Overview
In PAN-OS 6.0, tags can be associated with dynamic address groups. Using these tags, IP addresses can be
added to (and removed from) these groups dynamically. The dynamic groups can then be used in security
policies, for example as the source or destination address.
The dynamic address group is configured at Objects > Address Groups. Click "Add Match Criteria" and select
the tag created:
Generated on 2015-03-22-07:00
Working with Dynamic Address Groups on the Palo Alto Networks firewall
Steps
With the tags and dynamic addresses configured, IP addresses can be added and removed using the API.
Create the XML file that will be applied to the API call. The XML below shows examples for adding and
removing registered IP addresses.
Register IP Addresses
<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <register>
      <entry ip="1.1.1.1">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
      <entry ip="1.1.1.2">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
      <entry ip="1.1.1.3">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
    </register>
  </payload>
</uid-message>
De-register IP Addresses
<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <unregister>
      <entry ip="1.1.1.1">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
      <entry ip="1.1.1.2">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
      <entry ip="1.1.1.3">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
    </unregister>
  </payload>
</uid-message>
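The register and de-register payloads above differ only in the element under payload, so they can be generated from a list of addresses instead of being edited by hand. The following Python is an added example, not part of the original article: the function names build_uid_message and read_uid_message are hypothetical, and the sample addresses and tag are the ones used on this page. It validates each address and lets the XML library escape tag names, so a malformed address or a tag containing markup characters cannot produce a broken payload.

```python
import ipaddress
import xml.etree.ElementTree as ET


def build_uid_message(action, ip_tags):
    """Return a uid-message XML string (hypothetical helper, not a PAN-OS API).

    action  -- "register" or "unregister", the two payload elements shown above
    ip_tags -- dict mapping an IP address string to a list of tag names
    """
    if action not in ("register", "unregister"):
        raise ValueError("action must be 'register' or 'unregister'")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    block = ET.SubElement(ET.SubElement(root, "payload"), action)
    for ip, tags in ip_tags.items():
        addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        tags = [t.strip() for t in tags if t and t.strip()]
        if not tags:
            raise ValueError(f"no tag given for {ip}")
        entry = ET.SubElement(block, "entry", ip=str(addr))
        tag_el = ET.SubElement(entry, "tag")
        for t in tags:
            ET.SubElement(tag_el, "member").text = t  # ElementTree escapes <, > and &
    if hasattr(ET, "indent"):  # pretty-print where available (Python 3.9+)
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def read_uid_message(xml_text):
    """Parse a uid-message back into (action, {ip: [tags]}) for review before sending."""
    root = ET.fromstring(xml_text)
    block = root.find("payload")[0]  # the <register> or <unregister> element
    return block.tag, {e.get("ip"): [m.text for m in e.iter("member")] for e in block}


if __name__ == "__main__":
    # Constructed sample input: the addresses and tag used in this article.
    hosts = {ip: ["test_tag1"] for ip in ("1.1.1.1", "1.1.1.2", "1.1.1.3")}
    print(build_uid_message("register", hosts))
```

Redirecting the output to register.xml gives the file used in the next step.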
Send the register.xml file to the firewall. The following example was called from a Linux system and uses
register.xml as the xml filename. You can use either the WGET or the cURL method:
Note: The <API_KEY> needs to be generated beforehand. You can generate it using cURL:
curl -k "https://<IP_PAN>/api/?type=keygen&user=<your_user>&password=<your_password>"
To view registered IP addresses on the WebUI, navigate to Objects > Address Groups:
To view the registered IP addresses on the CLI on PAN-OS 6.0, use the show object registered-address all
command:
registered IP                            Tags
---------------------------------------- -----------------
1.1.1.1 #
                                         "test_tag1"
1.1.1.2 #
                                         "test_tag1"
1.1.1.3 #
                                         "test_tag1"
Note: To view the registered IP addresses on the CLI on PAN-OS 6.1, use the show object registered-ip all
command.
If you have multiple tags and want to see the IP addresses registered under one specific tag, use the
show object registered-address tag <your_tag> command:
Example:
registered IP                            Tags
---------------------------------------- -----------------
1.1.1.3 #
                                         "test_tag1"
1.1.1.2 #
                                         "test_tag1"
1.1.1.1 #
                                         "test_tag1"
Note: To view the registered IP addresses on the CLI on PAN-OS 6.1, use the show object registered-ip tag
<your_tag> command.
The following API call can be used to view all registered IPs in a browser:
https://<IP>/api/?key=<APIKEY>&type=op&cmd=<show><object><registered-address><all></all></registered-address></object></show>
On PAN-OS 6.0:
curl -k "https://<PAN_IP>/api/?type=op&cmd=<show><object><registered-address><all></all></registered-address></object></show>&key=<API_KEY>&client=curl"
On PAN-OS 6.1:
curl -k "https://<PAN_IP>/api/?type=op&cmd=<show><object><registered-ip><all></all></registered-ip></object></show>&key=<API_KEY>&client=curl"
owner: rvanderveken