Real-Time Enforcement and Expanded Capacities for Dynamic Address Groups
Virtualization, cloud computing, and IoT have increased the frequency and volume of dynamic changes in the network. To ensure that the network stays protected, the firewall can now update the registered IP addresses in a dynamic address group-based (DAG) policy in real time. For example, if you have a containerized environment for software delivery, where workloads can scale up or down and start sending business-critical traffic in a matter of seconds, you can use dynamic address groups in policy to secure such workloads as soon as they begin passing traffic. As soon as the firewall receives a tag on a container's source IP address, it can compile the associated DAGs and allow or block traffic based on security policy rules in real time. Similarly, if an IoT device or user device joins the network, the firewall can update DAGs and enforce policy in real time to secure the traffic from the device. And to support the large number of IP addresses generated by IoT devices, virtual machines, and containers, select firewall models now support a higher capacity for registered IP addresses. See Use Dynamic Address Groups in Policy for the registered IP address capacity of each firewall model.
It is now easier to view the IP address-to-tag mapping with the addition of the IP-tag log on the firewall web interface. This log displays when a source IP address was registered or unregistered with the firewall, which tags are associated with that IP address, and the source from which the firewall learned the IP address-to-tag mapping.
Additionally, you can generate custom reports based on IP-tag logs, or forward IP-tag logs to Panorama, Log Collectors, and external services.
Due to the large number of IP-tag logs generated by the firewall, forwarding the logs using email or SNMP to an external service is not recommended.
| Field | Description |
|---|---|
| Receive Time | The time that the event was logged with the firewall. |
| Virtual System | The virtual system (vsys) to which the tag is registered. |
| Source IP-Address | The IP address on which a tag was applied or removed. |
| Tag | The tag that was applied or removed. |
| Event | The type of event that occurred. Possible values are register and unregister. |
| Timeout | The amount of time, in minutes, that elapses before the tag is unregistered automatically. |
| Source Name | The source of the IP address-to-tag mapping information. Possible source names are XML API, AGENT, and HA. See Register IP Addresses and Tags Dynamically for more information about the IP-to-tag mapping sources. |
| Source Type | The type of source that provided the IP address-to-tag mapping information. Possible source types are unknown, xml-api, ha, and vm-monitor. |
Auto-tagging allows the firewall to tag the source or destination IP address when a log is generated on the firewall and to establish an IP address-to-tag mapping. The firewall can now automatically remove a tag associated with an IP address, so you no longer need to take an explicit action to remove a tag. You can configure a timeout as part of a built-in action for a log forwarding profile or as part of the log forwarding settings (Device > Log Settings). Configure the timeout, in minutes, from zero (0) minutes to 30 days (43,200 minutes). If you set the timeout to zero (0), the IP address-to-tag mapping does not time out and must be removed with an explicit action.
- Log in to the firewall web interface.
- Select Objects > Log Forwarding.
- Select an existing Log Forwarding Profile or click Add to create a new one.
- Click Add.
- Under Built-in Actions, click Add.
- Configure an Action.
- Enter a descriptive Name.
- Select Source Address or Destination Address from the Target drop-down.
- Select Add Tag as the Action. IP-tag timeout does not work with the Remove Tag action.
- (New in PAN-OS 9.0) Select whether to register the IP address-to-tag mapping to the Local User-ID agent on the firewall or Panorama, or to a Remote User-ID agent.
- Set the Timeout in minutes.
- Select the Tags to apply to or remove from the target IP address.
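The following added example (not part of the original documentation or of PAN-OS) replays a constructed set of IP-tag log events with the fields from the table above and computes which addresses a DAG matching a given tag would contain at a chosen moment, honoring explicit unregister events and the minute-based timeout (0 meaning the mapping never expires automatically). The CSV layout, timestamps and addresses are assumptions for illustration, not the firewall's export format.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed IP-tag log lines (assumed simplified CSV layout):
# receive time, vsys, source IP, tag, event, timeout (minutes), source name
SAMPLE_IPTAG_LOG = """\
2019/03/01 10:00:00,vsys1,10.1.1.5,web-tier,register,30,XML API
2019/03/01 10:00:05,vsys1,10.1.1.6,web-tier,register,0,AGENT
2019/03/01 10:05:00,vsys1,10.1.1.7,quarantine,register,10,XML API
2019/03/01 10:20:00,vsys1,10.1.1.6,web-tier,unregister,0,AGENT
"""

def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")

def replay_iptag_log(text: str, now: datetime) -> Dict[str, Dict[str, Optional[datetime]]]:
    """Rebuild the IP-to-tag state the firewall would hold at `now`.

    Returns {ip: {tag: expiry}}; an expiry of None models timeout 0,
    i.e. a mapping that is only removed by an explicit unregister."""
    state: Dict[str, Dict[str, Optional[datetime]]] = {}
    for line in text.splitlines():
        ts, _vsys, ip, tag, event, timeout, _src = line.split(",")
        when = _parse_ts(ts)
        if when > now:          # events in the future have not happened yet
            continue
        if event == "register":
            minutes = int(timeout)
            expiry = when + timedelta(minutes=minutes) if minutes > 0 else None
            state.setdefault(ip, {})[tag] = expiry
        elif event == "unregister":
            state.get(ip, {}).pop(tag, None)
    return state

def members_at(text: str, tag: str, when: str) -> List[str]:
    """Addresses a DAG whose match criterion is `tag` contains at time `when`."""
    now = _parse_ts(when)
    state = replay_iptag_log(text, now)
    return sorted(ip for ip, tags in state.items()
                  if tag in tags and (tags[tag] is None or tags[tag] > now))

if __name__ == "__main__":
    for t in ("10:10:00", "10:25:00", "10:35:00"):
        print(t, members_at(SAMPLE_IPTAG_LOG, "web-tier", "2019/03/01 " + t))
```

At 10:10 both web-tier hosts match; by 10:25 10.1.1.6 has been explicitly unregistered, and by 10:35 the 30-minute mapping on 10.1.1.5 has expired, so the group is empty.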