Statics vs. Dynamic Address Objects Groups

Statics vs. Dynamic Address Objects Groups

49899
Created On 09/25/18 17:39 PM - Last Modified 04/21/20 00:46 AM


Resolution


Details

In PAN-OS, we can create address objects which can be further grouped into address groups. The most common method is to use a 'static' type address group. However, the 'dynamic' type address group allows for slight ease of management along with scalability.

 

Review the example below of a list of address objects:

listofAlltheaddressobjects.JPGNotice the tag on some objects. This will be relevant later.

Now, if we were to create a static address object, we'd choose the ones we want to add. 

staticgroupobject.JPG

 

This is perfectly fine for use in policies, but imagine, having to manage hundreds (if not thousands) of address objects with constant additions/deletions etc.

 

Note: For every address object you add/remove, you would have to include/exclude that in each address group, where that address object would be used. This can become cumbersome quite easily and makes the configuration prone to (manual) errors.

 

This is where 'Dynamic' address groups can shine.

 

With the use of tags when defining the address objects, we can do a simple match criteria for creating an address group. This is much more flexible since any addition/deletion only requires the change on the address objects part. The groups can remain untouched!


Let's look at the following demonstration.

 

Using the same address objects list as before, we'll create a Dynamic address group.

dynamicgroupcreation.JPG

 

Commit the changes and then click on 'more' to the entries in the group:

dynamicaddressgroupentries.JPGOnly the objects with tags specified as 'Intranet' got included in this group

This is where the tags become useful. For this implementation of dynamic address group, make sure to create an address object (or groups too, if you wish to use group within another group) with one or more tags.

newaddObj.JPGYou can type in a new tag or choose an already created one using the drop-down option.

You can create tags on the fly, (see above image) or via Objects->Tags

TAGcreation.JPG

 

Moreover, we can have nested address groups with little to no additional overhead, other than adding/removing/editing the objects themselves.

 

Hopefully, this document helped you in making a smarter and more efficient configuration design.

 

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHgCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language