Tag Based Rule Groups

View your policy rulebase as tag groups.
Tags allow you to identify the purpose or function of a rule, and help you better organize your rulebase. PAN-OS 9.0 replaces the tag browser with the Tag Based Rule Groups, and introduces the ability to assign group tags to rules. After your rules are assigned to a tag group, you can view the rulebase as tag groups to visually group rules based on the tagging structure you created. When viewing the rulebase as tag groups, you can perform operational procedures such as adding, deleting or moving the rules in the selected tag group more easily. Viewing the rulebase as tag groups maintains the rule evaluation order. A single tag may appear multiple times throughout the rulebase in order to visually preserve the rule hierarchy.
In order to assign a group tag to a rule, you must first create the tag and assign it to a policy rule on upgrade to PAN-OS 9.0. Policy rules that are already tagged have the first tag automatically assigned as the Group tag. Before upgrading to PAN-OS 9.0, review the tagged rules in your rulebase to ensure rules are correctly grouped upon upgrade. You must manually edit each tag rule and configure the correct Group tag if your rules are grouped incorrectly once you upgrade to PAN-OS 9.0.
  1. Log in to the firewall web interface.
  2. Create the tags you want to use for grouping rules.
  3. Assign a policy rule to a tag group.
    1. Create a policy rule. Refer to Policy in the PAN-OS Admin Guide for more information on creating policy rules.
    2. In the Group Rules by Tag field, select the tag from the drop-down and click OK.
    3. Commit the changes.
  4. View your policy rulebase as groups.
    1. (Panorama only) From the Device Group drop-down, select the device group rulebase to view, or view all Shared rules.
    2. Click Policies and select the rulebase where you created the rules in Step 3.
    3. Check the View Rulebase as Groups box at the bottom.
      Rules not assigned a tag group display as None.
  5. Perform Group operations as needed.
    1. Click Group to perform group operations for rules in the selected tag group.
      • (Panorama only) Move rules in group to a different rulebase or device group—Move all policy rules in the selected tag group to the Pre-Rulebase or Post-Rulebase, or to a different device group.
      • Change group of all rules—Move all rules in the selected tag group to a different tag group.
      • Delete all rules in group—Delete all rules in the selected tag group.
      • Clone all rules in group—Clone all rules in the selected tag group.
    2. Commit the changes.

Related Documentation