Real-Time Enforcement and Expanded Capacities for Dynamic Address Groups

Virtualization, cloud computing, and IoT have increased the frequency and volume of dynamic changes in the network. To keep the network protected, the firewall can now update the registered IP addresses in a dynamic address group (DAG)-based policy in real time. For example, if you have a containerized environment for software delivery, where workloads can scale up or down and start sending business-critical traffic in a matter of seconds, you can use dynamic address groups in policy to secure such workloads as soon as they begin passing traffic. As soon as the firewall receives a tag on a container's source IP address, it can recompile the associated DAGs and allow or block traffic based on security policy rules in real time. Similarly, if an IoT device or user device joins the network, the firewall can update DAGs and enforce policy in real time to secure the traffic from the device. To support the large number of IP addresses generated by IoT devices, virtual machines, and containers, select firewall models now support a higher capacity for registering IP addresses. See Use Dynamic Address Groups in Policy for the registered IP address capacity of each firewall model.

IP-Tag Log

It is now easier to view the IP address-to-tag mapping with the addition of the IP-tag log on the firewall web interface. This log displays the time when a source IP address is registered or unregistered with the firewall and what tags are associated with that IP address, and the source from which the firewall learned the IP address-to-tag mapping information.
Additionally, you can generate custom reports based on IP-tag logs, or forward IP-tag logs to Panorama, Log Collectors, and external services.
Due to the large number of IP-tag logs generated by the firewall, forwarding the logs using email or SNMP to an external service is not recommended.
Column: Description
Receive Time: The time that the event was logged on the firewall.
Virtual System: The virtual system (vsys) in which the tag is registered.
Source IP-Address: The IP address to which the tag was applied or from which it was removed.
Tag: The tag that was applied or removed.
Event: The type of event that occurred. Possible values are register and unregister.
Timeout: The amount of time, in minutes, that elapses before the tag is unregistered automatically.
Source Name: The source of the IP address-to-tag mapping information. Possible source names are XML API, AGENT, and HA. See Register IP Addresses and Tags Dynamically for more information about the IP address-to-tag mapping sources.
Source Type: The type of source that provided the IP address-to-tag mapping information. Possible source types are unknown, xml-api, ha, and vm-monitor.

IP-Tag Timeout

Auto-tagging allows the firewall to tag the source or destination IP address when a log is generated on the firewall and so establish an IP address-to-tag mapping. The firewall can now automatically remove a tag associated with an IP address, so you no longer need to take an explicit action to remove a tag. You can configure a timeout as part of a built-in action in a log forwarding profile or as part of the log forwarding settings (Device > Log Settings). Configure the timeout, in minutes, from zero (0) minutes to 30 days (43,200 minutes). If you set the timeout to zero (0), the IP address-to-tag mapping does not time out and must be removed with an explicit action.
  1. Log in to the firewall web interface.
  2. Select Objects > Log Forwarding.
  3. Select an existing Log Forwarding Profile or click Add to create a new one.
  4. Click Add.
  5. Under Built-in Actions, click Add.
  6. Configure an Action.
    1. Enter a descriptive Name.
    2. Select Source Address or Destination Address from the Target drop-down.
    3. Select Add Tag as the Action. IP-tag timeout does not work with the Remove Tag action.
    4. (New in PAN-OS 9.0) Select whether to register the IP address-to-tag mapping to the Local User-ID agent on the firewall or Panorama or to a Remote User-ID agent.
    5. Set the Timeout in minutes.
    6. Select the Tags to apply to or remove from the target IP address.
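To make the timeout semantics and the IP-tag log columns above concrete, here is an added example (not code from PAN-OS or this documentation) that replays constructed IP-tag log entries, drops registrations whose timeout has elapsed (a timeout of 0 never expires, as described above), and then evaluates a simplified DAG match criterion. The comma-separated line layout, the sample addresses and tags, and the "all required tags present" match rule are assumptions made for the example; the real firewall computes DAG membership from its own match criteria.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class IpTagEvent:
    """One IP-tag log entry, using the column names from the table above."""
    receive_time: datetime
    vsys: str
    source_ip: str
    tag: str
    event: str          # "register" or "unregister"
    timeout: int        # minutes; 0 means the mapping never expires
    source_name: str    # XML API, AGENT, or HA
    source_type: str    # xml-api, vm-monitor, ha, or unknown


# Constructed sample entries (not real firewall output); assumed CSV layout:
# receive_time,vsys,source_ip,tag,event,timeout,source_name,source_type
SAMPLE_LOG = [
    "2019/03/01 10:00:00,vsys1,10.1.1.5,web-tier,register,30,XML API,xml-api",
    "2019/03/01 10:00:00,vsys1,10.1.1.5,pci,register,0,XML API,xml-api",
    "2019/03/01 10:05:00,vsys1,10.1.1.6,web-tier,register,0,AGENT,vm-monitor",
    "2019/03/01 10:10:00,vsys1,10.1.1.6,web-tier,unregister,0,AGENT,vm-monitor",
    "2019/03/01 10:20:00,vsys1,10.1.1.7,web-tier,register,0,HA,ha",
]


def parse_line(line: str) -> IpTagEvent:
    """Parse one constructed log line into an IpTagEvent."""
    fields = line.split(",")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    return IpTagEvent(
        receive_time=datetime.strptime(fields[0], "%Y/%m/%d %H:%M:%S"),
        vsys=fields[1],
        source_ip=fields[2],
        tag=fields[3],
        event=fields[4],
        timeout=int(fields[5]),
        source_name=fields[6],
        source_type=fields[7],
    )


def effective_mappings(events: List[IpTagEvent], now: datetime) -> Dict[str, Set[str]]:
    """Replay register/unregister events in time order and return the
    IP -> tags mapping still in force at `now`, honouring per-tag timeouts."""
    expiry: Dict[Tuple[str, str], Optional[datetime]] = {}
    for ev in sorted(events, key=lambda e: e.receive_time):
        key = (ev.source_ip, ev.tag)
        if ev.event == "register":
            # timeout 0 => no expiry; otherwise the tag lapses after N minutes
            expiry[key] = None if ev.timeout == 0 else ev.receive_time + timedelta(minutes=ev.timeout)
        elif ev.event == "unregister":
            expiry.pop(key, None)   # explicit removal, regardless of timeout
    mappings: Dict[str, Set[str]] = {}
    for (ip, tag), exp in expiry.items():
        if exp is None or exp > now:
            mappings.setdefault(ip, set()).add(tag)
    return mappings


def dag_members(mappings: Dict[str, Set[str]], required_tags: Set[str]) -> Set[str]:
    """Assumed match criterion: an IP is a member when it carries every required tag."""
    return {ip for ip, tags in mappings.items() if required_tags <= tags}


if __name__ == "__main__":
    events = [parse_line(line) for line in SAMPLE_LOG]
    for when in ("2019/03/01 10:25:00", "2019/03/01 10:35:00"):
        now = datetime.strptime(when, "%Y/%m/%d %H:%M:%S")
        current = effective_mappings(events, now)
        print(when, current, "web-tier DAG:", sorted(dag_members(current, {"web-tier"})))
```

Run it and note that 10.1.1.5 stays in the web-tier group at 10:25 but drops out at 10:35, when its 30-minute timeout has elapsed, while its pci tag (timeout 0) persists until explicitly unregistered; 10.1.1.6 is gone at both times because of the unregister event. Forwarding the log to Panorama or an external collector lets you reconstruct exactly this history when investigating why a DAG did or did not match an address.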
