PAN Firewall Config for Dynamic Address Groups

A dynamic address group populates its members dynamically using tag-based filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure where changes in virtual machine location/IP address are frequent. For example, you have a sophisticated failover setup or provision new virtual machines frequently and would like to apply policy to traffic from or to the new machine without modifying the configuration/rules on the firewall.

Create appropriate policies in the firewall to allow or deny IP addresses. A policy requires an existing address group object as part of the policy creation process. Let’s create two Dynamic Address Groups for allowing and denying hosts access to the firewall.

  1. Log in to the PAN Firewall.

  2. Create the two Dynamic Address Groups that will hold the hosts you wish to either allow or deny. First create the allow group. Navigate to Objects > Address Groups and click Add at the bottom of the screen.

  • Give the Address Group a comprehensible name, such as DynamicAllow. Set the Type to Dynamic. To add match criteria, you can either click Add Match Criteria and select existing static Tags for the group to match on (you can create these under Objects > Tags), or you can type the criteria in manually, putting single quotes around each criterion and separating criteria with the terms and or or. Enter ‘allow’ for the match criteria. Click OK.

  3. Now create the deny group. Navigate to Objects > Address Groups and click Add at the bottom of the screen.

  • Give the Address Group a comprehensible name, such as DynamicDeny. Set the Type to Dynamic. To add match criteria, you can either click Add Match Criteria and select existing static Tags for the group to match on (you can create these under Objects > Tags), or you can type the criteria in manually, putting single quotes around each criterion and separating criteria with the terms and or or. Enter ‘deny’ for the match criteria. Click OK.

  4. Create one Security policy for each of the Dynamic Address Groups you just created so that the firewall knows how to handle inbound hosts. First create the policy that will allow Infoblox hosts. Navigate to Policies > Security and click Add at the bottom of the screen.

  • Under the General tab, name the policy.

  • Under the Source tab, check the Any box above the SOURCE ZONE and SOURCE ADDRESS areas. Select any from the dropdown above the SOURCE USER and SOURCE DEVICE areas.

  • Under the Destination tab, select any from the dropdown above the DESTINATION ZONE and DESTINATION DEVICE areas. Click the Add button under the DESTINATION ADDRESS area and select the DynamicAllow Address Group created earlier for allowed hosts.

  • Under the Actions tab, in the Action Setting section, set Action to Allow. Click OK.

  5. Now create the policy that will deny Infoblox hosts. Navigate to Policies > Security and click Add at the bottom of the screen.

  • Under the General tab, name the policy.

  • Under the Source tab, check the Any box above the SOURCE ZONE and SOURCE ADDRESS areas. Select any from the dropdown above the SOURCE USER and SOURCE DEVICE areas.

  • Under the Destination tab, select any from the dropdown above the DESTINATION ZONE and DESTINATION DEVICE areas. Click the Add button under the DESTINATION ADDRESS area and select the DynamicDeny Address Group created earlier for denied hosts.

  • Under the Actions tab, in the Action Setting section, set Action to Deny. Click OK.

  6. Click Commit in the upper right corner of the screen. This activates the newly created Addresses, Address Groups and Policies in the running configuration of the firewall.
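The procedure above defines the groups and the policies, but the groups only gain members once an IP address is registered on the firewall with a matching tag. The following added example (mine, not Infoblox's or Palo Alto Networks' code) shows the two halves of that mechanism offline: building the PAN-OS XML API "user-id" register payload that attaches a tag such as ‘allow’ to an IP (the element layout is assumed from the XML API documentation as I know it; confirm it against your PAN-OS version, and nothing here is sent over the network), and evaluating a match criterion written the way steps 2 and 3 describe ('allow', 'allow' and 'prod', ...) against the tags on an IP so you can predict group membership before committing. The evaluator assumes that and binds tighter than or and that parentheses are permitted; the group names and sample IPs are the ones from the procedure plus constructed values.

```python
"""Added example: tag registration payload and match-criteria evaluation for
PAN-OS dynamic address groups.  Not vendor code; see lead-in for assumptions."""
import re
import xml.etree.ElementTree as ET


def build_register_message(ip_to_tags):
    """Return a <uid-message> that registers the given tags on each IP.
    Layout assumed from the PAN-OS XML API docs (type=user-id)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip, tags in ip_to_tags.items():
        tag_el = ET.SubElement(ET.SubElement(register, "entry", ip=ip), "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_register_message(xml_text):
    """Inverse of build_register_message: {ip: set(tags)} from a <uid-message>."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): {m.text for m in e.iter("member")} for e in root.iter("entry")}


# Tokens of a match criterion: a single-quoted tag, the operators and/or,
# a parenthesis, or (an error) any other non-space character.
_TOKEN = re.compile(r"'([^']*)'|\b(and|or)\b|([()])|(\S)")


def tokenize(criteria):
    tokens = []
    for m in _TOKEN.finditer(criteria):
        if m.group(1) is not None:
            tokens.append(("tag", m.group(1)))
        elif m.group(2):
            tokens.append(("op", m.group(2)))
        elif m.group(3):
            tokens.append(("paren", m.group(3)))
        else:  # unquoted text: the page requires quotes around each criterion
            raise ValueError(f"unquoted text {m.group(4)!r} in {criteria!r}")
    return tokens


class _Parser:
    """expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'tag' | '(' expr ')'.  Precedence is an assumption."""

    def __init__(self, tokens, tags):
        self.toks, self.i, self.tags = tokens, 0, set(tags)

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self._peek() == ("op", "or"):
            self._take()
            value = self.term() or value  # always parse the right side
        return value

    def term(self):
        value = self.factor()
        while self._peek() == ("op", "and"):
            self._take()
            value = self.factor() and value
        return value

    def factor(self):
        kind, text = self._take()
        if kind == "tag":
            return text in self.tags
        if kind == "paren" and text == "(":
            inner = self.expr()
            if self._take() != ("paren", ")"):
                raise ValueError("missing ')'")
            return inner
        raise ValueError(f"unexpected token {text!r}")


def evaluate_match(criteria, tags):
    """True if an IP carrying `tags` belongs to a group with this match criterion."""
    parser = _Parser(tokenize(criteria), tags)
    result = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError("trailing tokens in criterion")
    return result


def group_members(groups, registrations):
    """{group name: sorted member IPs} given {name: criterion} and {ip: tags}."""
    return {name: sorted(ip for ip, tags in registrations.items() if evaluate_match(crit, tags))
            for name, crit in groups.items()}


# The two groups from the procedure, plus constructed sample registrations.
GROUPS = {"DynamicAllow": "'allow'", "DynamicDeny": "'deny'"}
SAMPLE_REGISTRATIONS = {              # constructed values, not real hosts
    "10.0.0.5": {"allow"},
    "10.0.0.9": {"deny"},
    "10.0.0.12": {"allow", "deny"},   # tagged both ways: lands in both groups
}

if __name__ == "__main__":
    print(build_register_message(SAMPLE_REGISTRATIONS))
    print(group_members(GROUPS, SAMPLE_REGISTRATIONS))
```

The sample deliberately includes a host tagged both ‘allow’ and ‘deny’: it becomes a member of both groups, and which policy applies to it is then decided purely by rule order, since the firewall evaluates Security policies top-down and stops at the first match. If deny is meant to win in that case, place the deny rule above the allow rule. Tag registrations themselves are not part of the committed configuration, so membership changes after the Commit in step 6 take effect without a further commit; only the groups and policies need one.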
