Tech Note
PAN-OS 5.0
It is not practical to require a security policy update followed by a configuration commit every time a server changes.
To solve this problem, PAN-OS 5.0 includes a new feature called Dynamic Address Objects. Dynamic Address Objects are a
new address object type that can be updated using the XML API. They can be referenced in security policies, and when
their contents change, a configuration commit is not required.
Use Case
One example where Dynamic Address Objects are particularly useful is in a virtual data center. Sometimes zone-based
security policies are not granular enough in a virtual data center and IP-based policy is required. If a server moves within a
data center (or to a neighboring data center) and is located behind a new firewall, the new firewall will need an update to its
security policy. Using Dynamic Address Objects in this scenario allows the firewall at the new location to continue to
provide security for the server without having to commit a configuration change.
Configuration Details
Configuring a new Dynamic Address Object
The new address object type Dynamic Address Object is listed with the other object types IP Netmask, IP Range, and
FQDN. To create a dynamic address object, go to the Objects tab and select Addresses on the left:
Select Add and give the dynamic address object a name. Under Type, choose Dynamic.
Give the new object an identifier. This identifier will be used in the XML call and must be unique.
It is important to note that IP addresses cannot be added to a dynamic address object in the WebUI or the CLI, and IP
addresses cannot be removed from a dynamic address object using the WebUI. All IP addresses (in one or all Dynamic Address
Objects) can be removed using the CLI, but this cannot be done selectively.
The entries in a dynamic address object do not show up in the configuration, but they can be viewed using the CLI (see
below). Also, the entries of a dynamic address object survive a reboot.
XML API
To add a new entry to a dynamic address object, use the following XML API syntax:
Where IP is the IP address of the firewall under management, KEY is the pre-generated API key for the PAN-OS firewall, and
XMLFILE is the name of the XML file with the needed additions and/or deletions for the dynamic address object.
The XML file must have the following format for adding new IP addresses to an existing object:
<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <register>
      <entry identifier="OBJECT ID" ip="IP"/>
    </register>
  </payload>
</uid-message>
Multiple additions can be made to the same object, or to multiple objects, in one API call by listing them in the same XML
file:
<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <register>
      <entry identifier="OBJECT ID 1" ip="IP1"/>
      <entry identifier="OBJECT ID 1" ip="IP2"/>
      <entry identifier="OBJECT ID 2" ip="IP3"/>
    </register>
  </payload>
</uid-message>
To remove IP addresses from one or more objects, use an unregister element instead of register; the entry format is the same:
<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <unregister>
      <entry identifier="OBJECT ID 1" ip="IP1"/>
      <entry identifier="OBJECT ID 1" ip="IP2"/>
      <entry identifier="OBJECT ID 2" ip="IP3"/>
    </unregister>
  </payload>
</uid-message>
CLI Commands
To view the current contents of a dynamic object, use the following command:
To remove all entries of all Dynamic Address Objects, or the entries of one dynamic address object:
The id above is the identifier that was created when the Dynamic Address Object was configured. When an object is
refreshed (new IPs are registered or old IPs are unregistered), you will see a new task called AddrObjRefresh:
You can monitor the AddrObjRefresh task to see the completion status of a dynamic address object update.
Demonstration Topology
The attempt fails. There is a policy to allow it but it requires the source address to match the NFS Clients address group
and the IP for server C (15.0.0.63) has not been registered yet.
Now that the IP address for Server C is registered, the Allow NFS to server security rule applies and the traffic is allowed.
1) Single point of administration - Administrators do not have to access each individual device to configure and
populate these objects.
2) Simplified key management - If not using Panorama, allowing specific administrators the privilege to populate the
dynamic address objects on the devices first requires touching each firewall and then generating an authentication
3) Less management overhead - There is no need to create and replicate administrator accounts across all the managed
firewalls to populate dynamic address objects.
4) Less risk of misconfigurations - Having one central administrator lowers the risk of misconfigurations.
Test Topology
In this topology, Panorama is configured at 10.2.133.50 and is managing Devices D1 and D2. We will configure dynamic
address objects under a device group in Panorama and push them to Device D1. We will then use Panorama as a proxy to
populate the dynamic address objects on Device D1 with IP addresses using a wget script.
Configuration Details
Configure Dynamic address objects
Configure a new Dynamic Address Object in Panorama under the Objects tab. Select the object type Dynamic and give the
object an Identifier. This Identifier is used in the XML call, so it must be unique.
https://<IP>/api/?type=user-id&action=set&key=<KEY>&file-name=<XMLFILE>&target=<device_serial_no>
Where IP is the IP address of Panorama, KEY is the pre-generated API key for the Panorama server, XMLFILE is the name
of the XML file that contains the Identifiers and their addresses, and target is the serial number of the device. You can only
populate addresses on one device at a time.
The following wget command can be used to populate dynamic address objects with IP addresses on the firewall (device)
with serial number 0008C100105.
The text highlighted in blue marks the moving parts of the wget script, which are explained in detail below.
config.xml - This is the name of the XML file that contains identifiers and their addresses. It is referenced twice.
10.2.133.50 - This is the Panorama server's IP. Replace this with your Panorama server's management IP address.
Key - Prior to using this script, you must generate an API key, which will be used to authenticate the API calls.
You can manage all the identifiers and addresses across all your devices in one XML file. However, your script should have
a unique API call for each device that is managed by Panorama. Each call will be the same except for the serial number field,
which is unique for every firewall.
Recommendations
We recommend creating and pushing the Dynamic Address Objects to all the firewalls in your environment that are managed by
Panorama, but populating only the objects that are relevant to a particular firewall. Since all the objects are going
to be available on every device, you must create these objects with unique identifiers.
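The XML format from the XML API section, the one-call-per-device Panorama proxy call, and the recommendation above, put together as an added example that is not part of the tech note. The identifiers, the second serial number and the "currently registered" data are constructed; using one XML file per device is this example's way of populating each firewall with only its relevant objects.

```python
"""Added example, not from the tech note: build Dynamic Address Object updates and the
per-device Panorama API call. Assumes an inventory (identifier -> IPs), the identifiers
relevant to each device, and each device's currently registered IPs."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

def build_uid_message(register, unregister):
    """Serialize a <uid-message>; register/unregister map identifier -> set of IPs."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for tag, mapping in (("register", register), ("unregister", unregister)):
        if not any(mapping.values()):
            continue                      # omit an empty <register/> or <unregister/>
        block = ET.SubElement(payload, tag)
        for ident in sorted(mapping):
            # ip_address() raises ValueError on anything that is not a bare IP address
            for ip in sorted(mapping[ident], key=ipaddress.ip_address):
                ET.SubElement(block, "entry", identifier=ident, ip=ip)
    return ET.tostring(root, encoding="unicode")

def reconcile(inventory, relevant, current):
    """Diff desired vs. registered state for one device, touching only relevant identifiers."""
    register, unregister = {}, {}
    for ident in relevant:
        want, have = set(inventory.get(ident, ())), set(current.get(ident, ()))
        register[ident], unregister[ident] = want - have, have - want
    return register, unregister

def panorama_url(panorama_ip, api_key, xml_file, serial):
    """One call per target device; Panorama proxies the update to that firewall."""
    query = {"type": "user-id", "action": "set", "key": api_key,
             "file-name": xml_file, "target": serial}
    return f"https://{panorama_ip}/api/?{urlencode(query)}"

# Constructed sample data; only serial 0008C100105 and 15.0.0.63 appear in the tech note.
INVENTORY = {"nfs-clients": {"15.0.0.63", "15.0.0.64"}, "web-servers": {"10.1.1.10"}}
RELEVANT = {"0008C100105": ["nfs-clients"], "0008C100106": ["nfs-clients", "web-servers"]}
CURRENT = {"0008C100105": {"nfs-clients": {"15.0.0.64", "15.0.0.99"}}, "0008C100106": {}}

def device_updates(panorama_ip="10.2.133.50", api_key="<KEY>"):
    """Return {serial: (uid-message XML, Panorama API URL)} for every managed device."""
    out = {}
    for serial, idents in RELEVANT.items():
        reg, unreg = reconcile(INVENTORY, idents, CURRENT.get(serial, {}))
        xml_file = f"{serial}.xml"        # one file per device, so each gets only its objects
        out[serial] = (build_uid_message(reg, unreg), panorama_url(panorama_ip, api_key, xml_file, serial))
    return out
```

Write each XML string to its file and fetch its URL with wget, as the tech note does; the stale 15.0.0.99 entry on 0008C100105 ends up in an unregister block while 15.0.0.63 is registered.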
Troubleshooting
In addition to the show object dynamic-address-object all command, you can use the following commands to get more
information about the API calls:
Below is a sample of the useridd.log output during a dynamic address object register:
]]></data></user-id></set></operations>
Mar 05 19:52:38 pan_user_id_xmlapi_dynobj_proc(pan_user_id_xmlapi.c:205): register 15.0.0.63 for id C-PG from xml api
Mar 05 19:52:38 pan_dynobj_add_obj(pan_dyn_obj.c:205): add obj C-PG in vsys 1
Mar 05 19:52:38 pan_dynobjs_save(pan_dyn_obj.c:764): save dynamic object file '/opt/pancfg/mgmt/global/dynobj/dynobj.xml'
Mar 05 19:52:38 pan_dynobjs_redist_save_vsys(pan_dyn_obj.c:594): save dynamic object file '/opt/pancfg/mgmt/global/dynobj/1.xml'
Mar 05 19:52:38 pan_dynobj_notify_modified(pan_dyn_obj.c:929): dynobj-modified notified to other daemons as: true
Mar 05 19:52:38 pan_dynobj_dnld(pan_dyn_obj.c:955): save 16 dynamic objects with 50 ip takes 0 seconds
Revision History
Date           Revision  Comment
March 6, 2013  B         New section named Dynamic Address Objects via Panorama added.
                         Added syntax for an API call to a multi-vsys target.
                         Expanded the Dynamic Objects maximums table to include total maximum objects by platform.
                         Added a section on using Panorama to proxy dynamic address object API calls.
                         Added a section on troubleshooting, which highlights new debug commands.