Knowledge sharing: IP and user TAG Mappings redistribution for DAG / DUG

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Knowledge sharing: IP and user TAG Mappings redistribution for DAG / DUG

Cyber Elite
Cyber Elite

Hello to All,



I see a lot of questions about redistributing IP and user TAG Mappings from Panorama or a firewall to other firewalls. In version 10 this is possible but in older versions only the user id can be be redistributed and maybe a REST/XML API script is needed to take the mappings(tag and IP or user) from Panorama/Palo Alto and upload them to the other firewalls.



Palo Alto version 10 option:




Older versions:




I also found out that in 9.1 this is supported but it is not so well described:







Palo Alto provides articles how to use TAG for auto tagging IP address or user based on traffic or threat logs (Tutorial: Auto-tagging & DNS Sinkhole - YouTube) or to use AWS Tags or Azure Tags with their Panorama plugins  but another useful user case is when there is a SIEM solution like Splunk or ELK that has made a list of bad source IP addresses for those IP addresses to be blocked for some time as the attackers in many cases use infected user/customer devices so blocking the IP addresses without a timeout is not a good solution or making an automation to remove them after random time is difficult as every day new ip addresses could be uploaded to the blocking list that need to be blocked for example for a week and those IP addresses merge with the previous ones from the previous fay, so keeping tack is hard.



The solution could be done with Ansible and the Palo Alto Tags (Palo Alto Cortex XSOAR probably can also do it but I still have not worked with or a python script but I prefer Ansible) . The Palo Alto Tags have a timeout option when a dynamic Ip address is registered. The "panos_address" in Ansible can be used to create address objects and marked with a TAG that is then automatically added to the dynamic address group that is related to the TAG but as I mentioned this a static way of doing things so better use the "panos_registered_ip" Ansible module that allows you register dynamic ip addresses to a TAG and a related dynamic address group but compared the "panos_address" module in Ansible this can't be done on Panorama and send to the other firewalls, so this where redistribution is used as after Ansible registers the IP addresses to a TAG this firewall can redistribute the info to other firewalls or to the Panorama and then to the other firewalls.


Palo Alto Tag Timeout:


Real-Time Enforcement and Expanded Capacities for Dynamic Address Groups (




Configure Data Redistribution (




panos_address - Create address service object on PanOS devices — Ansible Documentation


Nice example for Ansible "panos_address" that can be used for "panos_registered_ip":


Automating & Scripting The Network with Ansible – Palo Alto: Create tag objects, and attach to netwo...


panos_registered_ip – Register IP addresses for use with dynamic address groups on PAN-OS devices — ...




The only think I couldn't find is an Ansbile module that can dynamically register username to tag to the firewall that is used for redistribution so Cortex XSOAR can be reviewed for those needs if it can do it.



Community Team Member

Hi @nikoolayy1 ,


Thanks for sharing your experience on the forum !


Cheers !


LIVEcommunity team member, CISSP
Don't forget to hit that Like button if a post is helpful to you!

L1 Bithead

Thanks for sharing!


I've also tested with v9.1.6 and pushed user>ip and user>tag mappings to panorama using XML API and confirmed they distribute to other firewalls.

Mapping goes Security policy > User DUG > User TAG > User-IP

Plan is to use policies with DUG (dynamic user groups) each with a tag via Panorama.

Each firewall will receive updates immediately in their polices using the seen IP address to resolve back to user and which group they are tagged in.

L3 Networker

Also a good note is that better use the Palo Alto external Windows-Based User-ID Agent than the internal one, because this will be less CPU intensive for the firewalls. Another good design is with all the remote work when the users connect to VPN gateway the VPN gateway to check the user and group membership with LDAP and then to redistribute the information to the other firewalls or to the Panorama or the Log collecters that will redistribute this to the other firewalls.




Don't forget that for Panorama to also know the user groups a master firewall device is needed:

Cyber Elite
Cyber Elite

I added an update to the article with a use case for ansible.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!