Palo Alto Networks Firewall Integration - Policy Group Derived Dynamic Address Groups (DAG)

Introduction and Use Cases

Dynamic Address Groups (DAGs) are a cornerstone of Palo Alto Networks Firewall policy management, enabling security rules to dynamically adapt to changes in network conditions. This feature is essential for modern environments where devices, IPs, and contexts shift rapidly or may be unknown during initial policy creation. However, manually configuring and managing DAGs can introduce complexity and operational overhead.

Elisity addresses this challenge by integrating directly with Palo Alto Networks Firewalls to publish DAGs derived from Policy Groups (PGs). This integration offers organizations the ability to:

  • Seamlessly translate Policy Groups (PGs) into DAGs, ensuring firewall policies reflect real-time asset classification.
  • Automate and abstract the complexity of firewall management, by dynamically updating DAGs using Elisity's IdentityGraph for asset classification.
  • Enhance visibility and control, bridging the gap between access layer infrastructure and perimeter defenses. Give your firewalls the context and visibility of your access layer infrastructure.

Key Use Cases

This capability is particularly beneficial in scenarios such as:

  • Environments Without Centralized Management: For organizations without Panorama, this solution provides an efficient alternative by delivering DAGs directly to firewalls.

  • Unifying Access Layer Segmentation with Firewall Policies: By aligning DAGs with Policy Groups, organizations can ensure their firewall policies are informed by the most current segmentation data from the Elisity platform.

  • Simplified Firewall Management: Automating DAG updates reduces manual configuration efforts, eliminates errors, and simplifies the operational complexity of managing firewalls at scale.

  • Achieving a Unified Security Strategy: This integration aligns segmentation efforts across network layers, ensuring consistent enforcement of policies and enhancing the overall security posture.

This integration is designed to simplify firewall management while providing organizations with a powerful tool for dynamic and adaptive security. In the following sections, we’ll explore how to configure and deploy this feature, ensuring optimal performance and alignment with your segmentation strategy.

 


Integration Details 

The integration between Elisity’s segmentation platform and Palo Alto Networks Firewalls leverages Dynamic Address Groups (DAGs) to dynamically enforce security policies. By aligning DAGs with Policy Groups (PGs) defined in Elisity’s platform, this solution ensures that firewall rules remain current and reflect real-time changes in network segmentation.

Core Workflow

  1. Policy Groups in Elisity: Devices, users, and endpoints are assigned to Policy Groups based on identity, behavior, and network context.
  2. Mapping to DAGs: The Elisity platform maps these Policy Groups to DAGs, which are dynamically updated and pushed to Palo Alto Networks Firewalls.
  3. Firewall Policy Enforcement: The DAGs are referenced in firewall security policies, enabling automated enforcement based on the most recent identity data.

This streamlined process eliminates the need for manual updates to firewall configurations, reducing administrative burden and improving the accuracy and consistency of security policies.

 

Additional Details

  • Real-Time Updates: Changes to Policy Groups in Elisity trigger updates to the corresponding Dynamic Address Groups on a near real-time basis.
  • Dynamic Mapping: Automatic normalization of Policy Group names for compatibility with Palo Alto Networks naming conventions.
  • Scalable Using Elisity Virtual Edge: The integration efficiently handles environments with multiple firewalls by utilizing Virtual Edges to manage the distribution of DAGs, whether standalone VEs or VE Groups that offer high availability.

 

Resource Management and Scale Considerations

To ensure optimal performance, the integration uses Virtual Edges (VEs) to manage communication with the firewalls:

  • Dedicated VE Groups: Configure a small, dedicated VE Group containing a maximum of two (2) Virtual Edges for firewall integration; this minimizes API session contention.
  • Scalable Architecture: The solution supports standalone VEs or VE groups, balancing simplicity and redundancy.

 


Prerequisites

Before integrating Palo Alto Networks Firewalls with Elisity’s segmentation platform to publish Dynamic Address Groups (DAGs), ensure the following prerequisites are met. These preparation steps are critical to a successful deployment and seamless operation.

 

Firewall Configuration Requirements

Dedicated User Credentials

Create a unique user account on the firewall for Elisity’s Virtual Edge (VE) nodes to use for API communication.

The account should have:

  • Superuser permissions: Required for full API functionality.
  • XML API access: To allow DAG updates and configuration commits.

Avoid sharing credentials with other services or administrators to maintain security and reduce conflicts.

Management Profile Setup

Configure the firewall’s management interface to allow HTTPS communication from the VE IPs. Ensure the appropriate IP addresses for the VE nodes are whitelisted under the firewall’s permitted IP settings.

Generate an API Key

Use the dedicated user credentials to generate an API key. This key will authenticate the Elisity platform’s requests to the firewall.
API key generation can be done via the Palo Alto Networks CLI or web interface.
With the username and password of the account to be used by the VEs, log into the firewall and retrieve the API key with the following URL, substituting your own values for:
  • Firewall IP Address
  • Username (shown in the example as veusername)
  • Password (shown in the example as vepassword)
https://192.168.1.1/api/?type=keygen&user=veusername&password=vepassword
If the credentials are correct, you should see something similar to the following:
<response status="success">
<result>
<key>
LUFRPT1LSXduVStJanRobnU5eVl2K3c1TFNhZEFZSUE9aFVmWTRZRXBiMUxlMmpiRGxrb1BxT2VGcTY5aGxYOS8rWnZDMlVLMVArRFpMTERuRnlKYlI4eU4zUElheDRLVw==
</key>
</result>
</response>

 

Preparations in Cloud Control Center

Virtual Edge (VE) Nodes

  • Deploy one or more VEs configured to manage communication with the Palo Alto Networks Firewall.
  • For redundancy:
    1. Use a VE group with up to two nodes.
    2. Ensure both VEs in the group are reachable by the firewall.
  • VE nodes should be on version 16.4 or later to support this feature.

Policy Groups (PGs)

  • Define and configure Policy Groups in the Elisity platform.
  • Ensure the PGs reflect the intended segmentation logic, as these will be translated into DAGs.

 

Network Requirements

  1. Connectivity:

    • Verify network connectivity between the Elisity VE nodes and the firewall’s management interface.
    • Ensure HTTPS traffic is not blocked by firewalls or ACLs along the communication path.
  2. API Session Limits:

    • Palo Alto Networks Firewalls support a maximum of five concurrent API sessions. Limit VE groups to one or two VEs to prevent resource contention.

 

Validation Checklist

Before proceeding with onboarding:

  • Dedicated firewall user account created with superuser and XML API permissions.
  • API key generated and tested for authentication.
  • VE nodes deployed and configured for integration.
  • Firewall management profile updated to allow VE communication.
  • Policy Groups reviewed and aligned with the intended DAG mappings.

Once these prerequisites are in place, the next step is to onboard the firewalls into the Elisity platform. The following section will guide you through the onboarding process.

 


Onboarding Firewalls

This section guides you through the process of onboarding Palo Alto Networks Firewalls to the Elisity platform. By completing this setup, the firewalls can receive Dynamic Address Groups (DAGs) directly from the Elisity platform, enabling dynamic and automated policy enforcement.

Step 1: Create a Firewall Integration VE Group

Log in to the Elisity Cloud Control Center (CCC) and navigate to the Virtual Edge dashboard. Select or create a dedicated VE group for managing the Palo Alto Networks Firewall. Ensure this group contains one or two (max) VEs for optimal performance and redundancy. Assign the VE group to the intended Distribution Zone or the Global Distribution Zone.

 

Step 2: Start the Virtual Edge Node Onboarding Workflow

Click + Add Virtual Edge Node in the Virtual Edge Node tab. This will open up the Virtual Edge Node creation workflow. 

 

Choose your Virtual Edge Group (the dedicated VE Group created earlier) and click Next.

 

Next, select the firewall tile and choose Direct Firewall.

 

Provide the following information for each firewall:

  • Firewall IP Address: Enter the management IP of the firewall.
  • Username: Enter the username of the superuser account that will be used on the firewall.
  • API Key*: Paste the API key generated using the dedicated firewall user credentials.
  • Description (optional): Provide a few words as a description to help identify the VEN.

* Generating the API key can be performed by following Palo Alto Networks documentation or by using the following URL:

https://<FIREWALL_IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>

Replace <FIREWALL_IP>, <USERNAME>, and <PASSWORD> with the appropriate values.
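Both keygen passages on this page (the Prerequisites section and the footnote above) retrieve the key with a browser GET that carries the password in the URL query string, where it can land in browser history, proxy logs and the firewall's web-server access log. The script below is an added example, not Elisity's or Palo Alto Networks' code: it sends the same keygen request as a POST with the credentials in the body, verifies the firewall's TLS certificate against a CA bundle path you supply (an assumed parameter; PAN-OS ships a self-signed certificate, so export and trust it first), and parses the success or error XML. The sample responses are constructed and the key value in them is made up.

```python
"""Generate a PAN-OS XML API key without exposing the password in a URL.

Added example (not Elisity's or Palo Alto Networks' code). Assumptions:
- the keygen endpoint is /api/?type=keygen, as shown on the page;
- type/user/password are accepted in a POST body as well as in the query;
- TLS is verified against a CA bundle path supplied by the caller.
"""
from __future__ import annotations

import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def parse_keygen_response(xml_text: str) -> str:
    """Return the key from a keygen reply, or raise ValueError on an error reply.

    Handles the <response status="success"><result><key>..</key></result></response>
    document shown on the page, with surrounding whitespace tolerated.
    """
    root = ET.fromstring(xml_text.strip())
    if root.tag != "response":
        raise ValueError("not a PAN-OS API response")
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
        raise ValueError(f"keygen failed: {msg}")
    key = (root.findtext("./result/key") or "").strip()
    if not key:
        raise ValueError("success response without a <key> element")
    return key


def check_keygen_response(xml_text: str) -> tuple[bool, str]:
    """Non-raising wrapper: (True, key) on success, (False, reason) otherwise."""
    try:
        return True, parse_keygen_response(xml_text)
    except (ValueError, ET.ParseError) as exc:
        return False, str(exc)


def build_keygen_request(firewall_ip: str, username: str, password: str) -> urllib.request.Request:
    """POST to /api/ with the credentials in the body, so the URL stays clean."""
    body = urllib.parse.urlencode(
        {"type": "keygen", "user": username, "password": password}
    ).encode()
    return urllib.request.Request(
        f"https://{firewall_ip}/api/",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def fetch_api_key(firewall_ip: str, username: str, password: str, ca_bundle: str) -> str:
    """Perform the keygen call with certificate verification and return the key."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # never disable verification here
    req = build_keygen_request(firewall_ip, username, password)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_keygen_response(resp.read().decode())


# Constructed sample replies for offline use; the key value is made up.
SAMPLE_SUCCESS = """ <response status="success">
<result>
<key>
EXAMPLEKEYabc123==
</key>
</result>
</response>"""
SAMPLE_ERROR = """<response status="error" code="403"><result><msg>Invalid Credential</msg></result></response>"""


if __name__ == "__main__":
    print(check_keygen_response(SAMPLE_SUCCESS))
    print(check_keygen_response(SAMPLE_ERROR))
```

Store the returned key in your secrets store rather than in a script or ticket; the key is as powerful as the superuser account it was generated for.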

You will be redirected to a web page with the API Key, where you can copy and paste as seen here:

Click Next after adding configurations. On the next screen you can review all configurations before finalizing the deployment.

 

Step 3: Assign Policy Groups to DAGs

In the Policy Group Mapping section:

Select the Policy Groups (PGs) you want to map to DAGs on the firewall.

Choose either:

  • All PGs: Map all Policy Groups to the firewall.
  • Specific PGs: Select individual PGs to map.

The interface will display the total number of IP addresses being sent to the firewall, helping you ensure resource constraints are not exceeded. 

Note: Be sure not to exceed the limitations of the platform where you are pushing entries (i.e., 5000 entries for select Palo Alto Networks Firewalls).

 

Step 4: Commit Configuration

Once all details are filled in, click Add to onboard the firewall.

The Elisity platform will:

  • Normalize Policy Group names to comply with Palo Alto Networks naming conventions, and prepend Elisity_<group-tag-value>_ to the PG name.
  • Push the Policy Group-to-Dynamic Address Group configuration to the firewall.

 

Step 5: Post-Onboarding Validation

Verify in the Firewall Interface

Log in to the Palo Alto Networks Firewall web interface.

Navigate to the Objects > Address Groups section.

Confirm that the expected DAGs have been created and reflect the Policy Group mappings. Notice that Elisity_<group-tag-value>_ has been prepended to the normalized Policy Group name.

Test Connectivity: Validate that the firewall is correctly communicating with the VE nodes. Check that changes in Policy Groups within the Elisity platform dynamically update the corresponding DAGs on the firewall.

NOTE:

Palo Alto Networks firewalls will not populate the DAG with IP addresses learned from Elisity unless the DAG is referenced in an active security policy rule on the firewall.
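That note matters for validation: a DAG that no rule references stays empty, so a check that only confirms the object exists can pass while nothing is being enforced. The script below is an added example, not Elisity's or Palo Alto Networks' code. It reads the address-group and security-rule configuration through the XML API and reports, for every Elisity_-prefixed DAG, which rules reference it as source or destination. It assumes the default localhost.localdomain/vsys1 xpaths, the X-PAN-KEY request header for the API key, and a CA bundle path for TLS verification; the embedded XML is a constructed sample so the checks run offline (the DAG filter values in it are illustrative).

```python
"""Report which Elisity-pushed DAGs on a PAN-OS firewall are actually
referenced by a security rule (only those will be populated).

Added example (not Elisity's or Palo Alto Networks' code). Assumptions:
- config is read with type=config&action=get on the default vsys1 xpaths;
- the API key is passed in the X-PAN-KEY header instead of ?key=;
- TLS is verified against a caller-supplied CA bundle.
"""
from __future__ import annotations

import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

VSYS_XPATH = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
DAG_PREFIX = "Elisity_"


def api_get_config(firewall_ip: str, api_key: str, xpath: str, ca_bundle: str) -> str:
    """Fetch one config subtree and return the raw XML text."""
    query = urllib.parse.urlencode({"type": "config", "action": "get", "xpath": xpath})
    req = urllib.request.Request(
        f"https://{firewall_ip}/api/?{query}", headers={"X-PAN-KEY": api_key}
    )
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode()


def dynamic_groups(address_group_xml: str) -> dict[str, str]:
    """Map each dynamic address group name to its tag filter; static groups are skipped."""
    root = ET.fromstring(address_group_xml)
    groups: dict[str, str] = {}
    for entry in root.findall(".//address-group/entry"):
        flt = entry.findtext("./dynamic/filter")
        if flt is not None:
            groups[entry.get("name")] = flt.strip()
    return groups


def rule_references(rules_xml: str) -> dict[str, set[str]]:
    """Map each address object/group name to the security rules using it
    as source or destination. The 'any' keyword is not an object and is ignored."""
    root = ET.fromstring(rules_xml)
    refs: dict[str, set[str]] = {}
    for rule in root.findall(".//rules/entry"):
        for side in ("source", "destination"):
            for member in rule.findall(f"./{side}/member"):
                obj = (member.text or "").strip()
                if obj and obj != "any":
                    refs.setdefault(obj, set()).add(rule.get("name"))
    return refs


def dag_report(address_group_xml: str, rules_xml: str, prefix: str = DAG_PREFIX) -> dict[str, dict]:
    """For every DAG carrying the prefix: its filter, referencing rules, and
    whether the firewall will populate it at all (True only if referenced)."""
    refs = rule_references(rules_xml)
    report = {}
    for name, flt in dynamic_groups(address_group_xml).items():
        if name.startswith(prefix):
            rules = sorted(refs.get(name, ()))
            report[name] = {"filter": flt, "rules": rules, "will_populate": bool(rules)}
    return report


def live_report(firewall_ip: str, api_key: str, ca_bundle: str) -> dict[str, dict]:
    """Same report against a real firewall (requires network access)."""
    ag = api_get_config(firewall_ip, api_key, VSYS_XPATH + "/address-group", ca_bundle)
    rules = api_get_config(firewall_ip, api_key, VSYS_XPATH + "/rulebase/security/rules", ca_bundle)
    return dag_report(ag, rules)


# Constructed samples in the shape of type=config&action=get replies.
SAMPLE_ADDRESS_GROUPS = """<response status="success" code="19"><result total-count="1" count="1">
<address-group>
  <entry name="Elisity_1001_HVAC_Controllers"><dynamic><filter>'Elisity_1001_HVAC_Controllers'</filter></dynamic></entry>
  <entry name="Elisity_1002_Badge_Readers"><dynamic><filter>'Elisity_1002_Badge_Readers'</filter></dynamic></entry>
  <entry name="Servers-Static"><static><member>10.0.0.10</member></static></entry>
</address-group></result></response>"""

SAMPLE_RULES = """<response status="success" code="19"><result total-count="1" count="1">
<rules>
  <entry name="Allow-HVAC-to-BMS"><source><member>Elisity_1001_HVAC_Controllers</member></source>
    <destination><member>Servers-Static</member></destination><action>allow</action></entry>
  <entry name="Default-Deny"><source><member>any</member></source>
    <destination><member>any</member></destination><action>deny</action></entry>
</rules></result></response>"""


if __name__ == "__main__":
    for name, info in dag_report(SAMPLE_ADDRESS_GROUPS, SAMPLE_RULES).items():
        print(name, "referenced by", info["rules"] or "nothing", "-> populates:", info["will_populate"])
```

Run the report after onboarding and again after any rule cleanup on the firewall: a DAG that drops out of every rule will silently stop populating even though it still appears under Objects > Address Groups.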

 

Mapping Policy Groups to DAGs

Once your Palo Alto Networks Firewalls are onboarded, you can configure and manage how Policy Groups (PGs) in the Elisity platform are mapped to Dynamic Address Groups (DAGs) on the firewall. This mapping ensures that the segmentation data in Elisity directly informs the firewall's policies, enabling automated and dynamic security enforcement.

 

The Elisity platform provides a simple interface for mapping PGs to DAGs. This process involves the following steps:

1. Access Policy Group Mapping

Navigate to the Firewall Settings in the CCC interface. Select the onboarded firewall where you want to configure mappings.

2. Choose Policy Groups

In the mapping section, select the Policy Groups to be sent to the firewall:

  • Select All PGs: Automatically maps all Policy Groups in the Elisity platform to DAGs on the firewall.
  • Multi-Select Specific PGs: Choose one or more PGs for targeted DAG mapping.

The interface will display the total number of devices and IP addresses included in the selected Policy Groups. This count helps prevent exceeding firewall resource limits.
Empty PGs, if mapped, will be sent to the firewall to allow for policy to be created without any devices online, if required.

3. Review and Save Changes

Once the desired Policy Groups are selected, click Save Changes to initiate the mapping. The Elisity platform will normalize Policy Group names to align with Palo Alto Networks naming conventions. Changes will be pushed to the firewall, and a commit operation will be performed. Notifications will indicate whether the operation was successful or if there were any errors.

 

The naming for each DAG pushed from Cloud Control Center is standardized as:
Elisity_<PG_ID>_policy_group_name

 

Dynamic Updates

The integration automatically updates DAGs when changes occur in the corresponding Policy Groups. For example:

  • Adding Devices to a PG: New devices added to a Policy Group in Elisity are dynamically included in the DAG on the firewall.
  • Removing Devices from a PG: Devices removed from a Policy Group are removed from the DAG, ensuring policies remain up-to-date.

 

Guardrails for Safe Operations

Commit Restrictions: The Elisity platform performs partial commits on the firewall, scoped to the changes initiated by the integration. This approach minimizes impact on unrelated configurations.

Address Count Visualization: Before committing changes, the platform displays the total number of devices/IPs in the selected Policy Groups. This guardrail ensures you can avoid exceeding the capacity of your firewall’s DAG state table.

 

Managing Changes

These are the behaviors to expect in Cloud Control Center when updating or modifying Policy Group mappings.

Adding New PGs: Select and assign the new PGs using the same workflow. The platform will push the changes and update the firewall DAGs accordingly.

Removing PGs: De-select the PGs to be removed. The platform will:

  1. Attempt to delete the DAG from the firewall.
  2. Log a warning if the DAG is in use by an active policy.

Note: If attempting to delete a Policy Group that is being leveraged by any Firewall or Panorama Integration as a Dynamic Address Group, a notification will be displayed that warns the user that any DAGs pushed to Firewalls will not be removed upon deletion of the PG.

Renaming PGs: Changes to PG names are automatically normalized and reflected in the firewall DAGs without manual intervention. A new DAG will be added to the firewall, and Elisity will attempt to remove the DAG with the old name.
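The naming convention and address-count guardrail described under "Mapping Policy Groups to DAGs", and the add/remove/rename behaviours listed just above, can be rehearsed offline before saving a mapping. The following Python is an added example, not Elisity's or Palo Alto Networks' code. Elisity's exact normalization rules are not published on this page, so normalize_name() is an assumed stand-in (characters outside [A-Za-z0-9_.-] become underscores, repeats collapse, and the result is truncated to 63 characters, the PAN-OS object-name limit as understood here; verify on your release). DAG names follow the Elisity_<PG_ID>_policy_group_name form from the page, the 5000-entry figure is the one the page cites for select platforms, and reconcile() reports rather than deletes a DAG that a security rule still references, which is the behaviour the page describes. All Policy Groups and addresses in the sample are constructed.

```python
"""Plan a Policy Group (PG) -> Dynamic Address Group (DAG) push and
reconcile it against what the firewall already holds.

Added example; not Elisity's or Palo Alto Networks' code. Assumptions:
- normalize_name() approximates Elisity's unpublished normalization;
- MAX_NAME_LEN is the PAN-OS object-name limit as understood here;
- a renamed PG shows up as one add plus one delete of the old name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from ipaddress import ip_address

MAX_NAME_LEN = 63
DEFAULT_ENTRY_LIMIT = 5000  # figure cited on the page for select PAN-OS platforms
DAG_PREFIX = "Elisity_"


@dataclass
class PolicyGroup:
    pg_id: int
    name: str
    addresses: list[str] = field(default_factory=list)


def normalize_name(raw: str) -> str:
    """Reduce a PG display name to characters PAN-OS accepts (assumed rule)."""
    cleaned = re.sub(r"[^A-Za-z0-9_.-]+", "_", raw.strip())
    return re.sub(r"_+", "_", cleaned).strip("_")


def dag_name(pg: PolicyGroup) -> str:
    """Elisity_<PG_ID>_<normalized name>, cut to the object-name limit."""
    return f"{DAG_PREFIX}{pg.pg_id}_{normalize_name(pg.name)}"[:MAX_NAME_LEN]


def plan_push(pgs: list[PolicyGroup], entry_limit: int = DEFAULT_ENTRY_LIMIT) -> dict:
    """Summarize a push the way the CCC address-count guardrail does, plus
    truncated names, empty PGs (still sent so rules can be pre-built) and
    addresses that are not valid IPs."""
    dags, truncated, empty, invalid, unique = {}, [], [], [], set()
    total = 0
    for pg in pgs:
        name = dag_name(pg)
        dags[name] = pg.pg_id
        if len(f"{DAG_PREFIX}{pg.pg_id}_{normalize_name(pg.name)}") > MAX_NAME_LEN:
            truncated.append(name)
        if not pg.addresses:
            empty.append(name)
        for addr in pg.addresses:
            try:
                unique.add(str(ip_address(addr)))
                total += 1
            except ValueError:
                invalid.append((pg.pg_id, addr))
    return {
        "dags": dags,
        "truncated_names": truncated,
        "empty_dags": empty,
        "invalid_addresses": invalid,
        "total_entries": total,           # what the firewall is asked to hold
        "unique_addresses": len(unique),  # lower when one IP sits in several PGs
        "within_limit": total <= entry_limit,
    }


@dataclass
class ReconcilePlan:
    to_add: list[str]
    to_delete: list[str]
    blocked_deletes: dict[str, list[str]]  # DAG -> rules that still reference it
    unchanged: list[str]


def reconcile(current: set[str], desired: set[str],
              rule_refs: dict[str, set[str]], prefix: str = DAG_PREFIX) -> ReconcilePlan:
    """Diff the firewall's Elisity-managed DAGs against the desired set.
    Objects without the prefix are never touched; referenced DAGs are
    reported as blocked instead of deleted."""
    managed = {n for n in current if n.startswith(prefix)}
    stale = managed - desired
    blocked = {n: sorted(rule_refs[n]) for n in stale if rule_refs.get(n)}
    return ReconcilePlan(
        to_add=sorted(desired - managed),
        to_delete=sorted(stale - set(blocked)),
        blocked_deletes=blocked,
        unchanged=sorted(managed & desired),
    )


# Constructed sample Policy Groups.
SAMPLE_PGS = [
    PolicyGroup(1001, "HVAC Controllers (Bldg 3)", ["10.10.3.21", "10.10.3.22"]),
    PolicyGroup(1002, "Badge Readers", []),
    PolicyGroup(1003, "Cameras", ["10.10.3.21", "not-an-ip"]),
    PolicyGroup(1004, "Guest " + "x" * 70, ["10.20.0.5"]),
]

if __name__ == "__main__":
    plan = plan_push(SAMPLE_PGS)
    print(plan)
    current = {"Elisity_1001_HVAC_Controllers_Bldg_3", "Elisity_1005_Old_Name",
               "Elisity_1006_Printers", "Servers-Static"}
    print(reconcile(current, set(plan["dags"]), {"Elisity_1006_Printers": {"Allow-Print"}}))
```

Run plan_push() on the selection before clicking Save Changes when the PG set is large; the truncated_names list tells you which DAG names to search for on the firewall, and blocked_deletes from reconcile() is the list of rules to edit before a de-selected PG's DAG can actually disappear.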

 

Best Practices

To maximize the benefits of integrating Palo Alto Networks Firewalls with Elisity and ensure smooth operation, follow these best practices for configuration, monitoring, and ongoing management.

Configuration Recommendations

Use Dedicated VE Groups for Firewall Integration: Configure a VE group specifically for managing communication with the firewalls. Limit the group to a maximum of two VEs to minimize API resource contention and ensure redundancy.

Optimize Policy Group Selection: Review and refine Policy Groups to ensure they align with your security goals. Avoid selecting excessive or unnecessary PGs to prevent overloading the firewall’s DAG capacity.

Regularly Review Resource Limits: Be mindful of the firewall’s limitations, such as the maximum number of DAG entries and API session constraints. Use the address count visualization in the CCC interface to monitor the number of devices being sent to DAGs.

 

Policy Group Usage Visibility in Palo Alto Security Rules

When Policy Groups are published to Palo Alto Networks firewalls as Dynamic Address Groups (DAGs), their usage within firewall security rules can be viewed directly from the associated Virtual Edge Node (VEN) in Cloud Control Center.

For direct firewall integrations, the left panel displays the Policy Groups assigned to the VEN. The security rules table lists all rules on the associated firewall that reference those DAGs. Each row includes a timestamp indicating when the rules were last retrieved. Rules no longer present on the firewall are automatically removed during the next update cycle.

In Panorama-managed environments, Policy Groups are shown grouped under their assigned Device Groups. The corresponding firewalls and their security rules are displayed per device group. Rules that reference multiple DAGs (e.g., in both source and destination fields) are displayed under each relevant Policy Group for clarity. The left panel supports expandable views per device group, and all columns in the rules table support standard filtering, global search, and list-style expansion for multi-value fields.

Firewall rules are refreshed at a configurable interval, and the most recent update time is shown in the "Last Update" column. This ensures administrators have a current view of how identity-driven segmentation policies are enforced within the firewall infrastructure.

Note: Visibility from the VEN view is currently supported. Viewing policy group usage across all firewalls from the Policy Group details page is not yet available.

 
