Dynamic Address Groups (DAGs) are essential for Palo Alto Networks policy management, allowing firewall rules to dynamically adapt to changes in network conditions. Elisity's integration now supports Panorama, providing centralized management of DAGs across multiple Palo Alto Networks firewalls.
Key Benefits of Panorama Integration
- Centralized Security Management: Instead of configuring individual firewalls, Panorama acts as a single control plane, ensuring consistency.
- Automated Security Updates: DAGs dynamically update based on Policy Groups (PGs) defined in the Elisity platform.
- Scalability & Efficiency: Synchronization to all firewalls from Panorama eliminates manual configuration effort.
- High Availability Support: Panorama HA mode is supported, with automatic switchover of DAG synchronization to the active peer.
Integration Workflow
- Policy Groups in Elisity: Devices, users, and endpoints are assigned to PGs based on identity and behavior.
- Mapping to DAGs: PGs are converted into DAGs and published to Panorama.
- Panorama Polling for Device Groups: Instead of pushing DAGs directly to a predefined Shared Device Group, Elisity queries Panorama for all Device Groups under 'Shared'.
- DAG Synchronization: Retrieved Device Groups are updated with DAG entries to ensure all managed firewalls receive the correct data.
- Tag Distribution: DAGs require IP-TAG redistribution for their values to be recognized and applied on managed firewalls.
- Firewall Policy Enforcement: DAGs in Panorama are referenced in security policies for automated enforcement.
Prerequisites
Before proceeding, ensure the following prerequisites are handled:
Panorama Configuration
- Enable DAGs within Panorama.
- Ensure Panorama is configured to manage the intended firewalls.
- Configure User-ID Redistribution to allow tag propagation to firewalls.
- For security rule visibility, Elisity requires a common username (matching the username used to onboard the Panorama VEN) to be created in Panorama and pushed to the managed firewalls.
- Firewalls that use a different username or API key from the one used to manage Panorama are not supported.
Firewall Configuration
- DAGs will not show any entries under Objects -> Address Groups until they are referenced in a Security Policy.
- Verify IP-Tag Redistribution settings to enable DAG updates.
API Access & Credentials
- Dedicated Panorama admin user with API permissions.
- Generate an API key for the Elisity integration.
- For security rule visibility, the common username/password (matching the username used to onboard the Panorama VEN) must be pushed to the firewalls through Panorama's device groups; see Panorama Configuration above.
Creating Dedicated User Credentials
Create a unique user account on the firewall (or on Panorama, for the Panorama integration) for Elisity's Virtual Edge (VE) nodes to use for API communication.
The account should have:
- Superuser permissions: Required for full API functionality. Because this role is unrestricted, compensate by limiting the management interface to the VE IPs (see Management Profile Setup below).
- XML API access: To allow DAG updates and configuration commits.
Avoid sharing these credentials with other services or administrators, both to limit exposure of an unrestricted account and to avoid conflicting changes.
Management Profile Setup
Configure the firewall's management interface to allow HTTPS communication from the VE IPs. Ensure the IP addresses of the VE nodes are added to the firewall's permitted IP list for the management interface.
Generate an API Key
To generate the key you need:
- Firewall IP Address
- Username (shown in the example as veusername)
- Password (shown in the example as vepassword)
https://<FIREWALL_IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>
Note that this form sends the password in the URL query string, where browser history, proxies and web-server access logs may record it; sending the same parameters in the body of an HTTPS POST avoids that. Treat the returned key like a password: it grants the full access of the (superuser) account it was generated for.
example:
https://192.168.1.1/api/?type=keygen&user=veusername&password=vepassword
<response status="success">
<result>
<key>
LUFRPT1LSXduVStJanRobnU5eVl2K3c1TFNhZEFZSUE9aFVmWTRZRXBiMUxlMmpiRGxrb1BxT2VGcTY5aGxYOS8rWnZDMlVLMVArRFpMTERuRnlKYlI4eU4zUElheDRLVw==
</key>
</result>
</response>
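The following script is an added example, not Elisity's or Palo Alto Networks' own code. It generates the key with an HTTPS POST so the password stays out of the URL, and it parses the keygen response shown above; the success sample below is the article's own response, while the error sample is constructed to mirror the PAN-OS error format (status="error" with a result/msg element). The host, username and password values are placeholders.

```python
"""Generate a PAN-OS / Panorama XML API key with a POST request.

Added example; not Elisity's or Palo Alto Networks' own code. Assumes a
reachable management interface and the dedicated API account described
above. No network call is made unless request_api_key() is invoked.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


class KeygenError(RuntimeError):
    """Raised when the keygen call does not return status="success"."""


def parse_keygen_response(xml_text: str) -> str:
    """Extract the API key from a PAN-OS keygen response.

    Raises KeygenError if the response status is not "success" or no
    <key> element is present (e.g. an "Invalid Credentials." error).
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext("./result/msg") or root.findtext("./msg") or "unknown error"
        raise KeygenError(f"keygen failed (status={root.get('status')!r}): {msg}")
    key = root.findtext("./result/key")
    if not key or not key.strip():
        raise KeygenError("keygen response contained no <key> element")
    return key.strip()  # the sample response wraps the key in newlines


def request_api_key(host: str, user: str, password: str, *, verify_tls: bool = True) -> str:
    """POST to /api/ with type=keygen so the password travels in the body.

    The GET form shown in the article works as well, but its query string
    (and therefore the password) can end up in browser history, proxies
    and web-server access logs.
    """
    url = f"https://{host}/api/"
    body = urllib.parse.urlencode(
        {"type": "keygen", "user": user, "password": password}
    ).encode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab devices with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_keygen_response(resp.read().decode())


# Success sample: the response shown in the article. Error sample: constructed
# to mirror the PAN-OS error format.
SAMPLE_SUCCESS = """<response status="success">
<result>
<key>
LUFRPT1LSXduVStJanRobnU5eVl2K3c1TFNhZEFZSUE9aFVmWTRZRXBiMUxlMmpiRGxrb1BxT2VGcTY5aGxYOS8rWnZDMlVLMVArRFpMTERuRnlKYlI4eU4zUElheDRLVw==
</key>
</result>
</response>"""

SAMPLE_ERROR = """<response status="error" code="403">
<result><msg>Invalid Credentials.</msg></result>
</response>"""


if __name__ == "__main__":
    print("key prefix:", parse_keygen_response(SAMPLE_SUCCESS)[:12] + "...")
    try:
        parse_keygen_response(SAMPLE_ERROR)
    except KeygenError as exc:
        print("error handled:", exc)
    # Live call against a real device (placeholder values):
    # print(request_api_key("192.168.1.1", "veusername", "vepassword"))
```

Store the returned key with the same care as the password: anyone holding it has the account's full API access until the key is revoked or the account's password is changed.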
Onboarding Panorama in Cloud Control Center (CCC)
Step 1: Create a Firewall Integration VE Group
Navigate to Virtual Edges and create a VE group dedicated for Panorama integration.
See our Virtual Edge Groups and Virtual Edge Deployment articles for steps on how to create VE Groups and Virtual Edges.
Step 2: Deploy Panorama as a Virtual Edge Node
- Add a Virtual Edge Node to the previously created Virtual Edge Group using the Virtual Edge Node Wizard.
- Select the Firewall Integration workflow in CCC. Choose Panorama for the integration type.
- If using Panorama High Availability (HA) mode, select the High Availability toggle.
- Provide the following information for the Panorama instance:
- Firewall IP Address: Enter the management IP of the Panorama instance, or the Primary and Backup IP addresses of Panorama if using High Availability mode.
- Username: Enter the username of the superuser account created for the integration.
- API Key*: Paste the API key generated using the dedicated firewall user credentials.
- Description (optional): Provide a few words as a description to help identify the VEN.
* Generating the API key can be performed by following Palo Alto Networks documentation or by using the following URL:
https://<FIREWALL_IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>
Replace <FIREWALL_IP>, <USERNAME>, and <PASSWORD> with the appropriate values.
You will be redirected to a web page showing the API Key, which you can copy and paste into the wizard.
Note: The prerequisites section shows how to find the API Key for Panorama, as well as the requirements for the Admin Account.
- Review your configurations in the Summary page and click Finish.
You will see a prompt that the Virtual Edge Node was successfully added. You can now proceed to adding Policy Group Mappings (covered in the next section).
After successfully onboarding your Panorama instance, you can see the status of the deployment in the Virtual Edge Node details view. Note that the currently active Panorama instance is indicated by a green dot.
Assigning Policy Groups as DAGs in Cloud Control Center
Elisity's integration with Panorama polls Panorama for Device Groups and allows Administrators in Cloud Control Center to selectively distribute Policy Groups to Device Groups in Panorama. Each Device Group in Panorama can have an independent collection of Policy Group mappings, enabling flexible and precise control of how DAGs are populated. The process is as follows:
Elisity Polls Panorama for Device Groups
- CCC retrieves all Device Groups under 'Shared' from Panorama.
- These device groups are populated in Cloud Control Center in the details view of the Panorama VEN.
Add Policy Groups to be mapped to DAGs
- By default, no Policy Groups are sent. You must select which PGs you want to publish as DAGs within each Device Group by selecting the group on the left hand side and clicking + Add POLICY GROUPS in the top right.
The Device Group Mapping menu allows you to specify which Policy Groups will be mapped as Dynamic Address Groups for each Device Group in Panorama.
The interface will display the total number of IP addresses being pushed for each Policy Group mapping. After assigning Policy Groups to Device Groups in Panorama, the total number of mapped PGs will appear next to each Device Group.
Click Save Changes to confirm. You can then check the Dynamic Address Groups in Panorama for each Device Group and see the Elisity-programmed DAG has been populated.
The naming for each DAG pushed from Cloud Control Center is standardized as:
Elisity_<PG_ID>_<policy_group_name>
where <PG_ID> is the Policy Group's identifier in Cloud Control Center and <policy_group_name> is its name.
Commit Configuration to Panorama
- Choose Commit to Panorama and Devices (Recommended Default).
- Monitor commit status logs in CCC to confirm success.
- Verify that DAGs appear under Objects > Address Groups in Panorama.
Final Configurations and Validation in Panorama
Configure User-ID Redistribution for DAG Tag Distribution
- Log in to Panorama and enable User-ID redistribution: under the Management Interface Settings, check the "User-ID" box in the Network Services settings. Panorama then acts as a User-ID Redistribution Point, forwarding DAG tags (IP-tag mappings) to managed firewalls.
- Ensure that the firewalls are configured to receive IP-tag mappings from Panorama: in the Data Redistribution settings, verify that the IP Tags box is checked for each relevant firewall.
- Verify that the DAG tags appear on the managed firewalls (for example, with show object registered-ip all on a firewall's CLI).
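The following is an added example, not Elisity's or Palo Alto Networks' own code. It ties together the naming convention from the previous section and the IP-tag verification step above: it builds the standardized DAG name, emits the PAN-OS XML API user-id message that registers (or unregisters) IP-to-tag mappings, and parses the firewall's registered-ip output to confirm that a DAG's tag has propagated. Two things are assumptions: that each IP is tagged with the DAG name itself (the article does not state which tag values Elisity registers), and the 63-character PAN-OS object-name limit used for the length check. The registered-ip response is a constructed sample modeled on the PAN-OS op command output.

```python
"""Elisity-style DAG names, PAN-OS IP-tag registration, and propagation check.

Added example; not Elisity's or Palo Alto Networks' own code. Assumes
(hypothetically) that each IP is tagged with the DAG name; the XML shapes
are the PAN-OS XML API user-id (type=user-id) and op (type=op) formats.
"""
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MAX_OBJECT_NAME = 63  # assumed PAN-OS object-name length limit


def dag_name(pg_id, pg_name: str) -> str:
    """Standardized name Elisity_<PG_ID>_<policy_group_name>, length-checked."""
    name = f"Elisity_{pg_id}_{pg_name}"
    if len(name) > MAX_OBJECT_NAME:
        raise ValueError(f"DAG name exceeds {MAX_OBJECT_NAME} characters: {name}")
    return name


def build_uid_message(register: Dict[str, List[str]],
                      unregister: Optional[Dict[str, List[str]]] = None) -> str:
    """Return the <uid-message> body for a type=user-id API call.

    register / unregister map an IP address to the tags to add / remove.
    Sent as POST https://<host>/api/ with type=user-id&key=<KEY>&cmd=<XML>.
    """
    def entries(mapping: Dict[str, List[str]]) -> str:
        out = []
        for ip, tags in sorted(mapping.items()):
            members = "".join(f"<member>{escape(t)}</member>" for t in tags)
            out.append(f'<entry ip="{escape(ip)}"><tag>{members}</tag></entry>')
        return "".join(out)

    payload = f"<register>{entries(register)}</register>"
    if unregister:
        payload += f"<unregister>{entries(unregister)}</unregister>"
    return ("<uid-message><version>2.0</version><type>update</type>"
            f"<payload>{payload}</payload></uid-message>")


# op command (type=op&cmd=...) equivalent to 'show object registered-ip all'
REGISTERED_IP_CMD = "<show><object><registered-ip><all/></registered-ip></object></show>"


def parse_registered_ip(xml_text: str) -> Dict[str, List[str]]:
    """Map each registered IP to its tag list from the op command response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("op command failed: " + (root.findtext(".//msg") or "unknown"))
    result: Dict[str, List[str]] = {}
    for entry in root.findall("./result/entry"):
        result[entry.get("ip")] = [m.text.strip() for m in entry.findall("./tag/member") if m.text]
    return result


def check_dag_populated(registered: Dict[str, List[str]], dag: str) -> List[str]:
    """IPs carrying the DAG's tag on the firewall; an empty list means the tag
    has not been redistributed (check IP-tag redistribution settings)."""
    return sorted(ip for ip, tags in registered.items() if dag in tags)


# Constructed sample response, modeled on the PAN-OS registered-ip output.
SAMPLE_REGISTERED_IP = """<response status="success"><result>
<entry ip="10.20.30.41" from="panorama"><tag><member>Elisity_17_Cameras</member></tag></entry>
<entry ip="10.20.30.42" from="panorama"><tag><member>Elisity_17_Cameras</member></tag></entry>
<entry ip="10.20.31.7" from="panorama"><tag><member>Elisity_22_Badge_Readers</member></tag></entry>
<count>3</count>
</result></response>"""


if __name__ == "__main__":
    dag = dag_name(17, "Cameras")
    print(build_uid_message({"10.20.30.41": [dag], "10.20.30.42": [dag]}))
    print("populated:", check_dag_populated(parse_registered_ip(SAMPLE_REGISTERED_IP), dag))
```

The unregister branch matters for the removal case described later: when a Policy Group is removed, the IPs lose their tag, but the DAG object itself stays in Panorama as long as a security rule still references it.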
Managing Changes to Policy Group Derived Dynamic Address Groups
Adding New PGs
- Automatically pushed to Panorama when added in Elisity.
- Commit required in Panorama to apply.
Removing PGs
- If PG is still referenced in policies, it will not be deleted from Panorama.
- Administrators will receive a warning before deletion.
Best Practices
- Use dedicated Virtual Edges (VEs) for Panorama to avoid exceeding API session limits.
- Ensure IP-Tag Redistribution is Enabled. Without it, DAG tags will not propagate.
- Review Resource Limits: Panorama/firewall DAG capacities should be monitored.
- Track Commit Logs: Regularly verify commit success/failure in Panorama.
Policy Group Usage Visibility in Palo Alto Security Rules
When Policy Groups are published to Palo Alto Networks firewalls as Dynamic Address Groups (DAGs), their usage within firewall security rules can be viewed directly from the associated Virtual Edge Node (VEN) in Cloud Control Center.
For direct firewall integrations, the left panel displays the Policy Groups assigned to the VEN. The security rules table lists all rules on the associated firewall that reference those DAGs. Each row includes a timestamp indicating when the rules were last retrieved. Rules no longer present on the firewall are automatically removed during the next update cycle.
In Panorama-managed environments, Policy Groups are shown grouped under their assigned Device Groups. The corresponding firewalls and their security rules are displayed per device group. Rules that reference multiple DAGs (e.g., in both source and destination fields) are displayed under each relevant Policy Group for clarity. The left panel supports expandable views per device group, and all columns in the rules table support standard filtering, global search, and list-style expansion for multi-value fields.
Firewall rules are refreshed at a configurable interval, and the most recent update time is shown in the "Last Update" column. This ensures administrators have a current view of how identity-driven segmentation policies are enforced within the firewall infrastructure.
Note: Visibility from the VEN view is currently supported. Viewing policy group usage across all firewalls from the Policy Group details page is not yet available.