Using regex in defining a group address object

Reply
L1 Bithead

Using regex in defining a group address object

I'm defining a new group address object which should include addresses of several different tags (e.g. "Tag_1", "Tag_2", etc.).

When trying to define the match field I cannot find a way to actually do that. I'm not sure it's even supported. Whatever pattern I use, no address object is assigned to the group.

I've tried patterns in the following style:

'Tag_.*', Tag_.*

and some more.

 

Does anyone know what's the correct syntax for that or whether it's supported?

 

Thanks

Tags (1)

Accepted Solutions
Highlighted
L7 Applicator

Re: Using regex in defining a group address object

You can use the CLI (and API) as well.  Here's the documentation for the CLI commands:

 - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/cli-commands-for-dynamic-ip-address...

 

Like the GUI, the CLI commands also use equal/not-equal and expect a single tag or list of tags.  In order to leverage a regular expression for your use-case, the regex would have to run "off-box" - and then you'd have to ingest that data into PAN-OS via API, Python, CLI, etc.  

 

I could see where this might be useful.  You may want to reach out to your Palo Alto Networks SE and file a feature request.  

View solution in original post


All Replies
Highlighted
L7 Applicator

Re: Using regex in defining a group address object

single quotes and an operator (and, or)

 

eg: 'cloudflare' or 'google'

 

tags.png

reaper - PANgurus.com
I drink and I know things
Highlighted
L1 Bithead

Re: Using regex in defining a group address object

Thanks.

My question though was whether I can use a regex for that. I understand that what you wrote is actually the only option?

Highlighted
L7 Applicator

Re: Using regex in defining a group address object

You can use the CLI (and API) as well.  Here's the documentation for the CLI commands:

 - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/cli-commands-for-dynamic-ip-address...

 

Like the GUI, the CLI commands also use equal/not-equal and expect a single tag or list of tags.  In order to leverage a regular expression for your use-case, the regex would have to run "off-box" - and then you'd have to ingest that data into PAN-OS via API, Python, CLI, etc.  

 

I could see where this might be useful.  You may want to reach out to your Palo Alto Networks SE and file a feature request.  

View solution in original post

Highlighted
L1 Bithead

Re: Using regex in defining a group address object

Thank you.

 

I'll definitely try to have this implemented in the firewall. It is a very useful feature in our scenarios, given that we add new tags from time to time and prefer not to update the group address objects every time.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!