What’s Palo Alto Auto Tagging?
Auto-tagging in Palo Alto Networks firewalls is an advanced feature that lets the firewall automatically assign tags to IP addresses or objects based on security events or conditions, without any manual input. These tags can then be used to enforce security policies dynamically.
In simpler terms, this feature makes it easy to gather any external source IPs linked to malicious activity into a Dynamic Address Group (DAG), based on the security events you select.
Here is an example:
I created an automated tag that lets me ban any IP that scans or attempts to exploit vulnerabilities in my server or any services I run on the Internet. I’ve configured the threat section of my log forwarding profile as follows.
If the severity is Critical, tag it.
If the severity is High, tag it.
If the severity is Medium, tag it.
Explanation of the image above.
Three malicious users attempt different attacks against the web server.
The firewall inspects the traffic, recognizes the attackers’ signatures, and triggers an event.
The source IP is seen in the traffic logs.
In the threat logs, the events appear with severities Critical, High, and Medium.
Under the log forwarding profile, there’s a built-in action with a tag named “threat”.
A dynamic address group is configured to match on that tag name.
A security policy is created to deny any source coming from the DAG to any destination.
Now the DAG holds the list of banned addresses.
Here is an illustration (screenshots from the firewall):
Event Logs (threat log entries with severities Critical and High)
Security Policy (the deny rule sourced from the DAG)
Offenders’ IPs (the beauty): the list of offenders’ IPs in the DAG.
How Auto-Tagging Works:
A trigger event happens, such as the detection of a threat.
The firewall or Panorama automatically assigns a predefined tag.
That tag is added to a dynamic address group (DAG).
The DAG is used in a security policy to allow, block, or quarantine traffic related to the tagged IP.
The tag can be automatically removed after a specified time (timeout).
The setup can be extended well beyond this basic example.
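To make the pipeline from the two lists above concrete (threat log matched by the log forwarding profile, tag registered with a timeout, DAG membership evaluated, deny policy applied), here is an added Python example. It is not code from the post or from Palo Alto Networks; it models the flow offline on constructed sample threat-log records. The XML it builds is the PAN-OS User-ID API “register” message that a log forwarding profile’s built-in tagging action sends; the 3600-second timeout, the sample IPs and the placeholder API key are assumptions for illustration.

```python
"""Offline model of Palo Alto auto-tagging: threat log -> tag -> DAG -> deny."""
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

# The three rules from the post: Critical, High and Medium severity get tagged.
TAGGED_SEVERITIES = {"critical", "high", "medium"}
# Equivalent PAN-OS log filter expression for the match list (for reference).
MATCH_FILTER = "(severity eq critical) or (severity eq high) or (severity eq medium)"
TAG_NAME = "threat"            # tag name used in the post
TAG_TIMEOUT_SECONDS = 3600     # assumed timeout; the post only says a timeout can be set

# Constructed sample threat-log records (not real firewall output).
SAMPLE_THREAT_LOGS = [
    {"src": "198.51.100.10", "severity": "critical", "threat": "sample exploit attempt"},
    {"src": "198.51.100.11", "severity": "high", "threat": "sample scanner"},
    {"src": "198.51.100.12", "severity": "medium", "threat": "sample probe"},
    {"src": "203.0.113.5", "severity": "low", "threat": "sample low-severity event"},
    {"src": "203.0.113.6", "severity": "informational", "threat": "sample info event"},
]


def matches_profile(record):
    """True when the log forwarding profile's match list would fire for this record."""
    return record["severity"].lower() in TAGGED_SEVERITIES


def select_offenders(records):
    """Distinct source IPs whose threat events match the profile."""
    return sorted({r["src"] for r in records if matches_profile(r)})


def build_register_message(ips, tag=TAG_NAME, timeout=TAG_TIMEOUT_SECONDS):
    """Build the User-ID XML that registers `tag` on each IP with a timeout."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip in ips:
        entry = ET.SubElement(register, "entry", ip=ip)
        member = ET.SubElement(ET.SubElement(entry, "tag"), "member", timeout=str(timeout))
        member.text = tag
    return ET.tostring(root, encoding="unicode")


def build_api_query(xml_message, api_key="API_KEY_PLACEHOLDER"):
    """Query string for https://<firewall>/api/ (not sent here; placeholder key)."""
    return urlencode({"type": "user-id", "key": api_key, "cmd": xml_message})


class DynamicAddressGroup:
    """In-memory model of a DAG whose match criterion is a single tag."""

    def __init__(self, match_tag):
        self.match_tag = match_tag
        self._tags = {}  # ip -> {tag_name: expiry_epoch or None (no timeout)}

    def apply_register(self, xml_message, now):
        """Apply a User-ID register message; timeout 0 means the tag never expires."""
        root = ET.fromstring(xml_message)
        for entry in root.iter("entry"):
            ip = entry.get("ip")
            for member in entry.iter("member"):
                timeout = int(member.get("timeout", "0"))
                self._tags.setdefault(ip, {})[member.text] = now + timeout if timeout else None

    def members(self, now):
        """IPs currently carrying the match tag (expired tags are dropped)."""
        out = []
        for ip, tags in self._tags.items():
            if self.match_tag not in tags:
                continue
            expiry = tags[self.match_tag]
            if expiry is None or expiry > now:
                out.append(ip)
        return sorted(out)


def policy_action(src_ip, dag, now):
    """The deny rule from the post: any source in the DAG to any destination is denied."""
    return "deny" if src_ip in dag.members(now) else "allow"


if __name__ == "__main__":
    offenders = select_offenders(SAMPLE_THREAT_LOGS)
    message = build_register_message(offenders)
    dag = DynamicAddressGroup(TAG_NAME)
    dag.apply_register(message, now=0)
    print("Offenders tagged:", offenders)
    print("DAG members now:", dag.members(now=0))
    print("DAG members after timeout:", dag.members(now=TAG_TIMEOUT_SECONDS))
```

The low and informational records never reach the tag, which is the false-positive lever the cons section below is talking about: whatever the match list selects is what ends up denied. The timeout handling shows why the tag-expiry step matters; without it the DAG only ever grows.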
Pros of Auto-Tagging
Dynamic Policy Enforcement: responds to events by updating security policy membership on the fly.
Reduces Manual Work: automatically tags IPs or users with no constant admin intervention.
Scales Well: it can be used in large environments.
Lastly, it enhances the zero-trust posture.
Cons of Auto-Tagging
Complexity in Setup: sadly, it is not easy to implement and requires well-thought-out policies.
Risk of False Positives: poorly configured log filters or thresholds may tag legitimate users or IPs.
Tag Sprawl: bad management hygiene could clutter the system.
Limited to IP-Based Tagging: Dynamic Address Groups are limited to tagged IP addresses.
I hope this information has been informative and helps you better understand how to strengthen your cybersecurity posture regarding Palo Alto Auto-Tagging.
Cheers,