solution. For information on this solution, see Set Up a VM-Series NSX Edition Firewall.
- XML API—The firewall and Panorama support an XML API that uses standard HTTP requests to send and receive data. You can use this API to register IP addresses and tags with the firewall or Panorama. You can make API calls directly from command-line utilities such, as cURL, or by using any scripting or application framework that supports REST-based services. Refer to the PAN-OS XML API Usage Guide for details.
- Auto-Tag—Tag the source or destination IP address automatically when a log is generated on the firewall and register the IP address and tag mapping to a User-ID agent on the firewall or on Panorama, or to a remote User-ID agent using an HTTP server profile. For example, whenever the firewall generates a threat log, you can configure the firewall to tag the source IP address in the threat log with a specific tag name.Additionally, you can configure the firewall to dynamically unregister a tag after a configured amount of time using a timeout. For example, you can configure the timeout to be the same duration as the DHCP lease timeout for the IP address.This allows the IP address-to-tag mapping to expire at the same time as the DHCP lease so that you don’t unintentionally apply policy when the IP address is reassigned.
For information on creating and using Dynamic Address Groups, see Use Dynamic Address Groups in Policy.
For the CLI commands for registering tags dynamically, see CLI Commands for Dynamic IP Addresses and Tags.