Configuration: IP Tag Collection
Automate cloud IP-Tag collection and distribution in Strata™ Cloud Manager to enable dynamic security policies for your cloud workloads.
Where Can I Use This?
  • NGFW
  • NGFW (Managed by Strata Cloud Manager)
  • Cloud NGFW
  • Strata Cloud Manager Essentials with Strata Logging Service
  • VM-Series Firewall Funded with Software NGFW Credits or Prisma AIRS AI Runtime Firewall
What Do I Need?
  • Network Administrator or Superuser role on the Customer Support Portal
IP-Tag Harvesting in Strata Cloud Manager (SCM) enables your firewalls to dynamically receive IP-to-Tag mapping information from cloud providers. This feature organizes cloud workload information into Dynamic Address Groups (DAGs) within your security policies. This allows you to create security policies based on logical tags rather than static IP addresses, ensuring your policies automatically adapt as cloud workloads scale. This approach eliminates the manual effort of updating security rules for constantly changing cloud environments.
SCM acts as the central management platform for configuring and orchestrating IP-Tag Harvesting. You onboard your cloud accounts, such as AWS, Azure, or GCP, to SCM. This onboarding process, either manual with credentials or automated via Terraform, establishes the necessary permissions for SCM to access cloud provider APIs and harvest IP-Tag data. You then define Distribution Profiles in SCM, specifying firewall dynamic address group membership and roles (contributor or receiver). Additionally, you can harvest IP tags from Zero Networks; this allows you to collect tags for integrated policy.
IP-Tag Distribution Profiles enable your security policies to dynamically adapt to scaling cloud workloads. Firewalls (VM-Series, Prisma AIRS Runtime Firewall, and Cloud NGFW) use these profiles to participate in IP-Tag distribution, defining their roles as contributors or receivers. This mechanism dynamically applies security policies to your cloud resources based on IP tags, adapting to ephemeral cloud environments.
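To make the mechanism concrete, here is an added illustration of how harvested IP-to-tag mappings turn into Dynamic Address Group membership that a rule can reference. It is example code written for this page, not Strata Cloud Manager or PAN-OS code: the `provider.tag.key.value` tag names, the sample mappings, and the `and`/`or`/`not` match grammar are all constructed assumptions, and the product's actual match syntax may differ.

```python
"""Added example: harvested IP-to-tag mappings driving Dynamic Address Groups.

Illustrative code, not Strata Cloud Manager or PAN-OS code. It assumes a
'provider.tag.<key>.<value>' tag naming scheme and a match grammar of quoted
tags combined with and/or/not and parentheses; both are assumptions.
"""
from __future__ import annotations

import re
from typing import Dict, Set, Tuple

# Constructed sample of what a harvester might return from a cloud account:
# IP address -> set of tags derived from the workload's cloud tags.
HARVESTED: Dict[str, Set[str]] = {
    "10.0.1.10": {"aws.tag.env.prod", "aws.tag.role.web"},
    "10.0.1.11": {"aws.tag.env.prod", "aws.tag.role.db"},
    "10.0.2.20": {"aws.tag.env.dev", "aws.tag.role.web"},
}

# Quoted tag names are matched first so an 'and' or 'or' inside a tag name
# is never mistaken for an operator.
_TOKEN = re.compile(r"'[^']*'|\(|\)|\band\b|\bor\b|\bnot\b")


class _Parser:
    """Recursive-descent parser; precedence from lowest to highest: or, and, not."""

    def __init__(self, expr: str) -> None:
        self.toks = _TOKEN.findall(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self) -> Tuple:
        tree = self._or()
        if self.peek() is not None:
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return tree

    def _or(self) -> Tuple:
        left = self._and()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self._and())
        return left

    def _and(self) -> Tuple:
        left = self._not()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self._not())
        return left

    def _not(self) -> Tuple:
        if self.peek() == "not":
            self.take()
            return ("not", self._not())
        return self._atom()

    def _atom(self) -> Tuple:
        tok = self.take()
        if tok == "(":
            inner = self._or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok is not None and tok.startswith("'"):
            return ("tag", tok.strip("'"))
        raise ValueError(f"unexpected token {tok!r}")


def _matches(node: Tuple, tags: Set[str]) -> bool:
    kind = node[0]
    if kind == "tag":
        return node[1] in tags
    if kind == "not":
        return not _matches(node[1], tags)
    if kind == "and":
        return _matches(node[1], tags) and _matches(node[2], tags)
    return _matches(node[1], tags) or _matches(node[2], tags)


def resolve_dag(match_expr: str, mappings: Dict[str, Set[str]]) -> Set[str]:
    """Return the IPs whose harvested tags satisfy the DAG match expression."""
    tree = _Parser(match_expr).parse()
    return {ip for ip, tags in mappings.items() if _matches(tree, tags)}


def rule_matches_source(src_ip: str, match_expr: str,
                        mappings: Dict[str, Set[str]]) -> bool:
    """A rule that references the DAG matches a source only through its tags,
    so a fresh harvest after a scale-out changes membership with no rule edit."""
    return src_ip in resolve_dag(match_expr, mappings)


if __name__ == "__main__":
    prod_web = "'aws.tag.env.prod' and 'aws.tag.role.web'"
    print(sorted(resolve_dag(prod_web, HARVESTED)))
    # A new prod web instance shows up on the next poll; the rule is unchanged.
    grown = dict(HARVESTED, **{"10.0.1.12": {"aws.tag.env.prod", "aws.tag.role.web"}})
    print(rule_matches_source("10.0.1.12", prod_web, grown))
```

The point to take from the example is the direction of dependency: the rule depends on tags, and the tags depend on the harvest, so policy correctness now rests on the tagging discipline in the cloud account and on the harvest actually running. Anyone who can set tags on a workload can influence which DAG it lands in, which is why the credentials and roles used for onboarding should be scoped to read-only inventory access and why tag write permissions in the cloud account deserve the same review as rule changes.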
You have two options to configure IP-Tag Collection—Terraform templates (recommended) or by manually entering the required information. Zero Networks integration does not support Terraform template configurations.

Terraform (Recommended)

Automate cloud IP-Tag collection and distribution in Strata™ Cloud Manager to enable dynamic security policies using Terraform templates.
This procedure guides you through connecting SCM to your cloud environment for IP-Tag collection using Terraform templates.
  1. Log in to SCM.
  2. Select Configuration > IP-Tag Collection.
  3. On the IP-Tag Collection page, select Add New Cloud Account.
  4. Select your cloud service provider.
  5. Select Connect via Terraform (Recommended).
  6. Enter a descriptive Name.
  7. Enter the information, depending on your cloud service provider:
    • AWS—Enter the Role Name associated with your AWS account.
    • Azure—Enter your Azure Tenant ID and Subscription ID.
    • GCP—Enter your GCP Project ID and Service Account.
  8. Click Next: Integrate Cloud Account to continue.
  9. Download your Terraform template.
    • If you are familiar with Terraform, click Download Terraform.
    • If you are new to Terraform, follow the Guided Steps.
  10. Click Save Configuration.
  11. Verify the cloud service provider account connection status. A successful connection ensures that SCM can communicate with your cloud environment and begin the tag discovery process.

Configure Tag Distribution

  1. Create a new Tag Distribution for your onboarded cloud account.
    1. On the IP-Tag Collection page, choose a successfully connected cloud account.
    2. Click + Distribute.
  2. Define the scope for tag collection. Specifying regions and VPCs ensures that only relevant IP-to-tag mappings are collected, optimizing performance and data relevance for your security policies.
    1. Enter a descriptive Name.
    2. Enter a Polling Interval in seconds.
    3. Select Regions and VPC (AWS only).
    4. Optional: For Azure deployments, select Fetch Service Tags. For more information about Azure service tags and Palo Alto Networks firewalls, see Attributes Monitored on Azure.
  3. Select Tag Destination folders containing the firewalls intended to receive the IP-to-tag mappings. Specify the target for tag distribution.
  4. Save the Tag Distribution configuration. Saving the distribution settings makes them active within SCM, preparing them for deployment to your firewalls.
  5. Push the configuration to your firewall.
    1. Navigate to Configuration > Push Config.
    2. Select the relevant Admin Scope and Folder.
    3. Select Push. This synchronizes the cloud integration and harvested IP-to-tag mappings from Strata Cloud Manager to your managed firewalls, enabling granular Layer 7 security policies based on real-time asset classifications.

AWS

Automate cloud IP-Tag collection and distribution in Strata™ Cloud Manager to enable dynamic security policies for your AWS workloads.
This procedure guides you through connecting SCM to your cloud environment for IP-Tag collection and configuring Tag Distribution.
  1. Log in to SCM.
  2. Select Configuration > IP-Tag Collection.
  3. Onboard a cloud service provider account using manual credentials. This connects SCM to your public cloud environment, allowing SCM to discover and collect IP-Tag mappings.
    1. On the IP-Tag Collection page, select Add New Cloud Account.
    2. Select your cloud service provider.
    3. Select the Connect via Enter Credentials Manually option.
    4. Enter a descriptive Name.
    5. Enter your AWS Access Key ID, Secret Access Key, and confirm the Secret Access Key.
    6. Optional: Enter Role ARN Name and Role ARN Value. Click Open CFT to open the CloudFormation templates for more information about configuring the Role ARN. See IAM Roles and Permissions for Panorama in the VM-Series Deployment Guide for an example and more information.
    7. Optional: Select a region from the Regions drop-down.
  4. Click Save Configuration.
  5. Verify the cloud service provider account connection status. A successful connection ensures that SCM can communicate with your cloud environment and begin the tag discovery process.

Configure Tag Distribution

  1. Create a new Tag Distribution for your onboarded AWS account.
    1. On the IP-Tag Collection page, choose a successfully connected cloud account.
    2. Click + Distribute.
  2. Define the scope for tag collection. Specifying regions and VPCs ensures that only relevant IP-to-tag mappings are collected, optimizing performance and data relevance for your security policies.
    1. Enter a descriptive Name.
    2. Enter a Polling Interval in seconds.
    3. Select Regions and VPC.
  3. Select Tag Destination folders containing the firewalls intended to receive the IP-to-tag mappings. Specify the target for tag distribution.
  4. Save the Tag Distribution configuration. Saving the distribution settings makes them active within SCM, preparing them for deployment to your firewalls.
  5. Push the configuration to your firewall.
    1. Navigate to Configuration > Push Config.
    2. Select the relevant Admin Scope and Folder.
    3. Select Push. This synchronizes the AWS integration and harvested IP-to-tag mappings from Strata Cloud Manager to your managed firewalls, enabling granular Layer 7 security policies based on real-time asset classifications.

Azure

Automate cloud IP-Tag collection and distribution in Strata™ Cloud Manager to enable dynamic security policies for your Azure workloads.
This procedure guides you through connecting SCM to your cloud environment for IP-Tag collection and configuring Tag Distribution.
  1. Log in to SCM.
  2. Select Configuration > IP-Tag Collection.
  3. Onboard a cloud service provider account using manual credentials. This connects SCM to your public cloud environment, allowing SCM to discover and collect IP-Tag mappings.
    1. On the IP-Tag Collection page, select Add New Cloud Account.
    2. Select your cloud service provider.
    3. Select the Connect via Enter Credentials Manually option.
    4. Enter a descriptive Name.
    5. Enter your Azure Client ID and Client Secret.
    6. Enter your Azure Tenant ID and Subscription ID.
    7. Optional: Click Test Connection to verify the connection between SCM and your Azure environment.
  4. Click Save Configuration.
  5. Verify the cloud service provider account connection status. A successful connection ensures that SCM can communicate with your cloud environment and begin the tag discovery process.

Configure Tag Distribution

  1. Create a new Tag Distribution for your onboarded Azure account.
    1. On the IP-Tag Collection page, choose a successfully connected cloud account.
    2. Click + Distribute.
  2. Define the scope for tag collection. Specifying regions and VPCs ensures that only relevant IP-to-tag mappings are collected, optimizing performance and data relevance for your security policies.
    1. Enter a descriptive Name.
    2. Enter a Polling Interval in seconds.
    3. Select Regions.
    4. Optional: Select Fetch Service Tags. For more information about Azure service tags and Palo Alto Networks firewalls, see Attributes Monitored on Azure.
  3. Select Tag Destination folders containing the firewalls intended to receive the IP-to-tag mappings. Specify the target for tag distribution.
  4. Save the Tag Distribution configuration. Saving the distribution settings makes them active within SCM, preparing them for deployment to your firewalls.
  5. Push the configuration to your firewall.
    1. Navigate to Configuration > Push Config.
    2. Select the relevant Admin Scope and Folder.
    3. Select Push. This synchronizes the Azure integration and harvested IP-to-tag mappings from Strata Cloud Manager to your managed firewalls, enabling granular Layer 7 security policies based on real-time asset classifications.

GCP

Automate cloud IP-Tag collection and distribution in Strata™ Cloud Manager to enable dynamic security policies for your GCP workloads.
This procedure guides you through connecting SCM to your cloud environment for IP-Tag collection.
  1. Log in to SCM.
  2. Select Configuration > IP-Tag Collection.
  3. Onboard a cloud service provider account using manual credentials. This connects SCM to your public cloud environment, allowing SCM to discover and collect IP-Tag mappings.
    1. On the IP-Tag Collection page, select Add New Cloud Account.
    2. Select your cloud service provider.
    3. Select the Connect via Enter Credentials Manually option.
    4. Enter a descriptive Name.
    5. Upload your GCP service account JSON file.
    6. Optional: Click Test Connection to verify the connection between SCM and your GCP environment.
  4. Click Save Configuration.
  5. Verify the cloud service provider account connection status. A successful connection ensures that SCM can communicate with your cloud environment and begin the tag discovery process.

Configure Tag Distribution

  1. Create a new Tag Distribution for your onboarded GCP account.
    1. On the IP-Tag Collection page, choose a successfully connected cloud account.
    2. Click + Distribute.
  2. Define the scope for tag collection. Specifying regions and VPCs ensures that only relevant IP-to-tag mappings are collected, optimizing performance and data relevance for your security policies.
    1. Enter a descriptive Name.
    2. Enter a Polling Interval in seconds.
    3. Select Regions.
  3. Select Tag Destination folders containing the firewalls intended to receive the IP-to-tag mappings. Specify the target for tag distribution.
  4. Save the Tag Distribution configuration. Saving the distribution settings makes them active within SCM, preparing them for deployment to your firewalls.
  5. Push the configuration to your firewall.
    1. Navigate to Configuration > Push Config.
    2. Select the relevant Admin Scope and Folder.
    3. Select Push. This synchronizes the GCP integration and harvested IP-to-tag mappings from Strata Cloud Manager to your managed firewalls, enabling granular Layer 7 security policies based on real-time asset classifications.

Zero Networks

Automate cloud IP-Tag collection and distribution in Strata™ Cloud Manager to enable dynamic security policies using data from Zero Networks.
The Zero Networks integration with Strata Cloud Manager (SCM) enables SCM to acquire IP-to-tag mappings from the Zero Networks platform. This enhances network asset visibility and facilitates dynamic policy enforcement on your managed firewalls. This integration provides a unified solution for visualizing, segmenting, and securing lateral movement across your enterprise by combining SCM's management capabilities with Zero Networks' agentless microsegmentation.
SCM establishes a secure connection to the Zero Networks platform and periodically polls the Zero Networks platform to retrieve dynamically generated IP-to-tag mappings. These tags are based on attributes such as name, OS type, FQDN, and domain, from various Zero Networks groups including Active Directory (AD), Custom, System, Tags, OT/IoT, and ServiceNow.
The SCM Cloud IP Tag Service processes and stores this harvested IP-to-tag information. SCM then pushes these real-time IP-to-tag mappings to your managed firewalls as Dynamic Address Groups. Your firewalls leverage these Dynamic Address Groups to apply granular Layer 7 security policies, such as Advanced Threat Prevention and Advanced URL Filtering, based on the specific classification of network assets. These dynamic updates ensure your security policies remain current as assets are discovered or change behavior.
The Cloud IP-Tag Collector supports up to 15,000 members per profile for each Zero Networks account onboarded.
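The two operational facts stated here (the 15,000-member limit per profile, and that an expired token means no tags are pulled until it is renewed) are easy to miss in a running deployment, because nothing breaks visibly: the firewalls simply keep the last membership they received. The added example below, which is illustrative code and not SCM or Zero Networks code, models a collector cycle with those two limits and adds the staleness check a defender would want. The fetch function, the tag names, the token format, and the clock value are constructed for the example.

```python
"""Added example (illustrative; not SCM or Zero Networks code).

Models one collection cycle against a tag source that requires an API token,
enforcing the limits stated on the page: at most 15,000 members per profile
and a polling interval between 1 and 30 minutes. An expired token yields no
mappings, so Dynamic Address Group membership quietly stops changing; the
stale_after() check is the monitoring hook for that failure mode.
The fetch function, tag names, token format and clock are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

MAX_MEMBERS_PER_PROFILE = 15_000              # per-profile limit from the page
MIN_POLL_SECONDS, MAX_POLL_SECONDS = 60, 30 * 60   # 1 to 30 minutes, from the page
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed clock

# A record as the constructed source returns it: (ip, group, tag).
Record = Tuple[str, str, str]


@dataclass
class ApiToken:
    value: str
    expires_at: datetime

    def is_expired(self, now: datetime) -> bool:
        return now >= self.expires_at


@dataclass
class PollResult:
    status: str                      # "ok" or "token_expired"
    members: Dict[str, Set[str]]     # IP -> tags; empty when nothing was pulled
    dropped_ips: int = 0             # distinct IPs beyond the per-profile cap


def token_valid_for(seconds: int, now: datetime = SAMPLE_NOW) -> ApiToken:
    """Constructed token expiring `seconds` after `now` (negative = already expired)."""
    return ApiToken("constructed-token-value", now + timedelta(seconds=seconds))


def validate_polling_interval(seconds: int) -> int:
    if not MIN_POLL_SECONDS <= seconds <= MAX_POLL_SECONDS:
        raise ValueError(f"polling interval must be {MIN_POLL_SECONDS}-{MAX_POLL_SECONDS} s")
    return seconds


def poll_mappings(token: ApiToken, now: datetime,
                  fetch: Callable[[str], Iterable[Record]],
                  groups: Optional[Set[str]] = None,
                  cap: int = MAX_MEMBERS_PER_PROFILE) -> PollResult:
    """One collection cycle. An expired token pulls nothing at all."""
    if token.is_expired(now):
        return PollResult("token_expired", {})
    members: Dict[str, Set[str]] = {}
    dropped: Set[str] = set()
    for ip, group, tag in fetch(token.value):
        if groups is not None and group not in groups:
            continue                       # outside this profile's scope
        if ip not in members and len(members) >= cap:
            dropped.add(ip)                # over the per-profile member limit
            continue
        members.setdefault(ip, set()).add(tag)
    return PollResult("ok", members, len(dropped))


def stale_after(seconds_since_last_ok: float, interval_s: int,
                missed_polls: int = 3) -> bool:
    """True when several polling intervals have passed without a successful pull;
    with an expired token the firewalls silently keep the last good membership."""
    return seconds_since_last_ok > interval_s * missed_polls


def constructed_fetch(_token_value: str) -> Iterable[Record]:
    """Constructed source: 15,010 hosts with an OS tag; every 100th also in an AD group."""
    for i in range(15_010):
        ip = f"10.0.{(i >> 8) & 255}.{i & 255}"
        yield ip, "System", "zn.os.windows" if i % 2 else "zn.os.linux"
        if i % 100 == 0:
            yield ip, "AD", "zn.ad.group.domain-controllers"


if __name__ == "__main__":
    result = poll_mappings(token_valid_for(3600), SAMPLE_NOW, constructed_fetch)
    print(result.status, len(result.members), "members,", result.dropped_ips, "dropped")
    print(poll_mappings(token_valid_for(-1), SAMPLE_NOW, constructed_fetch).status)
    print("stale:", stale_after(31 * 60, validate_polling_interval(600)))
```

In practice the `dropped_ips` count and the `token_expired` status are the two values worth exporting to monitoring: the first tells you a profile has outgrown its limit and needs splitting by group, the second tells you the membership your rules are enforcing is frozen at the last successful poll.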
This procedure guides you through connecting SCM to your Zero Networks deployment.
  1. Log in to SCM.
  2. Select Configuration > IP-Tag Collection.
  3. Onboard a Zero Networks account using manual credentials. This connects SCM to your public cloud environment, allowing SCM to discover and collect IP-Tag mappings.
    1. On the IP-Tag Collection page, select Add New Cloud Account.
    2. Select Zero Networks and click Next: Configure Connection.
    3. Enter a descriptive Name for the connection configuration.
    4. Add your Zero Networks Token obtained from your Zero Networks portal.
      If your Zero Networks token expires, SCM pulls no tags until the expired token is renewed.
    5. Optional: Click Test Connection to verify that your token is valid.
  4. Click Save Configuration.
  5. Verify the cloud service provider account connection status. A successful connection ensures that SCM can communicate with your cloud environment and begin the tag discovery process.

Configure Tag Distribution

  1. Create a new Tag Distribution for your onboarded Zero Networks account.
    1. On the IP-Tag Collection page, choose a successfully connected cloud account.
    2. Click + Distribute.
  2. Define the scope for tag collection. Specifying regions and groups ensures that only relevant IP-to-tag mappings are collected, optimizing performance and data relevance for your security policies.
    1. Enter a descriptive Name.
    2. Enter a Polling Interval in seconds, between one and 30 minutes.
  3. Select Tag Destination folders containing the firewalls intended to receive the IP-to-tag mappings. Specify the target for tag distribution.
  4. Save the Tag Distribution configuration. Saving the distribution settings makes them active within SCM, preparing them for deployment to your firewalls.
  5. Push the configuration to your firewall.
    1. Navigate to Configuration > Push Config.
    2. Select the relevant Admin Scope and Folder.
    3. Select Push. This synchronizes the Zero Networks integration and harvested IP-to-tag mappings from Strata Cloud Manager to your managed firewalls, enabling granular Layer 7 security policies based on real-time asset classifications.