PAN Firewall Configuration for Static Address Groups

A static address group can include static address objects, dynamic address groups, or a combination of both.

Create appropriate policies in the firewall to allow or deny hosts. A policy requires an existing address group object as part of the policy creation process. Let’s create two Static Address Groups for allowing and denying hosts access to the firewall.

  1. Log in to the PAN Firewall.

  1. For a Static Address Group, you will need to create a dummy address to fill it with initially. Navigate to Objects > Addresses. Click Add at the bottom of the screen.

    1. Enter a name, such as the IP. Set the type to IP Netmask. Enter 10.0.0.0/24 for the IP address.

  1. Create the two Static Address Groups that will hold hosts you wish to either allow or deny firewall access. Let’s create the allowed group. Navigate to Objects > Address Groups. Click Add at the bottom of the screen.

    1. Give the Address Group a comprehensible name, such as Iblox_Host_Allow. Set the type to Static. Click Add and select the dummy address you just created. Click OK.

  1. Now create the deny group. Navigate to Objects > Address Groups. Click Add at the bottom of the screen.

    1. Give the Address Group a comprehensible name, such as Iblox_Host_Deny. Set the type to Static. Click Add and select the dummy address you just created. Click OK.

  1. Create one policy for each of the Static Address Groups we just created so that PAN knows how to handle inbound hosts. Let’s create a policy that will allow Infoblox hosts. Navigate to Policies > Security. Click Add at the bottom of the screen.

    1. Under the General tab, name the policy. 

  1. Under the Source tab, check the Any box above the SOURCE ZONE and SOURCE ADDRESS areas. Select any from the dropdown above the SOURCE USER and SOURCE DEVICE areas.

  1. Under the Destination tab, select any from the dropdown above the DESTINATION ZONE and DESTINATION DEVICE areas. Click the Add button under the DESTINATION ADDRESS area and select the Iblox_Host_Allow Address Group created earlier for allowed hosts. 

  1. Under the Actions tab, in the Action Setting section, set Action to Allow. Click OK.

  1. Let’s create a policy that will deny Infoblox hosts. Navigate to Policies > Security. Click Add at the bottom of the screen.

    1. Under the General tab, name the policy. 

  1. Under the Source tab, check the Any box above the SOURCE ZONE and SOURCE ADDRESS areas. Select any from the dropdown above the SOURCE USER and SOURCE DEVICE areas.

  1. Under the Destination tab, select any from the dropdown above the DESTINATION ZONE and DESTINATION DEVICE areas. Click the Add button under the DESTINATION ADDRESS area and select the Iblox_Host_Deny Address Group created earlier for denied hosts. 

  1. Under the Actions tab, in the Action Setting section, set Action to Deny. Click OK.

  1. Click Commit in the upper right corner of the screen. This will activate your newly created Address, Address Groups and Policies on the running configuration of the firewall.
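
To check the committed result, the following added example (not part of the original page and not vendor code) parses an exported configuration XML and reports where it deviates from the steps above. The sample XML is constructed, and the address and rule names in it are assumptions; the group names are the ones used in this procedure.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a PAN-OS configuration export, reduced to the
# objects this procedure creates. Address and rule names are assumptions.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address><entry name="10.0.0.0-24"><ip-netmask>10.0.0.0/24</ip-netmask></entry></address>
<address-group>
<entry name="Iblox_Host_Allow"><static><member>10.0.0.0-24</member></static></entry>
<entry name="Iblox_Host_Deny"><static><member>10.0.0.0-24</member></static></entry>
</address-group>
<rulebase><security><rules>
<entry name="Iblox-Allow"><destination><member>Iblox_Host_Allow</member></destination>
  <action>allow</action></entry>
<entry name="Iblox-Deny"><destination><member>any</member></destination>
  <action>deny</action></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

# Group name -> action of the rule that should reference it (from the steps above).
EXPECTED = {"Iblox_Host_Allow": "allow", "Iblox_Host_Deny": "deny"}


def audit(config_xml, expected=EXPECTED):
    """Return a list of findings where the config deviates from the procedure."""
    root = ET.fromstring(config_xml)
    findings = []
    groups = {g.get("name"): g for g in root.iterfind(".//address-group/entry")}
    rules = root.findall(".//rulebase/security/rules/entry")
    for group, action in expected.items():
        entry = groups.get(group)
        if entry is None:
            findings.append(f"{group}: address group missing")
            continue
        if entry.find("static") is None:
            findings.append(f"{group}: not a static group")
        # Rules whose DESTINATION ADDRESS lists this group.
        hits = [r for r in rules
                if group in [m.text for m in r.iterfind("destination/member")]]
        if not hits:
            findings.append(f"{group}: no security rule uses it as destination")
        for r in hits:
            got = r.findtext("action")
            if got != action:
                findings.append(
                    f"{group}: rule {r.get('name')} has action {got}, expected {action}")
    return findings
```

On the constructed sample, `audit(SAMPLE_CONFIG)` flags the deny rule, whose destination was left as `any` instead of the `Iblox_Host_Deny` group.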