Real-Time Enforcement and Expanded Capacities for Dynamic Address Groups

Virtualization, cloud computing, and IoT have increased the frequency and amount of dynamic changes in the network. To ensure that your network is protected, the firewall can now update the registered IP addresses in a dynamic address group-based policy in real time. For example, if you have a containerized environment for software delivery where workloads can scale up or down and start sending business-critical traffic in a matter of seconds, you can use dynamic address groups in policy to secure these workloads as soon as they begin passing traffic. As soon as the firewall receives a tag for a container's source IP address, it can compile the associated dynamic address groups and allow or block traffic based on your Security policy rules in real time. Similarly, if an IoT device or user device joins the network, the firewall can update dynamic address groups and enforce policy in real time to secure the traffic from the device. Additionally, to support the large number of IP addresses generated by IoT devices, virtual machines, and containers, some firewall models now support a higher capacity for registering IP addresses. (See Use Dynamic Address Groups in Policy for the registered IP address capacity of each firewall model.)

IP-Tag Log

It is now easier to view the IP address-to-tag mapping with the addition of the IP-tag log on the firewall web interface. This log displays the time when a source IP address is registered or unregistered with the firewall and what tags are associated with that IP address, along with the source from which the firewall learned the IP address-to-tag mapping information.
Additionally, you can generate custom reports based on IP-tag logs or forward IP-tag logs to Panorama, Log Collectors, and external services.
Due to the large number of IP-tag logs generated by the firewall, we do not recommend forwarding the logs to an external service using email or SNMP.
| Column | Description |
|---|---|
| Receive Time | The time that the event was logged on the firewall. |
| Virtual System | The virtual system (vsys) to which the tag is registered. |
| Source IP Address | The IP address on which a tag was applied or removed. |
| Tag | The tag that was applied or removed. |
| Event | The type of event that occurred. Possible values are register and unregister. |
| Timeout | The amount of time, in minutes, that elapses before the tag is unregistered automatically. |
| Source Name | The source of the IP address-to-tag mapping information. Possible source names are XML API, AGENT, and HA. See Register IP Addresses and Tags Dynamically for more information about the IP address-to-tag mapping sources. |
| Source Type | The type of source that provided the IP address-to-tag mapping information. Possible source types are unknown, xml-api, ha, and vm-monitor. |

IP-Tag Timeout

Auto-tagging allows the firewall to tag the source or destination IP address when a log is generated on the firewall and establish an IP address-to-tag mapping. The firewall can now automatically remove a tag associated with an IP address, so you no longer need to take an explicit action to remove a tag. You can configure a timeout as part of a built-in action for a log forwarding profile or as part of the log forwarding settings (Device > Log Settings). Configure the timeout, in minutes, from zero (0) minutes to 30 days (43,200 minutes). If you set the timeout to zero (0), the IP address-to-tag mapping does not time out and must be removed with an explicit action.
  1. Log in to the firewall web interface.
  2. Select Objects > Log Forwarding.
  3. Select an existing Log Forwarding Profile or Add a new one.
  4. Click Add.
  5. Under Built-in Actions, click Add.
  6. Configure an Action.
     1. Enter a descriptive Name.
     2. Select Source Address or Destination Address from the Target drop-down.
     3. Select Add Tag as the Action. IP-tag timeout does not work with the Remove Tag action.
     4. (New in PAN-OS 9.0) Select whether to register the IP address-to-tag mapping to the Local User-ID agent on the firewall or Panorama or to a Remote User-ID agent.
     5. Set the Timeout in minutes.
     6. Select the Tags to apply or remove from the target IP address.
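To see how the register, unregister, and timeout values recorded in the IP-tag log combine into the set of addresses a dynamic address group holds at a given moment, here is an added Python example (not PAN-OS code; the CSV layout and the sample entries are constructed for illustration) that replays such entries and expires timed-out tags:

```python
from datetime import datetime, timedelta

# Constructed sample IP-tag log (not real firewall output), one entry per line in the
# column order of the IP-tag log: receive time, virtual system, source IP address, tag,
# event, timeout in minutes (0 = never expires), source name, source type.
SAMPLE_LOG = """\
2019-03-01 10:00:00,vsys1,10.1.1.5,prod-web,register,0,XML API,xml-api
2019-03-01 10:00:30,vsys1,10.1.1.9,prod-web,register,5,AGENT,vm-monitor
2019-03-01 10:01:00,vsys1,10.1.1.7,quarantine,register,30,XML API,xml-api
2019-03-01 10:02:00,vsys1,10.1.1.5,prod-web,unregister,0,XML API,xml-api
"""


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_ip_tag_log(text):
    """Parse the constructed CSV form above into a list of event dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vsys, ip, tag, event, timeout, src_name, src_type = line.split(",")
        entries.append({"time": parse_time(ts), "vsys": vsys, "ip": ip, "tag": tag,
                        "event": event, "timeout": int(timeout),
                        "source_name": src_name, "source_type": src_type})
    return entries


def current_mappings(entries, now):
    """Replay register/unregister events up to `now` (a timestamp string) and drop
    tags whose timeout has elapsed. Returns {ip: set_of_tags} as held at `now`."""
    now = parse_time(now)
    expiry = {}  # (ip, tag) -> expiry datetime, or None when timeout is 0 (never)
    for e in sorted(entries, key=lambda e: e["time"]):
        if e["time"] > now:
            break
        key = (e["ip"], e["tag"])
        if e["event"] == "register":
            expiry[key] = None if e["timeout"] == 0 else e["time"] + timedelta(minutes=e["timeout"])
        elif e["event"] == "unregister":
            expiry.pop(key, None)  # explicit removal, regardless of timeout
    mapping = {}
    for (ip, tag), until in expiry.items():
        if until is None or until > now:
            mapping.setdefault(ip, set()).add(tag)
    return mapping


def dag_members(mapping, required_tags):
    """IPs that a dynamic address group matching on all of `required_tags` would contain."""
    return sorted(ip for ip, tags in mapping.items() if set(required_tags) <= tags)
```

Replaying the log this way is a quick check when a workload unexpectedly stops matching a policy: compare the membership you expect for the group with the tags the firewall still holds at that time.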
