Learn about automated tag-based security for cloud environments.
When you deploy workloads in cloud environments, those workloads frequently
scale up and down with changing demand. If you write firewall security policies
using static IP addresses, you must manually update those policies every time your
teams deploy new services or scale existing ones. This creates a gap between how
quickly your infrastructure changes and how quickly your security policies can
adapt, leading to either security risks from overly permissive rules or operational
problems from blocked legitimate traffic.
Automated Tag-based Security solves this problem by automatically
collecting tags from your cloud workloads and making them available to your
firewalls through Dynamic Address Groups. Instead of writing policies based on IP
addresses, you write policies based on workload identity using the same tags your
teams already apply in AWS, Azure, GCP, or Kubernetes. When workloads scale up or
down, your security policies continue to apply correctly without manual
intervention.
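The mechanism described above, as an added illustration that is not code from the product or its documentation: a small Python model of a Dynamic Address Group resolving its members from workload tags (the simplest all-tags-must-match form), plus a check of how far a rule pinned to static IP addresses drifts once autoscaling replaces instances. The tag names, IP addresses and inventory snapshots are constructed sample data.

```python
"""Model of Dynamic Address Group (DAG) resolution from workload tags.

Added illustration; workloads, tag names and addresses are constructed
sample data, not values from any real deployment or product API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    ip: str
    tags: frozenset  # e.g. {"aws.tag.app.web", "aws.tag.env.prod"}


def dag_members(match_criteria, workloads):
    """Resolve a DAG: members are the IPs of workloads carrying every tag
    in match_criteria (an AND match, the simplest DAG match form)."""
    required = frozenset(match_criteria)
    return frozenset(w.ip for w in workloads if required <= w.tags)


def static_rule_drift(static_ips, match_criteria, workloads):
    """Compare a rule pinned to static IPs with what the same intent
    resolves to now. Returns (stale, missing):
      stale   - IPs the rule still allows but that no longer run the
                workload (over-permissive: a security risk)
      missing - running workloads the rule does not cover (blocked traffic)"""
    current = dag_members(match_criteria, workloads)
    static = frozenset(static_ips)
    return static - current, current - static


# Constructed inventory: day-1 snapshot a static rule was written against.
DAY1 = [
    Workload("10.0.1.10", frozenset({"aws.tag.app.web", "aws.tag.env.prod"})),
    Workload("10.0.1.11", frozenset({"aws.tag.app.web", "aws.tag.env.prod"})),
    Workload("10.0.2.20", frozenset({"aws.tag.app.db", "aws.tag.env.prod"})),
]
# Day 2: autoscaling retired .11 and launched .12 and .13; db tier unchanged.
DAY2 = [
    Workload("10.0.1.10", frozenset({"aws.tag.app.web", "aws.tag.env.prod"})),
    Workload("10.0.1.12", frozenset({"aws.tag.app.web", "aws.tag.env.prod"})),
    Workload("10.0.1.13", frozenset({"aws.tag.app.web", "aws.tag.env.prod"})),
    Workload("10.0.2.20", frozenset({"aws.tag.app.db", "aws.tag.env.prod"})),
]
WEB_PROD = ("aws.tag.app.web", "aws.tag.env.prod")

if __name__ == "__main__":
    pinned = sorted(dag_members(WEB_PROD, DAY1))  # IPs a static rule froze
    stale, missing = static_rule_drift(pinned, WEB_PROD, DAY2)
    print("static rule still allows retired IP(s):", sorted(stale))
    print("static rule blocks new IP(s):", sorted(missing))
    print("DAG resolves today to:", sorted(dag_members(WEB_PROD, DAY2)))
```

The DAG resolution is recomputed from the current inventory on every call, so the tag-based policy needs no edit when instances change, while the pinned rule reports both a stale allowed address and two uncovered new ones.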
You connect your cloud provider accounts, create monitoring definitions
that specify which tags to collect, then configure which firewalls should receive
those tags. After you commit your changes, the system automatically begins
distributing tags to your firewalls. As new firewalls join folders with distribution
settings configured, they automatically begin receiving the appropriate tags without
manual configuration. Similarly, when firewalls leave those folders, the system
automatically removes the associated tags, ensuring your security policies remain
aligned with your current infrastructure.