
Working with Dynamic Address Groups on the Palo Alto Networks firewall

Overview
In PAN-OS 6.0, tags can be associated with dynamic address groups. Using these tags, IP addresses can be
added to (and removed from) these groups dynamically. The dynamic groups can then be used in security policies,
for example as the source or destination address.

A tag is configured by navigating to Objects > Tags:

The dynamic address group is configured at Objects > Address Groups. Click "Add Match Criteria" and select
the tag created:

Generated on 2015-03-22-07:00

Steps
With the tags and dynamic address groups configured, IP addresses can be added and removed using the API.

Create the XML file that will be sent with the API call. The XML below shows examples for adding and
removing registered IP addresses.

Register IP Addresses

<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <register>
      <entry ip="1.1.1.1">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
      <entry ip="1.1.1.2">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
      <entry ip="1.1.1.3">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
    </register>
  </payload>
</uid-message>

De-register IP Addresses

<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <unregister>
      <entry ip="1.1.1.1">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
      <entry ip="1.1.1.2">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
      <entry ip="1.1.1.3">
        <tag>
          <member>test_tag1</member>
        </tag>
      </entry>
    </unregister>
  </payload>
</uid-message>


Send the register.xml file to the firewall. The following example was run from a Linux system and uses
register.xml as the XML filename. You can use either the wget or the cURL method:

Using the wget method:

wget --no-check-certificate --post-file register.xml "https://<IP_PAN>/api/?type=user-id&action=set&key=<API_KEY>&file-name=register.xml&client=wget" --no-http-keep-alive

Using the cURL method:


curl -kF file=@register.xml "https://<IP_PAN>/api/?type=user-id&action=set&key=<API_KEY>&file-name=register.xml&client=curl"

Note: The <API_KEY> needs to be generated beforehand. You can generate it using cURL:

curl -k "https://<IP_PAN>/api/?type=keygen&user=<your_user>&password=<your_password>"

View Registered IP Addresses

To view registered IP addresses on the WebUI, navigate to Objects > Address Groups:


To view the registered IP addresses on the CLI on PAN-OS 6.0, use the show object registered-address all
command:

admin@pan> show object registered-address all

registered IP                            Tags
---------------------------------------- -----------------
1.1.1.1 #                                "test_tag1"
1.1.1.2 #                                "test_tag1"
1.1.1.3 #                                "test_tag1"

Total: 3 registered addresses

*: received from user-id agent  #: persistent

Note: To view the registered IP addresses on the CLI on PAN-OS 6.1, use the show object registered-ip all
command.

If you have multiple tags and want to see only the IP addresses registered with a specific tag, use the command show object
registered-address tag <your_tag>:

Example:

admin@pan> show object registered-address tag test_tag1

registered IP                            Tags
---------------------------------------- -----------------
1.1.1.3 #                                "test_tag1"
1.1.1.2 #                                "test_tag1"
1.1.1.1 #                                "test_tag1"

Total: 3 registered addresses

*: received from user-id agent  #: persistent

Note: To view the registered IP addresses on the CLI on PAN-OS 6.1, use the show object registered-ip tag
<your_tag> command.

Export List of Registered IPs

The following API call can be used to view all registered IPs in a browser:
https://<IP>/api/?key=<APIKEY>&type=op&cmd=<show><object><registered-address><all></all></registered-address></object></show>

Or using the wget or cURL methods:

On PAN-OS 6.0:

wget -O show.out --no-check-certificate "https://<PAN_IP>/api/?type=op&key=<API_KEY>&cmd=<show><object><registered-address><all></all></registered-address></object></show>"

curl -k "https://<PAN_IP>/api/?type=op&cmd=<show><object><registered-address><all></all></registered-address></object></show>&key=<API_KEY>&client=curl"

On PAN-OS 6.1:

wget -O show.out --no-check-certificate "https://<PAN_IP>/api/?type=op&key=<API_KEY>&cmd=<show><object><registered-ip><all></all></registered-ip></object></show>"

curl -k "https://<PAN_IP>/api/?type=op&cmd=<show><object><registered-ip><all></all></registered-ip></object></show>&key=<API_KEY>&client=curl"

owner: rvanderveken

