Using regex in defining a group address object

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Using regex in defining a group address object

L1 Bithead

I'm defining a new group address object which should include addresses of several different tags (e.g. "Tag_1", "Tag_2", etc.).

When trying to define the match field I cannot find a way to actually do that. I'm not sure it's even supported. Whatever pattern I use, no address object is assigned to the group.

I've tried patterns in the following style:

'Tag_.*', Tag_.*

and some more.

 

Does anyone know what's the correct syntax for that or whether it's supported?

 

Thanks

1 accepted solution

Accepted Solutions

You can use the CLI (and API) as well.  Here's the documentation for the CLI commands:

 - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/cli-commands-for-dynamic-ip-address...

 

Like the GUI, the CLI commands also use equal/not-equal and expect a single tag or list of tags.  In order to leverage a regular expression for your use-case, the regex would have to run "off-box" - and then you'd have to ingest that data into PAN-OS via API, Python, CLI, etc.  

 

I could see where this might be useful.  You may want to reach out to your Palo Alto Networks SE and file a feature request.  

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

single quotes and an operator (and, or)

 

eg: 'cloudflare' or 'google'

 

tags.png

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks.

My question though was whether I can use a regex for that. I understand that what you wrote is actually the only option?

You can use the CLI (and API) as well.  Here's the documentation for the CLI commands:

 - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/cli-commands-for-dynamic-ip-address...

 

Like the GUI, the CLI commands also use equal/not-equal and expect a single tag or list of tags.  In order to leverage a regular expression for your use-case, the regex would have to run "off-box" - and then you'd have to ingest that data into PAN-OS via API, Python, CLI, etc.  

 

I could see where this might be useful.  You may want to reach out to your Palo Alto Networks SE and file a feature request.  

Thank you.

 

I'll definitely try to have this implemented in the firewall. It is a very useful feature in our scenarios, given that we add new tags from time to time and prefer not to update the group address objects every time.

  • 1 accepted solution
  • 6630 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!