
Dynamic Address Objects

Tech Note
PAN-OS 5.0

Revision B 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com


Contents
Overview ..... 3
Use Case ..... 3
Configuration Details ..... 3
    Configuring a new Dynamic Address Object ..... 3
    Using a New Dynamic Address Object ..... 4
    XML API ..... 4
    CLI Commands ..... 6
Dynamic Address Objects Considerations ..... 6
Dynamic Address Objects Demonstration ..... 7
    Demonstration Topology ..... 7
    Initial State ..... 8
    First NFS Attempt ..... 8
    Update the Dynamic Address Object ..... 9
    Successful NFS Access ..... 9
Dynamic Address Objects via Panorama ..... 9
    Test Topology ..... 10
    Configuration Details ..... 10
    Recommendations ..... 11
Troubleshooting ..... 11
Revision History ..... 12

2012, Palo Alto Networks, Inc. [2]


Overview
In dynamic environments such as data centers, servers are brought up and down frequently as applications scale up and
down or move to different compute resources. In a virtual data center with virtual servers, these events occur even more
frequently. When PAN-OS is used to protect these servers, PAN-OS must be able to react quickly to server moves, adds, and
changes.

It is not practical to require a security policy update followed by a configuration commit every time there is a server change.
To solve this problem, PAN-OS 5.0 includes a new feature called Dynamic Address Objects. Dynamic Address Objects are a
new address object type that can be updated using the XML API. They can be referenced in security policies, and when
their membership changes, a configuration commit is not required.

Use Case
One example where Dynamic Address Objects are particularly useful is in a virtual data center. Sometimes zone based
security policies are not granular enough in a virtual data center and IP based policy is required. If a server moves within a
data center (or to a neighboring data center) and is located behind a new firewall, the new firewall will need an update to its
security policy. Using Dynamic Address Objects in this scenario will allow the firewall at the new location to continue to
provide security for the server without having to commit a configuration change.

Configuration Details
Configuring a new Dynamic Address Object
The new address object type Dynamic Address Object is listed with the other object types IP Netmask, IP Range, and
FQDN. To create a dynamic address object, go to the Objects tab and select Addresses on the left:

Select Add and give the dynamic address object a name. Under Type, choose Dynamic.

Give the new object an identifier. This identifier will be used in the XML call and must be unique.



Using a New Dynamic Address Object
You can reference a dynamic address object in the same manner as other address objects. For example, a security policy can
reference the dynamic address object as a source and/or destination address. In the following example the source address of
a security policy entry is a dynamic object:

It is important to note that IP addresses cannot be added to a dynamic address object in the WebUI or the CLI. IP addresses
cannot be removed from a dynamic address object using the WebUI. All IP addresses (in one or all Dynamic Address
Objects) can be removed using the CLI, but this cannot be done selectively.

The entries in a dynamic address object do not show up in the configuration, but they can be viewed using the CLI (see
the CLI Commands section below). Also, the entries of a dynamic address object will survive a reboot.

XML API
To add a new entry to a dynamic address object, use the following XML API syntax:



https://<IP>/api/?type=user-id&action=set&key=<KEY>=&file-name=<XMLFILE>

Where IP is the IP address of the firewall under management, KEY is the pre-generated key for the PAN-OS firewall and
XMLFILE is the name of the XML file with the needed additions and/or deletions for the dynamic address object.

For example, to use wget:

wget --no-check-certificate --post-file dynobj.xml "https://<MGMTIP>/api/?type=user-id&action=set&key=<KEY>=&file-name=<dynobj.xml>&client=wget" --no-http-keep-alive -O <output file>

The XML file must have the following format for adding new IP addresses to an existing object (the identifier and ip
attribute values are both quoted):

<uid-message>
    <version>1.0</version>
    <type>update</type>
    <payload>
        <register>
            <entry identifier="OBJECT ID" ip="IP"/>
        </register>
    </payload>
</uid-message>

Multiple additions can be made to the same object or to multiple objects in one API call by adding them to the same XML
file:

<uid-message>
    <version>1.0</version>
    <type>update</type>
    <payload>
        <register>
            <entry identifier="OBJECT ID 1" ip="IP1"/>
            <entry identifier="OBJECT ID 1" ip="IP2"/>
            <entry identifier="OBJECT ID 2" ip="IP3"/>
        </register>
    </payload>
</uid-message>

Removing an IP address from an object is similar:

<uid-message>
    <version>1.0</version>
    <type>update</type>
    <payload>
        <unregister>
            <entry identifier="OBJECT ID 1" ip="IP1"/>
            <entry identifier="OBJECT ID 1" ip="IP2"/>
            <entry identifier="OBJECT ID 2" ip="IP3"/>
        </unregister>
    </payload>
</uid-message>

IP addresses can be added and removed in the same call:



<uid-message>
    <version>1.0</version>
    <type>update</type>
    <payload>
        <register>
            <entry identifier="OBJECT ID 3" ip="IP4"/>
            <entry identifier="OBJECT ID 3" ip="IP5"/>
        </register>
        <unregister>
            <entry identifier="OBJECT ID 4" ip="IP6"/>
        </unregister>
    </payload>
</uid-message>

CLI Commands
To view the current contents of a dynamic object, use the following command:

warby@DEMO1> show object dynamic-address-object all

Dynamic address objects in vsys vsys1:
----------------------------------------------------
Dynamic NFS Clients
identifier: dyn-obj
15.0.0.63

Vsys-based instance of shared dynamic address objects in vsys vsys1

To remove all entries of all Dynamic Address Objects or for one dynamic address object:

warby@DEMO1> clear object dynamic-address-object
> all    Clear all dynamic address objects
> id     Clear a dynamic address object by id

The id above is the identifier that was created when the Dynamic Address Object was configured. When an object is
refreshed (new IPs are registered or old IPs are unregistered) you will see a new task called AddrObjRefresh:

warby@DEMO1> show jobs id 10

Enqueued             ID   Type            Status   Result   Completed
--------------------------------------------------------------------------
2012/11/05 11:34:37  10   AddrObjRefresh  FIN      OK       11:34:44
Warnings:
Details:

You can monitor the AddrObjRefresh task to see the completion status of a dynamic address object update.
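A small parser for the output of show object dynamic-address-object all, added here as an example (it is not part of this tech note or of PAN-OS). It turns the CLI listing into a dictionary, answers "is this IP registered to this identifier yet?", and polls for the answer, which matters because updates are applied at the end of the update cycle described under Considerations rather than immediately. The sample output is constructed from the format shown above; how the output is fetched from the firewall (SSH or the XML API op command) is left to the caller, and the assumption that every object block is introduced by a dashed separator line is taken from the sample.

```python
"""Parse 'show object dynamic-address-object all' output and verify membership.

Added example, not part of the tech note. SAMPLE_OUTPUT is constructed from
the format shown in the tech note; fetching live output is left to the caller.
"""
import ipaddress
import re
import time

# Constructed sample, shaped like the tech note's CLI output.
SAMPLE_OUTPUT = """\
Dynamic address objects in vsys vsys1:

----------------------------------------------------
Dynamic NFS Clients
identifier: dyn-obj
15.0.0.63

Vsys-based instance of shared dynamic address objects in vsys vsys1
"""

_SEPARATOR = re.compile(r"^-{10,}$")  # assumption: a dashed line precedes each object block


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_dynamic_objects(output):
    """Return {object name: {"identifier": str, "ips": [str, ...]}}.

    An object block with no IP lines (the empty initial state in the
    tech note's demonstration) is returned with an empty list.
    """
    objects = {}
    current = None
    expect_name = False
    for raw in output.splitlines():
        line = raw.strip()
        if _SEPARATOR.match(line):
            expect_name = True  # the next non-blank line is the object name
            current = None
            continue
        if not line:
            continue
        if expect_name:
            current = objects.setdefault(line, {"identifier": None, "ips": []})
            expect_name = False
            continue
        if current is None:
            continue  # header/footer text outside any object block
        if line.startswith("identifier:"):
            current["identifier"] = line.split(":", 1)[1].strip()
        elif _is_ip(line):
            current["ips"].append(line)
    return objects


def is_registered(output, identifier, ip):
    """True if 'ip' is currently a member of the object whose identifier is 'identifier'."""
    for obj in parse_dynamic_objects(output).values():
        if obj["identifier"] == identifier:
            return ip in obj["ips"]
    return False


def wait_until_registered(fetch, identifier, ip, timeout=120, interval=10, sleep=time.sleep):
    """Poll fetch() (which returns fresh CLI output) until the IP appears or timeout elapses.

    Changes are applied at the end of the update cycle, so a check made right
    after the API call is expected to fail; polling avoids a false alarm.
    """
    waited = 0
    while True:
        if is_registered(fetch(), identifier, ip):
            return True
        if waited >= timeout:
            return False
        sleep(interval)
        waited += interval


if __name__ == "__main__":
    print(parse_dynamic_objects(SAMPLE_OUTPUT))
    print(is_registered(SAMPLE_OUTPUT, "dyn-obj", "15.0.0.63"))
```

wait_until_registered takes the fetch and sleep callables as parameters so the same code can be driven by an SSH session in production and by canned output in a test.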

Dynamic Address Objects Considerations


As mentioned previously, the entries of a dynamic address object will survive a reboot. Each dynamic address object can
have 256 unique IP addresses associated with it. Dynamic address object updates are queued into 60-second intervals to
prevent excessive updates to the firewall. If multiple changes are requested via the API in a 60-second cycle, they will all
take place at the same time at the end of the cycle. This also means that changes to a dynamic address object will take up to
60 seconds to take effect.



Each dynamic address object counts as one object towards the platform's maximum objects threshold, regardless of how
many IP addresses are registered to that object. The maximum objects per platform and the maximum registered IP addresses
per platform (for 5.0.0) are detailed below:

Platform                Maximum Objects    Maximum Registered IP addresses
PA-5060                 80,000             25,000
PA-5050                 40,000             25,000
PA-5020                 10,000             25,000
PA-4060 and PA-4050     40,000             5,000
PA-4020                 10,000             5,000
PA-3050                 10,000             5,000
PA-3020                 5,000              5,000
PA-2050                 10,000             1,000
PA-2020                 5,000              1,000
PA-500                  2,500              1,000
PA-200                  2,500              1,000
VM-300                  5,000              1,000
VM-200                  2,500              1,000
VM-100                  2,500              1,000

Dynamic Address Objects Demonstration


The following screenshots are taken from a dynamic address objects demonstration. In this demo, a policy is in place that
uses a dynamic address object but the object is initially empty. An NFS client attempts to connect to an NFS server but fails
because the client IP address is not yet in the dynamic address object. The object is updated and the NFS connection is
repeated.

Demonstration Topology



Initial State
Initially, the firewall has an empty dynamic address object and a security profile based on this object:

warby@DEMO1> show object dynamic-address-object all

Dynamic address objects in vsys vsys1:
----------------------------------------------------
Dynamic NFS Clients
identifier: dyn-obj

Vsys-based instance of shared dynamic address objects in vsys vsys1

First NFS Attempt


Next, the NFS client (Server C) attempts to connect to the NFS server (Server A) prior to the addition of the client IP in the
dynamic address object:

warby@ServerC:~$ sudo mount -t nfs4 -o proto=tcp,port=2049 15.0.0.61:/ /mnt
mount.nfs4: Connection timed out

The attempt fails. There is a policy to allow it, but the policy requires the source address to match the NFS Clients address
object, and the IP for Server C (15.0.0.63) has not been registered yet.



Update the Dynamic Address Object
Next, the dynamic address object is updated to include the NFS client IP address:

wget --no-check-certificate --post-file dynobj.xml "https://10.5.124.51/api/?type=user-id&action=set&key=TeQDaFr2VW0JeKUWKRWUcpsC3W0l8vHEpzXQYuo8g=&file-name=<dynobj.xml>&client=wget" --no-http-keep-alive -O output

warby@DEMO1> show object dynamic-address-object all

Dynamic address objects in vsys vsys1:
----------------------------------------------------
Dynamic NFS Clients
identifier: dyn-obj
15.0.0.63

Vsys-based instance of shared dynamic address objects in vsys vsys1

Successful NFS Access


Finally, the NFS connection is attempted again:

warby@ServerC:~$ sudo mount -t nfs4 -o proto=tcp,port=2049 15.0.0.61:/ /mnt
warby@ServerC:~$ ll -h /mnt/share
total 106M
drwxrwxr-x 2 warby warby 4.0K 2012-05-16 12:33 ./
drwxrwxrwx 3 warby warby 4.0K 2012-05-10 14:42 ../
-rw-rw-r-- 1 warby warby 100M 2012-05-16 12:33 bigfile
-rw-r--r-- 1 warby warby 5.4M 2012-05-16 12:17 Shakespeare.txt

Now that the IP address for Server C is registered, the Allow NFS to server security rule applies and the traffic is allowed.

Dynamic Address Objects via Panorama


Dynamic Address Objects can be configured and pushed to the managed Devices via Panorama. Panorama pushes these
objects to the Devices via a Device Group commit. Once these objects are pushed to Devices, populating the dynamic objects
with IP addresses can be achieved via Panorama as well. When Panorama is used to populate dynamic objects on the
Device, Panorama acts as a proxy and forwards the request to the device. No commit is required from Panorama.

There are several advantages to this approach:

1) Single point of administration - Administrators do not have to access each individual device to configure and
populate these objects.

2) Simplified key management - If not using Panorama, allowing specific administrators the privilege to populate the
dynamic address objects on the devices first requires touching each firewall and then generating an authentication
key to authenticate with each firewall. Creating and managing these keys when the customer is managing many
firewalls can be a very time consuming and overwhelming task.

3) Less management overhead - There is no need to create and replicate administrator accounts across all the managed
firewalls to populate dynamic address objects.

4) Less risk of misconfigurations - Having one central administrator lowers the risk of misconfigurations.

Test Topology
In this topology, Panorama is configured at 10.2.133.50 and is managing Devices D1 and D2. We will configure dynamic
address objects under a device group in Panorama and push it to the Device D1. We will then use Panorama as proxy to
populate the dynamic address objects on the Device D1 with IP addresses using a wget script.

Configuration Details
Configure Dynamic address objects
Configure a new Dynamic Address Object in Panorama under the Objects tab. Select the object type Dynamic and give the
object an Identifier. This Identifier is used in the XML call; hence, it must be unique.

Populate Dynamic address objects


Use the XML API to populate Dynamic Address Objects on the Device via Panorama. Here are the steps involved.

https://<IP>/api/?type=user-id&action=set&key=<KEY>=&file-name=<XMLFILE>&target=<device_serial_no>

Where IP is the IP address of Panorama, KEY is the pre-generated key for the Panorama server, XMLFILE is the name
of the XML file that contains the Identifiers and their addresses, and target is the serial number of the Device. You can only
populate addresses to one device at a time.

The following wget command can be used to populate dynamic address objects with IP addresses on the firewall (device)
with serial number 0008C100105. The URL is quoted so that the shell does not interpret the ampersands in the query string:

/usr/bin/wget --no-check-certificate --post-file config.xml "https://10.2.133.50/api/?type=user-id&action=set&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&file-name=<config.xml>&client=wget&target=0008C100105" --no-http-keep-alive -O output

The moving parts of the wget command are explained in detail below.

config.xml - This is the name of the XML file that contains identifiers and their addresses. It is referenced twice.

10.2.133.50 - This is the Panorama server's IP. Replace this with your Panorama server's management IP address.

key= - Prior to using this script, you must generate an API key, which will be used for authenticating the API calls.



target= - The target firewall's (device's) serial number.

You can manage all the identifiers and addresses across all your Devices in one XML file. However, your script should have
a unique API call for each device that is being managed by Panorama. Each call will be same except the serial number field,
which is unique for every firewall.
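The XML API section above and the Panorama procedure just described are exercised together in the following example, which is added here and is not code from the tech note or from Palo Alto Networks. It builds the uid-message document with register and unregister sections, refuses a message that would exceed the 256 IP per-object limit or that contains a malformed address, composes the type/action/key/file-name URL the tech note documents (with the optional target parameter for Panorama), and produces one request per managed device, since Panorama populates only one target per call. The Panorama host name, API key and device serials in the main block are constructed placeholders; the send helper verifies the server certificate instead of skipping the check as the wget examples do.

```python
"""Build PAN-OS dynamic address object updates for the XML API.

Added example, not from the tech note or Palo Alto Networks. Host names,
API key and device serials used at the bottom are constructed placeholders;
the XML format and the type/action/key/file-name/target URL parameters
are the ones the tech note documents.
"""
import ipaddress
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

MAX_IPS_PER_OBJECT = 256  # per-object capacity stated in the tech note


def build_uid_message(register=None, unregister=None):
    """Return the <uid-message> XML string for a set of changes.

    register / unregister map an object identifier to its IP addresses.
    Every IP is validated, duplicates are dropped, and a message that would
    register more than 256 IPs to one object is refused.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for tag, changes in (("register", register or {}), ("unregister", unregister or {})):
        if not changes:
            continue
        section = ET.SubElement(payload, tag)
        for identifier, ips in changes.items():
            unique = list(dict.fromkeys(ips))
            if tag == "register" and len(unique) > MAX_IPS_PER_OBJECT:
                raise ValueError(f"{identifier}: {len(unique)} IPs exceed the {MAX_IPS_PER_OBJECT} limit")
            for ip in unique:
                ipaddress.ip_address(ip)  # raises ValueError on a malformed address
                ET.SubElement(section, "entry", identifier=identifier, ip=ip)
    return ET.tostring(root, encoding="unicode")


def build_api_url(host, api_key, file_name, target=None):
    """Compose the user-id/set URL; 'target' is the device serial when calling via Panorama."""
    params = {"type": "user-id", "action": "set", "key": api_key, "file-name": file_name}
    if target:
        params["target"] = target
    return f"https://{host}/api/?" + urllib.parse.urlencode(params)


def build_request(host, api_key, xml_body, file_name="dynobj.xml", target=None):
    """POST the XML document as the request body, as wget --post-file does."""
    url = build_api_url(host, api_key, file_name, target)
    return urllib.request.Request(url, data=xml_body.encode("utf-8"), method="POST")


def panorama_requests(panorama_host, api_key, per_device):
    """One request per device: Panorama populates only one target per call.

    per_device maps a device serial to a (register, unregister) pair.
    """
    return {serial: build_request(panorama_host, api_key, build_uid_message(reg, unreg), target=serial)
            for serial, (reg, unreg) in per_device.items()}


def send(request, cafile=None):
    """Send the request, verifying the server certificate against cafile or the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed placeholders; replace with your Panorama address, key and serials.
    reqs = panorama_requests("panorama.example.internal", "API_KEY_PLACEHOLDER", {
        "SERIAL-D1-PLACEHOLDER": ({"dyn-object1": ["10.5.1.10"]}, {}),
        "SERIAL-D2-PLACEHOLDER": ({"dyn-object2": ["10.5.1.11"]}, {}),
    })
    for serial, req in reqs.items():
        print(serial, req.full_url)
        print(req.data.decode("utf-8"))
```

Keeping one XML file per device, as panorama_requests does, also follows the Recommendations section below: every firewall receives the full set of object definitions, but each call populates only the objects relevant to that firewall.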

Recommendations
We recommend creating and pushing the Dynamic Address Objects across all the firewalls in your environment managed by
Panorama. However, populate only the objects that are relevant to a particular firewall. Since all the objects are going
to be available on the devices, it is necessary that you create these objects with unique identifiers.

Firewall    Dynamic Objects    Dynamic Objects with IP addresses
D1          dyn-object1        dyn-object1 : 10.5.1.10
            dyn-object2        dyn-object2 :
D2          dyn-object1        dyn-object1 :
            dyn-object2        dyn-object2 : 10.5.1.11

Troubleshooting
In addition to the show object dynamic-address-object all command, you can use the following commands to get more
information about the API calls:

debug user-id on debug
debug user-id set userid all
tail follow yes mp-log useridd.log

Below is a sample of the useridd.log output during a dynamic address object register:

Mar 05 19:52:38 cfgagent_opcmd_callback(pan_cfgagent.c:364): useridd: cfg agent received op command from server
Mar 05 19:52:38 cfgagent_doop_callback(pan_cfgagent.c:398): received sigal to execute <operations xml="yes" type="union" handler="set_userid_data" vsys="vsys1"><set type="union"><user-id type="sequence"><data type="string"><![CDATA[
<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<register>
<entry identifier="C-PG" ip="15.0.0.63"/>
</register>
</payload>
</uid-message>

]]></data></user-id></set></operations>
Mar 05 19:52:38 pan_user_id_xmlapi_dynobj_proc(pan_user_id_xmlapi.c:205): register 15.0.0.63 for id C-PG from xml api
Mar 05 19:52:38 pan_dynobj_add_obj(pan_dyn_obj.c:205): add obj C-PG in vsys 1
Mar 05 19:52:38 pan_dynobjs_save(pan_dyn_obj.c:764): save dynamic object file '/opt/pancfg/mgmt/global/dynobj/dynobj.xml'
Mar 05 19:52:38 pan_dynobjs_redist_save_vsys(pan_dyn_obj.c:594): save dynamic object file '/opt/pancfg/mgmt/global/dynobj/1.xml'
Mar 05 19:52:38 pan_dynobj_notify_modified(pan_dyn_obj.c:929): dynobj-modified notified to other daemons as: true
Mar 05 19:52:38 pan_dynobj_dnld(pan_dyn_obj.c:955): save 16 dynamic objects with 50 ip takes 0 seconds
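The useridd.log lines above are the firewall's own record of who changed which object, which makes them worth feeding into a log pipeline. The following parser is an added example (not part of this tech note or of PAN-OS): it extracts register events and the "save N dynamic objects with M ip" summary, replays the events into the current membership per identifier, and flags when the registered IP total approaches the platform maximum from the Considerations table. The sample lines are constructed from the format shown above; the unregister line format is assumed to mirror the register line, since the tech note shows only a register.

```python
"""Extract dynamic address object events from useridd.log lines.

Added example, not part of the tech note. The register and save lines follow
the tech note's sample; the unregister line is an assumed mirror of the
register line (constructed, not observed).
"""
import re
from collections import defaultdict

# Constructed sample: lines 1-4 follow the tech note's format, line 5 is assumed.
SAMPLE_LOG = """\
Mar 05 19:52:38 cfgagent_opcmd_callback(pan_cfgagent.c:364): useridd: cfg agent received op command from server
Mar 05 19:52:38 pan_user_id_xmlapi_dynobj_proc(pan_user_id_xmlapi.c:205): register 15.0.0.63 for id C-PG from xml api
Mar 05 19:52:38 pan_dynobj_add_obj(pan_dyn_obj.c:205): add obj C-PG in vsys 1
Mar 05 19:52:38 pan_dynobj_dnld(pan_dyn_obj.c:955): save 16 dynamic objects with 50 ip takes 0 seconds
Mar 05 19:55:02 pan_user_id_xmlapi_dynobj_proc(pan_user_id_xmlapi.c:205): unregister 15.0.0.63 for id C-PG from xml api
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<func>\w+)\((?P<src>[^)]*)\): (?P<msg>.*)$")
CHANGE_RE = re.compile(r"^(?P<op>register|unregister) (?P<ip>\S+) for id (?P<id>\S+) from xml api$")
SAVE_RE = re.compile(r"^save (?P<objects>\d+) dynamic objects with (?P<ips>\d+) ip takes (?P<secs>\d+) seconds$")


def parse_useridd_log(text):
    """Return a list of event dicts for register/unregister and save lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        change = CHANGE_RE.match(msg)
        if change:
            events.append({"time": m.group("ts"), "event": change.group("op"),
                           "identifier": change.group("id"), "ip": change.group("ip")})
            continue
        save = SAVE_RE.match(msg)
        if save:
            events.append({"time": m.group("ts"), "event": "save",
                           "objects": int(save.group("objects")), "ips": int(save.group("ips"))})
    return events


def registered_ips_by_identifier(events):
    """Replay register/unregister events into the current membership per identifier."""
    members = defaultdict(set)
    for ev in events:
        if ev["event"] == "register":
            members[ev["identifier"]].add(ev["ip"])
        elif ev["event"] == "unregister":
            members[ev["identifier"]].discard(ev["ip"])
    return {identifier: sorted(ips) for identifier, ips in members.items()}


def capacity_warnings(events, platform_max_ips, threshold=0.8):
    """Flag save lines whose registered IP total is at or above threshold * platform maximum."""
    warnings = []
    for ev in events:
        if ev["event"] == "save" and ev["ips"] >= threshold * platform_max_ips:
            warnings.append(f'{ev["time"]}: {ev["ips"]} of {platform_max_ips} registered IPs in use')
    return warnings


if __name__ == "__main__":
    evs = parse_useridd_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print(registered_ips_by_identifier(evs))
    print(capacity_warnings(evs, platform_max_ips=1000))
```

The platform maximum passed to capacity_warnings comes from the Considerations table (for example 1,000 registered IP addresses on a PA-500); the save line's "with N ip" total is the firewall-wide count, so it is the right figure to compare against that limit.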



Turn off the User-ID debug with:

debug user-id off

Revision History
Date            Revision    Comment
March 6, 2013   B           New section named Dynamic Address Objects via Panorama added.
                            Added syntax for an API call to a multi-vsys target.
                            Expanded the Dynamic Objects maximums table to include total maximum objects by platform.
                            Added a section on using Panorama to proxy dynamic address object API calls.
                            Added a section on troubleshooting, which highlights new debug commands.
