Palo Alto Networks Firewall Integration - Policy Group Derived Dynamic Address Groups (DAG)

Introduction and Use Cases

Dynamic Address Groups (DAGs) are a cornerstone of Palo Alto Networks Firewall policy management, enabling security rules to dynamically adapt to changes in network conditions. This feature is essential for modern environments where devices, IPs, and contexts shift rapidly or may be unknown during initial policy creation. However, manually configuring and managing DAGs can introduce complexity and operational overhead.

Elisity addresses this challenge by integrating directly with Palo Alto Networks Firewalls to publish DAGs derived from Policy Groups (PGs). This integration offers organizations the ability to:

  • Seamlessly translate Policy Groups (PGs) into DAGs, ensuring firewall policies reflect real-time asset classification.
  • Automate and abstract the complexity of firewall management, by dynamically updating DAGs using Elisity's IdentityGraph for asset classification.
  • Enhance visibility and control, bridging the gap between access layer infrastructure and perimeter defenses. Give your firewalls the context and visibility of your access layer infrastructure.

Key Use Cases

This capability is particularly beneficial in scenarios such as:

  • Environments Without Centralized Management: For organizations without Panorama, this solution provides an efficient alternative by delivering DAGs directly to firewalls.

  • Unifying Access Layer Segmentation with Firewall Policies: By aligning DAGs with Policy Groups, organizations can ensure their firewall policies are informed by the most current segmentation data from the Elisity platform.

  • Simplified Firewall Management: Automating DAG updates reduces manual configuration efforts, eliminates errors, and simplifies the operational complexity of managing firewalls at scale.

  • Achieving a Unified Security Strategy: This integration aligns segmentation efforts across network layers, ensuring consistent enforcement of policies and enhancing the overall security posture.

This integration is designed to simplify firewall management while providing organizations with a powerful tool for dynamic and adaptive security. In the following sections, we’ll explore how to configure and deploy this feature, ensuring optimal performance and alignment with your segmentation strategy.

Integration Details

The integration between Elisity’s segmentation platform and Palo Alto Networks Firewalls leverages Dynamic Address Groups (DAGs) to dynamically enforce security policies. By aligning DAGs with Policy Groups (PGs) defined in Elisity’s platform, this solution ensures that firewall rules remain current and reflect real-time changes in network segmentation.

Core Workflow

  1. Policy Groups in Elisity: Devices, users, and endpoints are assigned to Policy Groups based on identity, behavior, and network context.
  2. Mapping to DAGs: The Elisity platform maps these Policy Groups to DAGs, which are dynamically updated and pushed to Palo Alto Networks Firewalls.
  3. Firewall Policy Enforcement: The DAGs are referenced in firewall security policies, enabling automated enforcement based on the most recent identity data.

This streamlined process eliminates the need for manual updates to firewall configurations, reducing administrative burden and improving the accuracy and consistency of security policies.


Additional Details

  • Real-Time Updates: Changes to Policy Groups in Elisity trigger updates to the corresponding Dynamic Address Groups on a near real-time basis.
  • Dynamic Mapping: Automatic normalization of Policy Group names for compatibility with Palo Alto Networks naming conventions.
  • Scalable Using Elisity Virtual Edge: The integration efficiently handles environments with multiple firewalls by utilizing Virtual Edges to manage the distribution of DAGs, whether standalone VEs or VE Groups that offer high availability.


Resource Management and Scale Considerations

To ensure optimal performance, the integration uses Virtual Edges (VEs) to manage communication with the firewalls:

  • Dedicated VE Groups: Configure a small, dedicated VE Group containing a maximum of TWO (2) Virtual Edges for firewall integration; this minimizes API session contention.
  • Scalable Architecture: The solution supports standalone VEs or VE groups, balancing simplicity and redundancy.

Prerequisites

Before integrating Palo Alto Networks Firewalls with Elisity’s segmentation platform to publish Dynamic Address Groups (DAGs), ensure the following prerequisites are met. These preparation steps are critical to a successful deployment and seamless operation.


Firewall Configuration Requirements

Dedicated User Credentials

Create a unique user account on the firewall for Elisity’s Virtual Edge (VE) nodes to use for API communication.

The account should have:

  • Superuser permissions: Required for full API functionality.
  • XML API access: To allow DAG updates and configuration commits.

Avoid sharing credentials with other services or administrators to maintain security and reduce conflicts.

Management Profile Setup

Configure the firewall’s management interface to allow HTTPS communication from the VE IPs. Ensure the appropriate IP addresses for the VE nodes are whitelisted under the firewall’s permitted IP settings.

Generate an API Key

Use the dedicated user credentials to generate an API key. This key will authenticate the Elisity platform’s requests to the firewall.
API key generation can be done via the Palo Alto Networks CLI or web interface.
With the username and password of the account to be used by the VEs, log in to the firewall and retrieve the API key using a URL of the following form, substituting your own values for:
  • Firewall IP Address (shown in the example as 192.168.1.1)
  • Username (shown in the example as veusername)
  • Password (shown in the example as vepassword)
https://192.168.1.1/api/?type=keygen&user=veusername&password=vepassword
If correct, you should see something similar to the following:
<response status="success">
<result>
<key>
LUFRPT1LSXduVStJanRobnU5eVl2K3c1TFNhZEFZSUE9aFVmWTRZRXBiMUxlMmpiRGxrb1BxT2VGcTY5aGxYOS8rWnZDMlVLMVArRFpMTERuRnlKYlI4eU4zUElheDRLVw==
</key>
</result>
</response>
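As an added example (not Elisity's or Palo Alto Networks' own code), the following Python requests the key with the dedicated VE account and parses the keygen response shown above, distinguishing a success response from an error response. It assumes the firewall's XML API also accepts the keygen parameters as a POST body, so the password is not placed in the URL, and that the management certificate can be validated against the CA file you pass in.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional


def parse_keygen_response(xml_text: str) -> str:
    """Return the API key from a keygen response, or raise on an error response."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError("unexpected XML root element: %s" % root.tag)
    if root.get("status") != "success":
        # PAN-OS error responses carry the reason in a <msg> element (assumption).
        msg = root.findtext(".//msg") or "no message returned"
        raise PermissionError("keygen failed: %s" % msg)
    key = root.findtext("./result/key")
    if not key or not key.strip():
        raise ValueError("keygen reported success but returned no <key> element")
    # The key is surrounded by newlines in the response above; strip them.
    return key.strip()


def request_api_key(firewall_ip: str, user: str, password: str,
                    cafile: Optional[str] = None) -> str:
    """Hypothetical helper: POST the credentials to /api/ and return the key.

    Sending the credentials as a POST body keeps the password out of the URL,
    where it would otherwise land in proxy and browser history logs.
    """
    url = "https://%s/api/" % firewall_ip
    body = urllib.parse.urlencode(
        {"type": "keygen", "user": user, "password": password}).encode()
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, data=body, context=ctx, timeout=10) as resp:
        return parse_keygen_response(resp.read().decode())


# Constructed samples: the structure follows the response shown above,
# with a shortened placeholder key and an illustrative error message.
SAMPLE_OK = ('<response status="success"><result><key>\n'
             'LUFRPT1EXAMPLEKEY==\n</key></result></response>')
SAMPLE_ERR = ('<response status="error" code="403"><result>'
              '<msg>Invalid Credential</msg></result></response>')
```

Store the returned key in the CCC workflow only; it is equivalent to the account's password and should not be written to shell history or shared logs.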


Preparations in Cloud Control Center

Virtual Edge (VE) Nodes

  • Deploy one or more VEs configured to manage communication with the Palo Alto Networks Firewall.
  • For redundancy:
    1. Use a VE group with up to two nodes.
    2. Ensure both VEs in the group are reachable by the firewall.
  • VE nodes should be on version 16.4 or later to support this feature.

Policy Groups (PGs)

  • Define and configure Policy Groups in the Elisity platform.
  • Ensure the PGs reflect the intended segmentation logic, as these will be translated into DAGs.


Network Requirements

  1. Connectivity:

    • Verify network connectivity between the Elisity VE nodes and the firewall’s management interface.
    • Ensure HTTPS traffic is not blocked by firewalls or ACLs along the communication path.
  2. API Session Limits:

    • Palo Alto Networks Firewalls support a maximum of five concurrent API sessions. Limit VE groups to one or two VEs to prevent resource contention.


Validation Checklist

Before proceeding with onboarding:

  • Dedicated firewall user account created with superuser and XML API permissions.
  • API key generated and tested for authentication.
  • VE nodes deployed and configured for integration.
  • Firewall management profile updated to allow VE communication.
  • Policy Groups reviewed and aligned with the intended DAG mappings.

Once these prerequisites are in place, the next step is to onboard the firewalls into the Elisity platform. The following section will guide you through the onboarding process.

Onboarding Firewalls

This section guides you through the process of onboarding Palo Alto Networks Firewalls to the Elisity platform. By completing this setup, the firewalls can receive Dynamic Address Groups (DAGs) directly from the Elisity platform, enabling dynamic and automated policy enforcement.

Step 1: Create a Firewall Integration VE Group

Log in to the Elisity Cloud Control Center (CCC) and navigate to the Virtual Edge dashboard. Select or create a dedicated VE group for managing the Palo Alto Networks Firewall. Ensure this group contains one or two (max) VEs for optimal performance and redundancy. Assign the VE group to the intended Distribution Zone or the Global Distribution Zone.


Step 2: Open the Firewall Integration Workflow

Select the "Firewall Integration" workflow card within the CCC interface. This workflow is designed to streamline the onboarding process specifically for Palo Alto Networks Firewalls.

Provide the following information for each firewall:

  • Firewall IP Address: Enter the management IP of the firewall.
  • Username: Enter the username of the superadmin account that will be used on the firewall.
  • API Key*: Paste the API key generated using the dedicated firewall user credentials.
  • Description (optional): Provide a few words as a description to help identify the VEN.

* Generating the API key can be performed by following Palo Alto Networks documentation or by using the following URL:

https://<FIREWALL_IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>

Replace <FIREWALL_IP>, <USERNAME>, and <PASSWORD> with the appropriate values.

You will be redirected to a web page showing the API key, which you can copy and paste into the workflow.

Step 3: Assign Policy Groups to DAGs

In the Policy Group Mapping section:

Select the Policy Groups (PGs) you want to map to DAGs on the firewall.

Choose either:

  • All PGs: Map all Policy Groups to the firewall.
  • Specific PGs: Select individual PGs to map.

The interface will display the total number of IP addresses being sent to the firewall, helping you ensure resource constraints are not exceeded.

Note: Be sure not to exceed the limitations of the platform where you are pushing entries (i.e., 5000 entries for select Palo Alto Networks Firewalls).


Step 4: Commit Configuration

Once all details are filled in, click Add to onboard the firewall.

The Elisity platform will:

  • Normalize Policy Group names to comply with Palo Alto Networks naming conventions, and prepend Elisity_<group-tag-value>_ to the PG name.
  • Push the Policy Group to Dynamic Address Group configuration to the firewall. A later change to a Policy Group name results in a corresponding rename of the DAG on the firewall (see Managing Changes below).
  • Raise a notification (under Alerts) indicating whether the commit succeeded or failed.


Step 5: Post-Onboarding Validation

Verify in the Firewall Interface

Log in to the Palo Alto Networks Firewall web interface.

Navigate to the Objects > Address Groups section.

Confirm that the expected DAGs have been created and reflect the Policy Group mappings. Notice that Elisity_<group-tag-value>_ has been prepended to the normalized Policy Group name.

Test Connectivity: Validate that the firewall is correctly communicating with the VE nodes. Check that changes in Policy Groups within the Elisity platform dynamically update the corresponding DAGs on the firewall.

Monitor Commit Status: Use the CCC interface to review the commit logs. Ensure that subsequent Policy Group changes trigger updates to the DAGs without errors.

NOTE:

Palo Alto Networks firewalls will not populate the DAG with IP addresses learned from Elisity unless the DAG is referenced in an active security policy rule on the firewall.
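As an added example (not Elisity's or Palo Alto Networks' own code), the following Python performs the validation above programmatically: it reads the firewall's address groups and security rules through the XML API and lists every Elisity_ DAG that no rule references, since those DAGs will stay empty. It assumes a single-vsys firewall (vsys1), that the API key is accepted in the X-PAN-KEY request header, and a certificate validated against the CA file you pass in; the parsing is demonstrated on constructed sample XML.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

DAG_PREFIX = "Elisity_"   # Elisity prepends Elisity_<group-tag-value>_ to the PG name
VSYS_XPATH = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"


def get_config(firewall_ip, api_key, xpath, cafile=None):
    """Hypothetical helper: fetch one config subtree with type=config&action=get."""
    query = urllib.parse.urlencode({"type": "config", "action": "get", "xpath": xpath})
    req = urllib.request.Request("https://%s/api/?%s" % (firewall_ip, query),
                                 headers={"X-PAN-KEY": api_key})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


def elisity_dags(address_group_xml):
    """Map each dynamic address group named Elisity_* to its tag filter."""
    dags = {}
    for entry in ET.fromstring(address_group_xml).iter("entry"):
        name = entry.get("name", "")
        filt = entry.findtext("./dynamic/filter")   # static groups have no <dynamic>
        if name.startswith(DAG_PREFIX) and filt is not None:
            dags[name] = filt.strip()
    return dags


def referenced_groups(rules_xml):
    """Collect every object named as a source or destination in any security rule."""
    refs = set()
    for rule in ET.fromstring(rules_xml).iter("entry"):
        for m in rule.findall("./source/member") + rule.findall("./destination/member"):
            refs.add((m.text or "").strip())
    return refs


def unreferenced_dags(address_group_xml, rules_xml):
    """Elisity DAGs present on the firewall but not used by any rule (they stay empty)."""
    return sorted(set(elisity_dags(address_group_xml)) - referenced_groups(rules_xml))


# Constructed sample responses (shape of the PAN-OS config API; names are made up).
ADDR_GROUPS = """<response status="success" code="19"><result><address-group>
<entry name="Elisity_SiteA_Cameras"><dynamic><filter>'Elisity_SiteA_Cameras'</filter></dynamic></entry>
<entry name="Elisity_SiteA_HVAC"><dynamic><filter>'Elisity_SiteA_HVAC'</filter></dynamic></entry>
<entry name="NVR_Servers"><static><member>nvr-01</member></static></entry>
</address-group></result></response>"""
RULES = """<response status="success" code="19"><result><rules>
<entry name="cameras-to-nvr"><source><member>Elisity_SiteA_Cameras</member></source>
<destination><member>NVR_Servers</member></destination></entry></rules></result></response>"""
```

Against a live firewall, call get_config with VSYS_XPATH + "/address-group" and VSYS_XPATH + "/rulebase/security/rules" and pass both results to unreferenced_dags; any name it returns is a DAG that will not receive Elisity-learned addresses until a rule uses it.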


Mapping Policy Groups to DAGs

Once your Palo Alto Networks Firewalls are onboarded, you can configure and manage how Policy Groups (PGs) in the Elisity platform are mapped to Dynamic Address Groups (DAGs) on the firewall. This mapping ensures that the segmentation data in Elisity directly informs the firewall's policies, enabling automated and dynamic security enforcement.


Mapping Policy Groups

The Elisity platform provides a simple interface for mapping PGs to DAGs. This process involves the following steps:

1. Access Policy Group Mapping

Navigate to the Firewall Settings in the CCC interface. Select the onboarded firewall where you want to configure mappings.

2. Choose Policy Groups

In the mapping section, select the Policy Groups to be sent to the firewall:

  • Select All PGs: Automatically maps all Policy Groups in the Elisity platform to DAGs on the firewall.
  • Multi-Select Specific PGs: Choose one or more PGs for targeted DAG mapping.
The interface will display the total number of devices and IP addresses included in the selected Policy Groups. This count helps prevent exceeding firewall resource limits.
Empty PGs, if mapped, will be sent to the firewall to allow for policy to be created without any devices online, if required.

3. Review and Commit

Once the desired Policy Groups are selected, click Assign to initiate the mapping. The Elisity platform will normalize Policy Group names to align with Palo Alto Networks naming conventions. Changes will be pushed to the firewall, and a commit operation will be performed. Notifications will indicate whether the operation was successful or if there were any errors.


Dynamic Updates

The integration automatically updates DAGs when changes occur in the corresponding Policy Groups. For example:

  • Adding Devices to a PG: New devices added to a Policy Group in Elisity are dynamically included in the DAG on the firewall.
  • Removing Devices from a PG: Devices removed from a Policy Group are removed from the DAG, ensuring policies remain up-to-date.


Guardrails for Safe Operations

Commit Restrictions: The Elisity platform performs partial commits on the firewall, scoped to the changes initiated by the integration. This approach minimizes impact on unrelated configurations.

Policy Dependency Warnings: If a DAG is being used in a firewall policy and you attempt to remove its mapping, the Elisity platform will log the conflict and prevent the DAG from being deleted until the dependency is addressed.

Address Count Visualization: Before committing changes, the platform displays the total number of devices/IPs in the selected Policy Groups. This guardrail ensures you can avoid exceeding the capacity of your firewall’s DAG state table.


Managing Changes

These are the behaviors to expect in Cloud Control Center when updating or modifying Policy Group mappings.

Adding New PGs: Select and assign the new PGs using the same workflow. The platform will push the changes and update the firewall DAGs accordingly.

Removing PGs: De-select the PGs to be removed. The platform will:

  1. Attempt to delete the DAG from the firewall.
  2. Log a warning if the DAG is in use by an active policy.

Renaming PGs: Changes to PG names are automatically normalized and reflected in the firewall DAGs without manual intervention. A new DAG will be added to the firewall, and Elisity will attempt to remove the DAG with the old name.


Best Practices

To maximize the benefits of integrating Palo Alto Networks Firewalls with Elisity and ensure smooth operation, follow these best practices for configuration, monitoring, and ongoing management.

Configuration Recommendations

Use Dedicated VE Groups for Firewall Integration: Configure a VE group specifically for managing communication with the firewalls. Limit the group to a maximum of two VEs to minimize API resource contention and ensure redundancy.

Optimize Policy Group Selection: Review and refine Policy Groups to ensure they align with your security goals. Avoid selecting excessive or unnecessary PGs to prevent overloading the firewall’s DAG capacity.

Regularly Review Resource Limits: Be mindful of the firewall’s limitations, such as the maximum number of DAG entries and API session constraints. Use the address count visualization in the CCC interface to monitor the number of devices being sent to DAGs.


Monitoring and Troubleshooting

Track Commit Logs: Use the CCC interface to review commit logs for success or failure notifications. Investigate any failed commits to identify and resolve potential issues promptly.

Monitor Connectivity: Ensure consistent communication between the VE nodes and the firewall. Periodically validate HTTPS access to the firewall’s management interface from the VEs.

Test Policy Effectiveness: Perform regular tests to confirm that DAG updates are reflected accurately in firewall policies. Validate that segmentation changes in Elisity trigger corresponding updates to the DAGs.


Integrating Palo Alto Networks Firewalls with Elisity’s segmentation platform simplifies firewall management, aligns policies with real-time segmentation, and enhances security across the network. By dynamically mapping Policy Groups to DAGs, this solution automates updates and reduces operational complexity, ensuring that your security policies stay current with minimal manual intervention.
