
How to Configure Color Coded Tags

PAN-OS 6.0, 6.1

Overview
Color coded tags were introduced in PAN-OS 6.0. They allow many types of objects to be categorized so that
they are visually distinguishable. Administrators can easily determine whether a policy was created correctly by
scanning it and confirming that the color coding of its objects follows their desired scheme.

Details
On the Device/Panorama GUI, navigate to the Objects tab. As shown below, the objects tree panel on the left
side has a new tree node called "Tags" for color coded tags administration.

A tag object has three fields:

Name
Color
Comments

The Name cannot contain a comma (,) since it is used as a separation character when assigning tags.
The Color value of the tag object can be selected from a color palette of 16 predefined colors. The default
value is "None," which is no color.

Generated on 2015-03-22-07:00

The selection of a color is not required when creating a tag.

The following objects in the Palo Alto Networks Device/Panorama can be used with the new tag attribute:
Objects > Address
Objects > Address Groups
Objects > Services
Objects > Service Groups
Network > Zones
Note: When using Tags and Zones the drop down must be used instead of a generic name because
the Tag is not selectable while editing the Zone.

Policies already have tags, and they will now use the new tag object. The objects listed above all have a
new tag column in their top-level grid. Only the first tag in an object may have color.

During the Add/Edit of any of the above objects the tags attribute can be specified, as shown below:


Tags can be selected from existing tags, and tag completion is case-insensitive. If the administrator adds a
new tag, it is added as a tag object after clicking OK. The user can select a tag as the "colored tag" for an
object while in the object/rule editor. The "colored tag" is saved as the first tag after clicking OK.

From policy tables, the user will see rule tags. Only the first tag in a rule may have color.

The following is an example of Security Rulebase with no color tags used:


The following is an example of a Security Rulebase with color tags used for Zones and inside of the objects:

Notice that the use of Color Tags makes the policy much easier to read.

Additional Details
Tag name length is limited to 127 characters.
Only 16 colors are available; custom colors cannot be created.
Multiple tags can use the same color.
If an item has multiple tags with different colors, the color of the first tag is displayed, so order
matters.
The configuration shows in the CLI as color# (1-16). For example: set tag test1 color color4
Panorama can push tag color configurations. If a pushed tag conflicts with an existing tag on the firewall,
then the device config should take priority.
Likewise, if there is a conflict between a shared object and a VSYS-specific object, then the VSYS object
takes precedence.
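
The rules listed above, as an added example that is not part of the original document: a Python sketch that checks tag definitions against the stated limits, renders the CLI form shown above, and works out which color an object displays. The function names and sample dictionaries are constructed for illustration, and treating an uncolored first tag as "no color displayed" is an assumption based on "Only the first tag in an object may have color."

```python
import re

MAX_NAME_LEN = 127                                # tag name length limit from the page
COLOR_RE = re.compile(r"color([1-9]|1[0-6])")     # CLI values color1..color16

def validate_tag(name, color=None):
    """Return a list of problems for one tag definition (empty list = valid)."""
    problems = []
    if not name:
        problems.append("empty name")
    if "," in name:
        problems.append("name contains a comma (the tag separator)")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name is {len(name)} characters, limit is {MAX_NAME_LEN}")
    if color is not None and not COLOR_RE.fullmatch(color):
        problems.append(f"color {color!r} is not one of color1..color16")
    return problems

def cli_line(name, color):
    """Render the CLI form shown on the page: set tag <name> color colorN.
    Names containing whitespace are not handled in this example."""
    if color is None or validate_tag(name, color):
        raise ValueError(f"cannot render tag {name!r} with color {color!r}")
    return f"set tag {name} color {color}"

def displayed_color(object_tags, vsys_tags, shared_tags):
    """Color shown for an object: the color of its first tag only.
    A VSYS definition of that tag takes precedence over a shared one."""
    if not object_tags:
        return None
    first = object_tags[0]
    if first in vsys_tags:
        return vsys_tags[first]
    return shared_tags.get(first)

# Constructed sample definitions: tag name -> color (None means "None" in the GUI)
SHARED = {"dmz": "color4", "prod": "color1"}
VSYS1 = {"dmz": "color7", "legacy": None}

if __name__ == "__main__":
    print(cli_line("test1", "color4"))
    print(displayed_color(["dmz", "prod"], VSYS1, SHARED))   # VSYS wins for "dmz"
    print(displayed_color(["prod", "dmz"], VSYS1, SHARED))   # order changes the result
    print(validate_tag("web,db", "color17"))
```
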

Logging
Configuration logs are generated for add/edit/delete of tag objects and setting of tags to other objects.

Feature Interaction with infrastructure components:


High-availability - Tag configuration will be synced, similar to the other object configurations
Virtual system - Tag administration and tag assignment can be done per VSYS
Panorama - Tag administration and tag assignment is available on Panorama

Panorama
The specified objects and zones in Network templates will have configuration for tags. The tag configuration
will be pushed to the device groups and devices along with the objects and device templates. If it conflicts
with an existing tag on the firewall, then the device config should take priority. In the Network template on
Panorama, zones can have tags specified, but no completion (drop down) is available. Users can only type tag
names.

Tags can belong to a VSYS or be shared in a device and a device group, or be shared in Panorama.

owner: jdelio
