Knowledge sharing: IP and user TAG Mappings redistribution for DAG / DUG

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Knowledge sharing: IP and user TAG Mappings redistribution for DAG / DUG

L6 Presenter

Hello to All,



I see a lot of questions about redistributing IP and user TAG Mappings from Panorama or a firewall to other firewalls. In version 10 this is possible but in older versions only the user id can be be redistributed and maybe a REST/XML API script is needed to take the mappings(tag and IP or user) from Panorama/Palo Alto and upload them to the other firewalls.



Palo Alto version 10 option:




Older versions:




I also found out that in 9.1 this is supported but it is not so well described:







Palo Alto provides articles how to use TAG for auto tagging IP address or user based on traffic or threat logs (Tutorial: Auto-tagging & DNS Sinkhole - YouTube) or to use AWS Tags or Azure Tags with their Panorama plugins  but another useful user case is when there is a SIEM solution like Splunk or ELK that has made a list of bad source IP addresses for those IP addresses to be blocked for some time as the attackers in many cases use infected user/customer devices so blocking the IP addresses without a timeout is not a good solution or making an automation to remove them after random time is difficult as every day new ip addresses could be uploaded to the blocking list that need to be blocked for example for a week and those IP addresses merge with the previous ones from the previous fay, so keeping tack is hard.



The solution could be done with Ansible and the Palo Alto Tags (Palo Alto Cortex XSOAR probably can also do it but I still have not worked with or a python script but I prefer Ansible) . The Palo Alto Tags have a timeout option when a dynamic Ip address is registered. The "panos_address" in Ansible can be used to create address objects and marked with a TAG that is then automatically added to the dynamic address group that is related to the TAG but as I mentioned this a static way of doing things so better use the "panos_registered_ip" Ansible module that allows you register dynamic ip addresses to a TAG and a related dynamic address group but compared the "panos_address" module in Ansible this can't be done on Panorama and send to the other firewalls, so this where redistribution is used as after Ansible registers the IP addresses to a TAG this firewall can redistribute the info to other firewalls or to the Panorama and then to the other firewalls.


Palo Alto Tag Timeout:


Real-Time Enforcement and Expanded Capacities for Dynamic Address Groups (




Configure Data Redistribution (




panos_address - Create address service object on PanOS devices — Ansible Documentation


Nice example for Ansible "panos_address" that can be used for "panos_registered_ip":


Automating & Scripting The Network with Ansible – Palo Alto: Create tag objects, and attach to netwo...


panos_registered_ip – Register IP addresses for use with dynamic address groups on PAN-OS devices — ...




The only think I couldn't find is an Ansbile module that can dynamically register username to tag to the firewall that is used for redistribution so Cortex XSOAR can be reviewed for those needs if it can do it.



Community Team Member

Hi @nikoolayy1 ,


Thanks for sharing your experience on the forum !


Cheers !


LIVEcommunity team member, CISSP
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L1 Bithead

Thanks for sharing!


I've also tested with v9.1.6 and pushed user>ip and user>tag mappings to panorama using XML API and confirmed they distribute to other firewalls.

Mapping goes Security policy > User DUG > User TAG > User-IP

Plan is to use policies with DUG (dynamic user groups) each with a tag via Panorama.

Each firewall will receive updates immediately in their polices using the seen IP address to resolve back to user and which group they are tagged in.

L3 Networker

Also a good note is that better use the Palo Alto external Windows-Based User-ID Agent than the internal one, because this will be less CPU intensive for the firewalls. Another good design is with all the remote work when the users connect to VPN gateway the VPN gateway to check the user and group membership with LDAP and then to redistribute the information to the other firewalls or to the Panorama or the Log collecters that will redistribute this to the other firewalls.




Don't forget that for Panorama to also know the user groups a master firewall device is needed:

L6 Presenter

I added an update to the article with a use case for ansible.

L5 Sessionator

Thanks for this post. Are you aware of any innate troubleshooting capabilities within Palo? 


If I write an XML API DUG mapping, but the push isn't successful, where does that data go? 


I am trying to bring PAN-AF back to life with Python3, and am running into many roadblocks trying to update the API calls. 

Help the community! Add tags and mark solutions please.

If you talk about debugging api calls then see:


For connecting:


API Authentication and Security (


Access the PAN-OS REST API (



To see how the API should look:


Explore the API (


PAN-OS XML API Error Codes (



With Palo Alto and python I am not so great (used netmiko and paramiko for some cisco router/switch config long time ago) this is why I like ansible

  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!