Implementing security policy is typically a static process, which means that any change in the security policy requires a configuration change on the firewall to update the security rules. PAN-OS can create dynamic security rules by using either static or dynamic tags and Dynamic Address Groups. The main benefits of Dynamic Address Groups are that they:
Allow quick adaptation to changes in an evolving environment
Minimize the configuration changes that require intervention of the firewall administrator
Automate deployment and provisioning of new endpoints
Policies with Dynamic Address Groups can also be used for threat prevention and containment purposes. This document presents various cases where the use of dynamic security policies leveraging Dynamic Address Groups is relevant.