This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Dynamic Address Group (DAG) PAN-OS / DAGPusher prototype

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Dynamic Address Group (DAG) PAN-OS / DAGPusher prototype

danilo.souza
L4 Transporter

‎09-11-2018 10:41 AM

 

Hi guys,

 

I'm trying to use the the DAGPusher prototype but, unhappily, I'm dealing with some problems. May be some of you could help me with it.

 

My scenario:

 

I use a generic miner to extract IPv4 (/32) from a specific location (that is working). Then it is sent to the DAGPusher node (that is working). Now I want to push them to Firewall/Panorama (it is not working).

 

My configuration:

 

In my local DAGPusher prototype, I use the configuration showed in figure 1 (green arrow). You can see that I only set the "tag_prefix":"agencias" parameter.

 

The status tab (figure 3) in the node cloned from this prototype, I have the indicators been received. Fine! And the Handled_Device tab show the Firewall destination (figure 2). Although I have multiplus devices and manage all of them through Panorama I choose to test DAGPusher with only one of them, at first.

 

Monitoring the traffic log I can see that my MM VM is trying to communicate with the device, and this traffic is allowed.

 

In Panorama I created a shared DAG with only one match: 'agencias' (figure 3).

 

Status/Questions:

 

At this point my DAG is not populated. Through the CLI, using the command "show object registered-ip all" I got nothing.
Could you guys identify something wrong? The syntax and the tags I used are corrects?
The fact that I created a shared DAG in Panorama could be the problem? Can I populate a shared DAG only in one Firewall?

 

 

Thank you in advanced.
Best regards.

Preview file
41 KB
Preview file
38 KB
Preview file
13 KB
0 Likes Likes
16 REPLIES 16

danilo.souza
L4 Transporter
In response to xhoms

‎09-27-2018 06:52 AM

Hi @xhoms

 

I executed the procedure, but you explicited lines with a successful registration and unregistration IP. Wich logs should I observe to get the details of a failed attempt to register an IP?

 

Best regards.

0 Likes Likes

jmora
L1 Bithead
In response to danilo.souza

‎12-04-2020 01:42 AM - edited ‎12-04-2020 01:46 AM

The solution is to create "tags" that associate to the vsys under the address group. This is created in each vsys.

 

jmora_0-1607074750176.png

 

jmora_1-1607074806192.png

 

 

0 Likes Likes
  • 23804 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks