Static vs. Dynamic Address Object Groups

by ansharma on 04-06-2017 02:59 PM - edited on 04-07-2017 06:15 AM


In PAN-OS, we can create address objects, which can be further grouped into address groups. The most common method is to use a 'static' type address group. However, the 'dynamic' type address group is somewhat easier to manage and scales better.


Review the example below of a list of address objects:

Notice the tag on some objects. This will be relevant later.

Now, if we were to create a static address group, we'd choose the objects we want to add.



This is perfectly fine for use in policies, but imagine having to manage hundreds (if not thousands) of address objects with constant additions and deletions.


Note: For every address object you add or remove, you would have to include or exclude it in each address group where that address object is used. This quickly becomes cumbersome and makes the configuration prone to (manual) errors.


This is where 'Dynamic' address groups can shine.


By tagging the address objects when we define them, we can create an address group from a simple match criterion. This is much more flexible, since any addition or deletion only requires a change to the address objects. The groups can remain untouched!

Let's look at the following demonstration.


Using the same address objects list as before, we'll create a Dynamic address group.



Commit the changes and then click 'more' to see the entries in the group:

Only the objects tagged 'Intranet' were included in this group.

This is where the tags become useful. For this implementation of a dynamic address group, make sure to create each address object (or group, if you wish to use a group within another group) with one or more tags.

You can type in a new tag or choose an already created one using the drop-down option.

You can create tags on the fly (see above image) or via Objects->Tags.



Moreover, we can have nested address groups with little to no additional overhead, other than adding/removing/editing the objects themselves.
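
The following added example (not part of the original article) resolves a dynamic group's tag filter against a set of address objects and reports which tagged objects a hand-maintained static group has missed. The XML is a constructed, simplified fragment in the shape of a PAN-OS configuration; all object names, group names and addresses are made up. The `and`/`or` handling goes beyond the single-tag match shown above, and nested groups are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample (simplified PAN-OS-style config fragment, not from the article).
SAMPLE = """
<entry name="vsys1">
  <address>
    <entry name="hr-server"><ip-netmask>10.1.1.10/32</ip-netmask><tag><member>Intranet</member></tag></entry>
    <entry name="wiki"><ip-netmask>10.1.1.20/32</ip-netmask><tag><member>Intranet</member></tag></entry>
    <entry name="new-crm"><ip-netmask>10.1.1.30/32</ip-netmask><tag><member>Intranet</member></tag></entry>
    <entry name="partner-vpn"><ip-netmask>192.0.2.5/32</ip-netmask></entry>
  </address>
  <address-group>
    <entry name="intranet-static"><static><member>hr-server</member><member>wiki</member></static></entry>
    <entry name="intranet-dynamic"><dynamic><filter>'Intranet'</filter></dynamic></entry>
  </address-group>
</entry>
"""

def load(xml_text):
    """Return ({object: set(tags)}, {group: ('static', members) or ('dynamic', filter)})."""
    root = ET.fromstring(xml_text)
    objects = {e.get("name"): {m.text for m in e.findall("tag/member")}
               for e in root.findall("address/entry")}
    groups = {}
    for e in root.findall("address-group/entry"):
        flt = e.findtext("dynamic/filter")
        if flt is not None:
            groups[e.get("name")] = ("dynamic", flt)
        else:
            groups[e.get("name")] = ("static", {m.text for m in e.findall("static/member")})
    return objects, groups

def matches(filter_expr, tags):
    """Evaluate a flat filter: quoted tags joined by and/or (no parentheses or 'not')."""
    return any(all(t.strip().strip("'\"") in tags for t in clause.split(" and "))
               for clause in filter_expr.split(" or "))

def members(group, objects, groups):
    kind, value = groups[group]
    if kind == "static":
        return set(value)  # only what someone remembered to add by hand
    return {name for name, tags in objects.items() if matches(value, tags)}

def static_drift(static_group, dynamic_group, objects, groups):
    """Objects the tag filter selects but the hand-maintained static group lacks."""
    return members(dynamic_group, objects, groups) - members(static_group, objects, groups)

if __name__ == "__main__":
    objs, grps = load(SAMPLE)
    print(sorted(static_drift("intranet-static", "intranet-dynamic", objs, grps)))
```

In the sample, `new-crm` was tagged 'Intranet' but never added to the static group, so any policy that references the static group does not cover it, while the dynamic group picks it up without being edited.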


Hopefully, this document helped you in making a smarter and more efficient configuration design.


