Register IP Addresses and Tags Dynamically
To cope with the scale, inflexibility and performance limits of static infrastructure, networks today allow virtual machines and applications to be provisioned, changed, and deleted on demand. This agility poses a challenge for security administrators because they have limited visibility into the IP addresses of dynamically provisioned VMs and into the many applications that can be enabled on these virtual resources, so static address objects in policy go stale quickly.
The firewall (hardware-based models and the VM-Series) supports the ability to register IP addresses and tags dynamically. The IP addresses and tags can be registered on the firewall directly or registered on the firewall through Panorama. You can also automatically remove tags on the source or destination IP address included in a firewall log.
This dynamic registration process can be enabled using any of the following options:
- User-ID agent for Windows—In an environment where you’ve deployed the User-ID agent, you can enable the User-ID agent to monitor up to 100 VMware ESXi and/or vCenter Servers. As you provision or modify virtual machines on these VMware servers, the agent can retrieve the IP address changes and share them with the firewall.
- VM Information Sources—Allows you to monitor VMware ESXi, vCenter Server, AWS VPCs, or Google Compute Engine natively on the firewall, to retrieve IP address changes when you provision or modify virtual machines on these sources. For monitoring virtual machines in your Microsoft Azure deployment, you can deploy the VM Monitoring script that runs on a virtual machine within the Azure public cloud. This script collects the IP address-to-tag mapping for all your Azure assets and uses the API to push the VM information to your Palo Alto Networks® firewall(s). VM Information Sources polls for a predefined set of attributes and does not require external scripts to register the IP addresses through the XML API. See Monitor Changes in the Virtual Environment.
- Panorama Plugin—Allows you to enable a Panorama hardware appliance or Panorama virtual appliance to connect to your Azure or AWS public cloud environment and retrieve information on the virtual machines deployed within your subscription or VPC. Panorama then registers the VM information to the managed Palo Alto Networks® firewall(s) that you have configured for notification, and you can use the attributes to define Dynamic Address Groups and attach them to Security policy rules to allow or deny traffic to/from these VMs.
- VMware Service Manager (only available for the integrated NSX solution)—The integrated NSX solution is designed for automated provisioning and distribution of Palo Alto Networks next-generation security services and the delivery of dynamic context-based security policies using Panorama. The NSX Manager updates Panorama with the latest information on the IP addresses and tags associated with the virtual machines deployed in this integrated solution. For information on this solution, see Set Up a VM-Series NSX Edition Firewall.
- XML API—The firewall and Panorama support an XML API that uses standard HTTP requests to send and receive data. You can use this API to register IP addresses and tags with the firewall or Panorama. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports REST-based services. Refer to the PAN-OS XML API Usage Guide for details.
- Auto-Tag—Tag the source or destination IP address automatically when a log is generated on the firewall, and register the IP address-to-tag mapping to a User-ID agent on the firewall or Panorama, or to a remote User-ID agent using an HTTP server profile. For example, whenever the firewall generates a threat log, you can configure the firewall to tag the source IP address in the threat log with a specific tag name. Additionally, you can configure the firewall to dynamically unregister a tag after a configured amount of time using a timeout. For example, you can set the timeout to the same duration as the IP address's DHCP lease. This allows the IP address-to-tag mapping to expire at the same time as the DHCP lease, so that you do not unintentionally apply policy to a different host when the IP address is reassigned.
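The XML API and timeout behaviour described in the two items above, as an added example that is not code from Palo Alto Networks or from this page. It builds the `uid-message` document that the `type=user-id` API call expects, attaches a per-tag `timeout` so a mapping expires on its own (the same idea as matching the Auto-Tag timeout to a DHCP lease), and shows how the request is sent. The hostname `fw.example.test`, the API key, and the IP addresses and tag names are assumptions for illustration; the XML structure, the `persistent` and `timeout` attributes, the `X-PAN-KEY` header and the `status` attribute of the response are the documented PAN-OS API shape.

```python
"""Register and unregister IP-address-to-tag mappings on a PAN-OS firewall or
Panorama through the XML API (type=user-id).

Added example, not Palo Alto Networks code. Host, API key and the sample
IP/tag values are assumptions; nothing here contacts a real device unless
send_uid_message() is called explicitly.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(register=None, unregister=None, persistent=True):
    """Return the uid-message XML for one dynamic IP/tag update.

    register:   {ip: [(tag, timeout_seconds_or_None), ...]}
    unregister: {ip: [tag, ...]}  (an empty list removes every tag on that IP)
    persistent: False (persistent="0") drops the mapping on reboot, which is
                the safer default for short-lived cloud instances.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")

    if register:
        reg = ET.SubElement(payload, "register")
        for ip, tags in register.items():
            entry = ET.SubElement(reg, "entry", ip=ip,
                                  persistent="1" if persistent else "0")
            tag_el = ET.SubElement(entry, "tag")
            for tag, timeout in tags:
                member = ET.SubElement(tag_el, "member")
                member.text = tag
                if timeout is not None:
                    # The firewall unregisters this tag by itself after
                    # `timeout` seconds, e.g. set it to the DHCP lease time so
                    # the mapping cannot outlive the host that owned the IP.
                    member.set("timeout", str(int(timeout)))

    if unregister:
        unreg = ET.SubElement(payload, "unregister")
        for ip, tags in unregister.items():
            entry = ET.SubElement(unreg, "entry", ip=ip)
            if tags:  # no <tag> element means "remove all tags for this IP"
                tag_el = ET.SubElement(entry, "tag")
                for tag in tags:
                    ET.SubElement(tag_el, "member").text = tag

    return ET.tostring(root, encoding="unicode")


def build_request(host, api_key, uid_xml):
    """Build the HTTPS POST for /api/ with the key in the X-PAN-KEY header.

    Sending the key as a header rather than as the ?key= query parameter keeps
    it out of proxy and web-server access logs.
    """
    body = urllib.parse.urlencode({"type": "user-id", "cmd": uid_xml}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    req.add_header("X-PAN-KEY", api_key)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def parse_api_response(text):
    """Return (status, message) from a PAN-OS API response document."""
    root = ET.fromstring(text)
    msg = root.find(".//msg")
    return root.get("status"), ("".join(msg.itertext()).strip() if msg is not None else "")


def send_uid_message(host, api_key, uid_xml, cafile=None):
    """POST the update and return (status, message). TLS is always verified;
    pass cafile= for a firewall certificate issued by a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(build_request(host, api_key, uid_xml),
                                context=ctx, timeout=15) as resp:
        return parse_api_response(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample: tag a new web VM for one DHCP lease (3600 s) and
    # drop every tag from an address that has been released.
    msg = build_uid_message(
        register={"10.1.1.5": [("web-tier", 3600), ("pci", None)]},
        unregister={"10.1.1.9": []},
        persistent=False,
    )
    print(msg)
    # send_uid_message("fw.example.test", "<api-key>", msg)  # assumed host
```

Generate the key with `type=keygen` for a dedicated administrator whose admin role grants only the User-ID Agent XML API permission, so a leaked key cannot change configuration. After a successful call, `show object registered-ip all` on the firewall CLI lists the mapping and the remaining timeout, which is the quickest way to confirm that a Dynamic Address Group will pick it up.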
For information on creating and using Dynamic Address Groups, see Use Dynamic Address Groups in Policy.
For the CLI commands for registering tags dynamically, see CLI Commands for Dynamic IP Addresses and Tags.