Palo Alto Networks Panorama Integration - Policy Group Derived Dynamic Address Groups (DAG)

Dynamic Address Groups (DAGs) are essential for Palo Alto Networks policy management, allowing firewall rules to dynamically adapt to changes in network conditions. Elisity's integration now supports Panorama, providing centralized management of DAGs across multiple Palo Alto Networks firewalls.


Key Benefits of Panorama Integration

  • Centralized Security Management: Instead of configuring individual firewalls, Panorama acts as a single control plane, ensuring consistency.
  • Automated Security Updates: DAGs dynamically update based on Policy Groups (PGs) defined in the Elisity platform.
  • Scalability & Efficiency: Synchronization to all firewalls from Panorama eliminates manual configuration effort.


Integration Workflow

  1. Policy Groups in Elisity: Devices, users, and endpoints are assigned to PGs based on identity and behavior.
  2. Mapping to DAGs: PGs are converted into DAGs and published to Panorama.
  3. Panorama Polling for Device Groups: Instead of pushing DAGs directly to a predefined Shared Device Group, Elisity queries Panorama for all Device Groups under 'Shared'.
  4. DAG Synchronization: Retrieved Device Groups are updated with DAG entries to ensure all managed firewalls receive the correct data.
  5. Tag Distribution: DAGs require IP-TAG redistribution for their values to be recognized and applied on managed firewalls.
  6. Firewall Policy Enforcement: DAGs in Panorama are referenced in security policies for automated enforcement.


Prerequisites

Before proceeding, ensure the following prerequisites are handled:

  • Panorama Configuration
    • Enable DAGs within Panorama.
      Note: Panorama HA is not currently supported.
    • Ensure Panorama is configured to manage the intended firewalls.
    • Configure User-ID Redistribution to allow tag propagation to firewalls.
  • Firewall Configuration
    • DAGs will not show any entries under Objects -> Address Groups until they are referenced in a Security Policy.
    • Verify IP-Tag Redistribution settings to enable DAG updates.

  • API Access & Credentials
    • Dedicated Panorama admin user with API permissions.
    • Generate an API key for Elisity integration.

Creating Dedicated User Credentials

Create a unique user account on the firewall for Elisity’s Virtual Edge (VE) nodes to use for API communication.

The account should have:
  • Superuser permissions: Required for full API functionality.
  • XML API access: To allow DAG updates and configuration commits.

Avoid sharing credentials with other services or administrators to maintain security and reduce conflicts.

Management Profile Setup

Configure the firewall’s management interface to allow HTTPS communication from the VE IPs. Ensure the appropriate IP addresses for the VE nodes are whitelisted under the firewall’s permitted IP settings.

Generate an API Key

Use the dedicated user credentials to generate an API key. This key will authenticate the Elisity platform’s requests to the firewall.
API key generation can be done via the Palo Alto Networks CLI or web interface.
Using the username and password of the account the VEs will use, log into the firewall and retrieve the API key with the following URL, replacing the placeholders with your values:
  • Firewall IP Address
  • Username (shown in example as veusername)
  • Password (shown in example as vepassword)
https://<FIREWALL_IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>

Example:
https://192.168.1.1/api/?type=keygen&user=veusername&password=vepassword
If correct, you should see something similar to the following:
<response status="success">
  <result>
    <key>
    LUFRPT1LSXduVStJanRobnU5eVl2K3c1TFNhZEFZSUE9aFVmWTRZRXBiMUxlMmpiRGxrb1BxT2VGcTY5aGxYOS8rWnZDMlVLMVArRFpMTERuRnlKYlI4eU4zUElheDRLVw==
    </key>
  </result>
</response>
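The following is an added example, not code from the Elisity article or from Palo Alto Networks: it builds the keygen request against the standard /api/?type=keygen endpoint, parses the success response shown above and the error form Panorama returns on bad credentials, and performs the call with certificate verification. The host, username, password and both sample responses are constructed placeholders. The credentials are sent in a POST body rather than in the query string of the URL above, so they do not end up in browser history, proxy or web-server access logs.

```python
"""Added example (not part of the Elisity article): request a PAN-OS XML API
key and parse the keygen response. Host/user/password are placeholders."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


class KeygenError(Exception):
    """Raised when Panorama returns status='error' or an unexpected document."""


def build_keygen_request(host, user, password):
    """Return (url, form_body) for the keygen call.

    The same user/password parameters the article places in the GET URL are
    sent form-encoded in the POST body, keeping the password out of URLs
    that get logged along the path.
    """
    if not host or "/" in host:
        raise ValueError("host must be a bare hostname or IP address")
    url = f"https://{host}/api/?type=keygen"
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    return url, body


def parse_keygen_response(xml_text):
    """Extract the API key from a keygen response; raise KeygenError otherwise."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise KeygenError(f"response is not XML: {exc}") from exc
    if root.tag != "response":
        raise KeygenError(f"unexpected root element <{root.tag}>")
    status = root.get("status")
    if status != "success":
        msg = root.findtext("./result/msg") or root.findtext("./msg") or "no message"
        code = root.get("code")
        raise KeygenError(f"keygen failed (status={status}, code={code}): {msg}")
    # The key may be wrapped on its own lines, as in the article's sample.
    key = (root.findtext("./result/key") or "").strip()
    if not key:
        raise KeygenError("success response without a <key> element")
    return key


def fetch_api_key(host, user, password, cafile=None):
    """Perform the keygen call over verified TLS and return the key.

    Network call; the offline test below exercises only the helpers above.
    `cafile` should point at the CA that issued the Panorama certificate so
    verification is not disabled to get past a private PKI.
    """
    url, body = build_keygen_request(host, user, password)
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_keygen_response(resp.read().decode())


# Constructed sample responses; the key value is made up, not a real key.
SUCCESS_XML = (
    '<response status="success"><result><key>\n'
    "EXAMPLE-KEY-NOT-REAL==\n"
    "</key></result></response>"
)
ERROR_XML = (
    '<response status="error" code="403">'
    "<result><msg>Invalid Credential</msg></result></response>"
)

if __name__ == "__main__":
    print("parsed key:", parse_keygen_response(SUCCESS_XML))
    try:
        parse_keygen_response(ERROR_XML)
    except KeygenError as err:
        print("handled:", err)
```

Store the returned key the way you would any other secret (it carries Superuser rights on Panorama), and rotate it by regenerating it if the VE credentials are ever changed.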


Onboarding Panorama in Cloud Control Center (CCC)

Step 1: Create a Firewall Integration VE Group

Navigate to Virtual Edges and create a VE group dedicated for Panorama integration.

See our Virtual Edge Groups and Virtual Edge Deployment articles for steps on how to create VE Groups and Virtual Edges.

Step 2: Deploy Panorama as a Virtual Edge Node

  1. Add a Virtual Edge Node to the previously created Virtual Edge Group using the Virtual Edge Node Wizard.
  2. Select the Firewall Integration workflow in CCC. Choose Panorama for the integration type.
  3. Provide the following information for each firewall:

    • Firewall IP Address: Enter the management IP of the firewall.
    • Username: Enter the username of the superadmin account that will be used on the firewall.
    • API Key*: Paste the API key generated using the dedicated firewall user credentials.
    • Description (optional): Provide a few words as a description to help identify the VEN.

    * Generating the API key can be performed by following Palo Alto Networks documentation or by using the following URL:

    https://<FIREWALL_IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>

    Replace <FIREWALL_IP>, <USERNAME>, and <PASSWORD> with the appropriate values.

    You will be redirected to a web page showing the API Key, which you can copy and paste into CCC.

Note: The prerequisites section shows how to find the API Key for Panorama, as well as the requirements for the Admin Account.


Assigning Policy Groups as DAGs in Cloud Control Center

Elisity's integration with Panorama polls Panorama for Device Groups and allows Administrators in Cloud Control Center to selectively distribute Policy Groups to Device Groups in Panorama. Each Device Group in Panorama can have an independent collection of Policy Group mappings, enabling flexible and precise control of how DAGs are populated. The process is as follows:

Elisity Polls Panorama for Device Groups

  • CCC retrieves all Device Groups under 'Shared' from Panorama.
  • These device groups are populated in Cloud Control Center in the details view of the Panorama VEN.

Add Policy Groups to be mapped to DAGs

  • By default, no Policy Groups are sent. You must select which PGs you want to publish as DAGs within each Device Group by selecting the group on the left hand side and clicking + Add POLICY GROUPS in the top right.


The Device Group Mapping menu allows you to specify which Policy Groups will be mapped as Dynamic Address Groups for each Device Group in Panorama.

The interface will display the total number of IP addresses being pushed for each Policy Group mapping. After assigning Policy Groups to Device Groups in Panorama, the total number of mapped PGs will appear next to each Device Group (1).

Note: Be sure not to exceed the limitations of the platform where you are pushing entries (e.g. 5000 entries for select Palo Alto Networks Firewalls).

Click Save Changes to confirm. You can then check the Dynamic Address Groups in Panorama for each Device Group and see the Elisity-programmed DAG has been populated. 

The naming for each DAG pushed from Cloud Control Center is standardized as:
Elisity_<PG_ID>_policy_group_name
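An added example, not code from Elisity or Palo Alto Networks, that applies the two points above before Save Changes is clicked: it derives the DAG name for each Policy Group using the Elisity_<PG_ID>_policy_group_name convention and totals the entries that would be pushed to each Device Group against the entry limit of the target firewalls. The Policy Group data and the per-firewall limit are constructed; the example assumes, conservatively, that every address in every mapped Policy Group counts as one entry on the Device Group's firewalls, and that the 5000 figure from the note above is the limit to check against.

```python
"""Added example (not part of the Elisity article): pre-check Policy Group ->
DAG mappings per Panorama Device Group. Sample data is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_network

# Figure cited in the article's note for select PAN firewalls; adjust per platform.
DEFAULT_ENTRY_LIMIT = 5000


@dataclass
class PolicyGroup:
    pg_id: int
    name: str
    addresses: list  # IPs or prefixes currently members of the PG

    def dag_name(self):
        # Naming convention stated in the article.
        return f"Elisity_{self.pg_id}_{self.name}"

    def entry_count(self):
        # Assumption: one pushed entry per listed address or prefix.
        return len(self.addresses)


@dataclass
class DeviceGroupPlan:
    device_group: str
    dags: dict = field(default_factory=dict)  # DAG name -> entry count
    total_entries: int = 0
    limit: int = DEFAULT_ENTRY_LIMIT

    @property
    def over_limit(self):
        return self.total_entries > self.limit


def plan_device_group(device_group, policy_groups, limit=DEFAULT_ENTRY_LIMIT):
    """Build the mapping plan for one Device Group, validating every address."""
    plan = DeviceGroupPlan(device_group=device_group, limit=limit)
    for pg in policy_groups:
        for addr in pg.addresses:
            ip_network(addr, strict=False)  # ValueError on a malformed entry
        name = pg.dag_name()
        if name in plan.dags:
            raise ValueError(f"duplicate DAG name {name} in {device_group}")
        plan.dags[name] = pg.entry_count()
        plan.total_entries += pg.entry_count()
    return plan


def over_limit_groups(mappings, limit=DEFAULT_ENTRY_LIMIT):
    """Return the Device Groups whose mapped PGs exceed the entry limit.

    `mappings` is {device_group_name: [PolicyGroup, ...]}.
    """
    return sorted(
        dg for dg, pgs in mappings.items()
        if plan_device_group(dg, pgs, limit).over_limit
    )


# Constructed sample: two Device Groups with different PG selections.
CAMERAS = PolicyGroup(12, "Cameras", ["10.10.1.5", "10.10.1.6", "10.10.1.7"])
PRINTERS = PolicyGroup(7, "Printers", ["10.10.2.0/28", "10.10.3.20"])
SAMPLE_MAPPINGS = {
    "DG-Campus": [CAMERAS, PRINTERS],
    "DG-Branch": [PRINTERS],
}

if __name__ == "__main__":
    for dg, pgs in SAMPLE_MAPPINGS.items():
        plan = plan_device_group(dg, pgs)
        print(dg, plan.dags, "total:", plan.total_entries, "over:", plan.over_limit)
```

Run this against the live Policy Group membership counts CCC displays before committing; a Device Group flagged as over its limit is the one whose firewalls would silently drop entries after the push.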


Commit Configuration to Panorama

  1. Choose Commit to Panorama and Devices (Recommended Default).
  2. Monitor commit status logs in CCC to confirm success.
  3. Verify that DAGs appear under Objects > Address Groups in Panorama.


Final Configurations and Validation in Panorama

Configure User-ID Redistribution for DAG Tag Distribution

  1. Log in to Panorama and navigate to the User-ID Redistribution settings. Enable redistribution of User mappings to managed firewalls by opening the Management Interface Settings and checking the "User-ID" box under Network Services. Panorama then acts as a User-ID Redistribution Point, forwarding DAG tags to managed firewalls.
  2. Ensure that firewalls are configured to receive IP TAG mappings from Panorama by navigating to the Data Redistribution settings and confirming that the IP TAGs box is checked for each relevant firewall.


  3. Verify DAG tags appear on managed firewalls.


Managing Changes to Policy Group Derived Dynamic Address Groups

Adding New PGs

  • Automatically pushed to Panorama when added in Elisity.
  • Commit required in Panorama to apply.

Removing PGs

  • If PG is still referenced in policies, it will not be deleted from Panorama.
  • Administrators will receive a warning before deletion.

Best Practices

  • Use dedicated Virtual Edges (VEs) for Panorama to avoid exceeding API session limits.
  • Ensure IP-Tag Redistribution is Enabled. Without it, DAG tags will not propagate.
  • Review Resource Limits: Panorama/firewall DAG capacities should be monitored.
  • Track Commit Logs: Regularly verify commit success/failure in Panorama.

The integration of Elisity with Panorama simplifies firewall management, providing centralized control of DAGs across multiple firewalls. By leveraging Policy Groups, organizations can dynamically enforce segmentation policies across the enterprise while ensuring security consistency and automation.
