Real-Time Enforcement and Expanded Capacities for Dynamic Address Groups
Virtualization, cloud computing, and IoT have increased the frequency and amount of dynamic changes in the network. To ensure that your network is protected, the firewall can now update the registered IP addresses in a dynamic address group-based policy in real time. For example, if you have a containerized environment for software delivery where workloads can scale up or down and start sending business-critical traffic in a matter of seconds, you can use dynamic address groups in policy to secure these workloads as soon as they begin passing traffic. As soon as the firewall receives a tag for a container's source IP address, it can compile the associated dynamic address groups and allow or block traffic based on your Security policy rules in real time. Similarly, if an IoT device or user device joins the network, the firewall can update dynamic address groups and enforce policy in real time to secure the traffic from the device. Additionally, to support the large number of IP addresses generated by IoT devices, virtual machines, and containers, some firewall models now support a higher capacity for registering IP addresses. (See Use Dynamic Address Groups in Policy for the registered IP address capacity of each firewall model.)
It is now easier to view the IP address-to-tag mapping with the addition of the IP-tag log on the firewall web interface. This log displays the time when a source IP address is registered or unregistered with the firewall and what tags are associated with that IP address, along with the source from which the firewall learned the IP address-to-tag mapping information.
Due to the large number of IP-tag logs generated by the firewall, we do not recommend forwarding the logs to an external service using email or SNMP.
The IP-tag log contains the following fields:
- The time that the event was logged on the firewall.
- The virtual system (vsys) to which the tag is registered.
- The IP address on which a tag was applied or removed.
- The tag that was applied or removed.
- The type of event that occurred. Possible values are
- The amount of time, in minutes, that elapses before the tag is unregistered automatically.
- The source of the IP address-to-tag mapping information. Possible source names are
  HA. See Register IP Addresses and Tags Dynamically for more information about the IP address-to-tag mapping sources.
- The type of source that provided the IP address-to-tag mapping information. Possible source types are
Auto-tagging allows the firewall to tag the source or destination IP address when a log is generated on the firewall and establish an IP address-to-tag mapping. The firewall can now automatically remove a tag associated with an IP address, so you no longer need to take an explicit action to remove a tag. You can configure a timeout as part of a built-in action for a log forwarding profile or as part of log forwarding settings (
). Configure the timeout, in minutes, from zero (0) minutes to 30 days (43,200 minutes). If you set the timeout to zero (0), the IP address-to-tag mapping does not time out and must be removed with an explicit action.
- Log in to the firewall web interface.
- Select Objects > Log Forwarding.
- Select an existing Log Forwarding Profile or Add a new one.
- Under Built-in Actions, click Add.
- Configure an Action.
  - Enter a descriptive Name.
  - Select Source Address or Destination Address from the Target drop-down.
  - Select Add Tag as the Action. IP-tag timeout does not work with the Remove Tag action.
  - (New in PAN-OS 9.0) Select whether to register the IP address-to-tag mapping to the Local User-ID agent on the firewall or Panorama, or to a Remote User-ID agent.
  - Set the Timeout in minutes.
  - Select the Tags to apply or remove from the target IP address.
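The following added example (not Palo Alto Networks code, and not the firewall's actual log format) ties together the three behaviours described above: it replays constructed IP-tag log records carrying the fields listed for the IP-tag log (time, vsys, IP, tag, event type, timeout, source name and source type) into an IP-address-to-tag registry, applies the timeout semantics of the auto-tagging action (0 means no expiry, 43,200 minutes maximum, explicit unregister otherwise), and then compiles a dynamic address group's membership from its tag match criteria at a given point in time. The record layout, source names, tag names and addresses are constructed for illustration.

```python
"""Added example, not Palo Alto Networks code: replay constructed IP-tag log
records into an IP-address-to-tag registry that honours per-mapping timeouts,
then compile a dynamic address group's membership from its tag match criteria.
The record layout, source names and addresses are constructed for this example
and do not reproduce the firewall's real log format."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_TIMEOUT_MINUTES = 30 * 24 * 60  # 30 days = 43,200 minutes, the stated maximum


def at(s):
    """Parse a constructed 'YYYY/MM/DD HH:MM:SS' timestamp."""
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S")


@dataclass
class IpTagEvent:
    """One IP-tag log record; the fields mirror the columns described above."""
    received: datetime
    vsys: str
    ip: str
    tag: str
    event: str            # "register" or "unregister"
    timeout_minutes: int  # 0 means the mapping never times out
    source_name: str
    source_type: str


def parse_ip_tag_log(text):
    """Parse constructed comma-separated records (one per line) into events."""
    events = []
    for line in text.strip().splitlines():
        ts, vsys, ip, tag, event, timeout, src_name, src_type = [f.strip() for f in line.split(",")]
        events.append(IpTagEvent(at(ts), vsys, ip, tag, event, int(timeout), src_name, src_type))
    return events


@dataclass
class TagRegistry:
    """ip -> {tag: expiry}; expiry is None for mappings registered with timeout 0."""
    mappings: dict = field(default_factory=dict)

    def apply(self, ev):
        if not 0 <= ev.timeout_minutes <= MAX_TIMEOUT_MINUTES:
            raise ValueError(f"timeout {ev.timeout_minutes} outside 0..{MAX_TIMEOUT_MINUTES} minutes")
        tags = self.mappings.setdefault(ev.ip, {})
        if ev.event == "register":
            # A non-zero timeout schedules the automatic unregister; 0 keeps it forever.
            expiry = None if ev.timeout_minutes == 0 else ev.received + timedelta(minutes=ev.timeout_minutes)
            tags[ev.tag] = expiry
        elif ev.event == "unregister":
            tags.pop(ev.tag, None)  # explicit removal, e.g. a Remove Tag action
        else:
            raise ValueError(f"unknown event type {ev.event!r}")
        if not tags:
            del self.mappings[ev.ip]

    def tags_for(self, ip, now):
        """Live tags for an IP at time `now`; mappings whose timeout has elapsed are ignored."""
        return {t for t, exp in self.mappings.get(ip, {}).items() if exp is None or exp > now}


def registry_at(events, now):
    """Replay every record received up to `now` (records must be in time order)."""
    reg = TagRegistry()
    for ev in events:
        if ev.received <= now:
            reg.apply(ev)
    return reg


def match_all(*required):
    """Match criteria 'tag1 AND tag2 ...' for a dynamic address group."""
    return lambda tags: set(required) <= tags


def match_any(*options):
    """Match criteria 'tag1 OR tag2 ...'."""
    return lambda tags: bool(set(options) & tags)


def dag_members(events, match, now):
    """Compile the group: IPs whose live tags satisfy the match criteria at `now`."""
    reg = registry_at(events, now)
    return sorted(ip for ip in reg.mappings if match(reg.tags_for(ip, now)))


# Constructed sample log: time, vsys, IP, tag, event, timeout (min), source name, source type
SAMPLE_LOG = """
2019/03/01 10:00:00, vsys1, 10.1.1.5, app-web,  register,   30, example-orchestrator, xml-api
2019/03/01 10:00:01, vsys1, 10.1.1.5, env-prod, register,    0, example-orchestrator, xml-api
2019/03/01 10:00:02, vsys1, 10.1.1.6, app-web,  register,    0, example-agent,        user-id-agent
2019/03/01 10:05:00, vsys1, 10.1.1.6, app-web,  unregister,  0, example-agent,        user-id-agent
"""
EVENTS = parse_ip_tag_log(SAMPLE_LOG)
PROD_WEB = match_all("app-web", "env-prod")  # hypothetical group: app-web AND env-prod
ANY_WEB = match_any("app-web")               # hypothetical group: app-web

if __name__ == "__main__":
    for when in ("2019/03/01 10:01:00", "2019/03/01 10:10:00", "2019/03/01 10:31:00"):
        print(when, "prod-web:", dag_members(EVENTS, PROD_WEB, at(when)),
              "any-web:", dag_members(EVENTS, ANY_WEB, at(when)))
```

Replaying to a chosen instant rather than keeping one mutable state is what makes the membership answer reproducible from the log alone: the same records give the same group at the same time. Note that the 30-minute mapping on 10.1.1.5 drops out of both groups at 10:30 without any unregister record, while its timeout-0 mapping survives until something explicitly removes it, which is exactly the distinction the timeout setting above draws.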