Use Auto-Tagging to Automate Security Actions
Configure the firewall or Panorama to automatically tag policy objects and automate security actions.
Auto-tagging allows the firewall or Panorama to tag a policy object when it receives a log that matches specific criteria and establish IP address-to-tag or user-to-tag mapping. For example, when the firewall generates a threat log, you can configure the firewall to tag the source IP address or source user in the threat log with a specific tag name. You can then use these tags to automatically populate policy objects such as dynamic user groups or dynamic address groups, which can then be used to automate security actions in security, authentication, or decryption policies. For example, when you create a filter for the URL logs for
Credential Detectedcolumn, you can apply a tag to the user that enforces an authentication policy that requires user to authenticate using multi-factor authentication (MFA).
Dynamic user groups do not support auto-tagging from HIP Match logs.
Redistribute the mappings across your network by registering the IP address-to-tag and user-to-tag mappings to a PAN-OS integrated User-ID agent on the firewall or Panorama or to a remote User-ID agent using an HTTP server profile. The firewall can automatically remove (unregister) a tag associated with an IP address or user when you configure a timeout as part of a built-in action for a log forwarding profile or as part of log forwarding settings. For example, if the firewall detects a user has potentially compromised credentials, you could configure the firewall to require MFA authentication for that user for a given period of time, then configure a timeout to remove the user from the MFA requirement group.
- For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile.
- For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
- Define the match list criteria that determine when the firewall or Panorama adds the tag to the policy object.For example, you can use a filter to configure a threshold or define a value (such asuser eq “unknown”to identify users that the firewall has not yet mapped); when the firewall reaches that threshold or finds that value, the firewall adds the tag.
- To create a log forwarding profile,Addit and select theLog Typeyou want to monitor for match list criteria ().ObjectsLog Forwarding
- To configure log settings,Addthe log settings for the type of log you want to monitor for match list criteria ().DeviceLog Settings
- Copy and paste aFiltervalue or use theFilter Builderto define the match criteria for the tag.
- Add a built-in action to tag the policy object.
- AddtheBuilt-in Actionsyou want the firewall or Panorama to take when the logs contain an entry that meets the match list criteria.
- Namethe action.
- Select the type ofTargetthat you want to tag (Destination Address,Source Address,User, orX-Forwarded-For Address).
- Confirm thatAdd Tagis theAction.
- Select theRegistrationsource for the tag to determine how the firewall or Panorama redistributes the IP address-to-tag mapping.
- Local User-ID—Redistribute the IP address-to-tag mapping on the User-ID agent on the firewall or Panorama.
- Panorama User-ID—Redistribute the IP address-to-tag mapping on Panorama.
- Remote User-ID—Redistribute the IP address-to-tag mapping on another User-ID agent using an HTTP server profile. If you select this option, you must configure an HTTP server profile (see Step 5).
- Enter or select theTagsyou want to add to the policy object.You may need to click outside of the field or press Enter to enable theOKbutton.
- (Remote User-ID only) Configure an HTTP server profile to forward logs to a remote User-ID agent.
- Select.DeviceServer ProfilesHTTP
- Adda profile and specify aNamefor the server profile.
- (Virtual systems only) Select theLocation. The profile can beSharedacross all virtual systems or can belong to a specific virtual system.
- SelectTag Registrationto enable the firewall to register the IP address and tag mapping with the User-ID agent on a remote firewall. With tag registration enabled, you cannot specify the payload format.
- Addthe server connection details to access the remote User-ID agent and clickOK.
- Select the log forwarding profile you created then select this server profile as the HTTP server profile for yourRemote User-IDtagRegistration.
- Define the policy objects to which you want to apply the tags.
- Enter the tags you want to apply to the object as theMatchcriteria.Confirm that the tag is identical to the tag in Step 4.
- Add the tagged policy objects to your policy.This workflow uses a Security policy as an example, but you can also use tagged policy objects in Authentication policy.
- ClickAddand enter aNameand optionally aDescriptionfor the policy.
- Add theSource Zonewhere the traffic originates.
- Add theDestination Zonewhere the traffic terminates.
- Select theSourceobject you created in Step 5.1.
- Select whether the rule willAlloworDenythe traffic.
- If you configured a log forwarding profile, assign it to your Security policy.
- Commityour changes.
- (Optional) Configure a timeout to remove the tag from the policy object after the specified time has elapsed.Specify the amount of time (in minutes) that passes before the firewall removes the tag from the policy object. The range is from 0 to 43,200. If you set the timeout to zero, the IP address-to-tag mapping does not timeout and must be removed with an explicit action. If you set the timeout to the maximum of 43,200 minutes, the firewall removes the tag after 30 days.You cannot configure a Timeout with aRemove Tagaction.
- Select the log forwarding profile.
- Addor edit one of theBuilt-in Actions.
- Specify theTimeout(in minutes). When the specified time has elapsed, the firewall or Panorama removes the tag.Set the IP-tag timeout to the same amount of time as the DHCP lease timeout for that IP address. This allows the IP address-to-tag mapping to expire at the same time as the DHCP lease so that you do not unintentionally apply policy when the IP address is reassigned.
- ClickOKandCommityour changes.
Recommended For You
Recommended videos not found.