Created On 09/25/18 17:36 PM - Last Updated 02/12/20 00:01 AM
Zone and DoS Protection
Color Coded Tags enables the categorization of many types of objects to be visually distinguishable. Administrators can easily determine if their policy was created correctly by scanning a policy and confirming that the color coding of their objects follows their desired scheme.
On the Device/Panorama GUI, navigate to the Objects tab. As shown below, the objects tree panel on the left side has a new tree node called "Tags" for color coded tags administration.
A tag objects has three fields: (Technically 4, but that 4th field is the location which will note if it is "Predefined")
NOTE: The Name cannot contain a comma (,) since it is used as a separation character when assigning tags.
The Color value of the tag object can be selected from a color palette of 41 predefined colors. The default value is "None," which is no color.
The selection of a color is not required when creating a tag.
The following objects in the Palo Alto Networks Device/Panorama can be used with the tag attribute:
Objects > Address
Objects > Address Groups
Objects > Services
Objects > Service Groups
Network > Zones *
* Note: Unlike the Address and Service objects, where you can edit/create the object and then select the predefined tag, with Zones this is not an option. You need to first create the zone and then use the selector for the Name field dropdown to select the name of the Zone this tag is for. Then, this tag will be associated with that Zone. This means that all zones must be defined first before a tag can be created for each one.
During the Add/Edit of any of the above objects the tags attribute can be specified, as shown below:
Tags can be selected from existing tags. Also, tag completion is case-insensitive. If the administrator adds a new tag, it is added as a tag object after hitting "ok". The user can select a tag as the "colored tag" for an object while in the object/rule editor. The "colored tag" is saved as the first tag after hitting "ok".
From policy tables, the user will see rule tags. Only the first tag in a rule may have color.
The following is an example of Security Rulebase with no color tags used:
The following is an example of a Security Rulebase with color tags used for Zones, Address and service fields:
Notice that the use of Color Tags makes the policy much easier to read and manage.
Tag name length is limited to 127 characters.
There are 41 colors only, cannot create custom colors.
Multiple tags can use same color.
If an item has multiple tags with different colors, then first tag color will be displayed. So, order matters.
Config will show in CLI as color# (1-41) (For example, set tag test1 color color4)
Panorama can push tag color configs. If conflicting with the existing tag on the firewall, then the device config should take priority.
Likewise, if there is a conflict between shared and VSYS specific object then VSYS takes precedence.
Configuration logs are generated for add/edit/delete of tag objects and setting of tags to other objects.
Feature Interaction with infrastructure components:
High-availability - Tag configuration will be synced, similar to the other object configurations
Virtual system - Tag administration and tag assignment can be done per VSYS
Panorama - Tag administration and tag assignment is available on Panorama
The specified objects and zones in Network templates will have configuration for tags. The tag configuration will be pushed to the device groups and devices along with the objects and device templates. If it is conflicting with an existing tag on the firewall, then the device config should take priority. In the Network template on Panorama zones can have tags specified, but no completion (drop down) is available. Users can only type tag names.
Tags can belong to VSYS or shared in a device and a device group, or shared in Panorama.