Networking Security: Statics vs. Dynamic Address Objects Groups in Palo Alto

Details

In PAN-OS, we can create address objects which can be further grouped into address groups. The most common method is to use a 'static' type address group. However, the 'dynamic' type address group allows for slight ease of management along with scalability.

Review the example below of a list of address objects:

Notice the tag on some objects. This will be relevant later.

Now, if we were to create a static address object, we'd choose the ones we want to add.

This is perfectly fine for use in policies, but imagine, having to manage hundreds (if not thousands) of address objects with constant additions/deletions etc.

Note: For every address object you add/remove, you would have to include/exclude that in each address group, where that address object would be used. This can become cumbersome quite easily and makes the configuration prone to (manual) errors.

This is where 'Dynamic' address groups can shine.

With the use of tags when defining the address objects, we can do a simple match criteria for creating an address group. This is much more flexible since any addition/deletion only requires the change on the address objects part. The groups can remain untouched!

Let's look at the following demonstration.

Using the same address objects list as before, we'll create a Dynamic address group.

Commit the changes and then click on 'more' to the entries in the group:

Only the objects with tags specified as 'Intranet' got included in this group

This is where the tags become useful. For this implementation of dynamic address group, make sure to create an address object (or groups too, if you wish to use group within another group) with one or more tags.