Palo Alto Networks Knowledgebase: How to Configure Color Coded Tags
How to Configure Color Coded Tags
Created On 02/07/19 23:54 PM - Last Updated 02/07/19 23:55 PM
Zone and DoS Protection
PAN-OS 6.0 and after
Color Coded Tags was introduced in PAN-OS 6.0 and enables the categorization of many types of objects to be visually distinguishable. Administrators can easily determine if their policy was created correctly by scanning a policy and confirming that the color coding of their objects follows their desired scheme.
On the Device/Panorama GUI, navigate to the Objects tab. As shown below, the objects tree panel on the left side has a new tree node called "Tags" for color coded tags administration.
A tag objects has three fields:
The Name cannot contain a comma (,) since it is used as a separation character when assigning tags.
The Color value of the tag object can be selected from a color palette of 16 predefined colors. The default value is "None," which is no color.
The selection of a color is not required when creating a tag.
The following objects in the Palo Alto Networks Device/Panorama can be used with the new tag attribute:
Objects > Address
Objects > Address Groups
Objects > Services
Objects > Service Groups
Network > Zones Note: When using Tags and Zones the drop down must be used instead of a generic name because the Tag is not selectable while editing the Zone.
Policies already have tags, but will be leveraged to use the new tag object. The above objects will all have a new tag column in their top level grid. Only the first tag in an object may have color.
During the Add/Edit of any of the above objects the tags attribute can be specified, as shown below:
Tags can be selected from existing tags. Also, tag completion is case-insensitive. If the administrator adds a new tag, it is added as a tag object after "ok." The user can select a tag as the "colored tag" for an object while in the object/rule editor. The "colored tag" is saved as the first tag after "ok."
From policy tables, the user will see rule tags. Only the first tag in a rule may have color.
The following is an example of Security Rulebase with no color tags used:
The following is an example of a Security Rulebase with color tags used for Zones and inside of the objects:
Notice that the use of Color Tags makes the policy much easier to read.
Tag name length is limited to 127 characters.
There are 16 colors only, cannot create custom colors.
Multiple tags can use same color.
If an item has multiple tags with different colors, then first tag color will be displayed. So, order matters.
Config will show in CLI as color# (1-16) (For example, set tag test1 color color4)
Panorama can push tag color configs. If conflicting with the existing tag on the firewall, then the device config should take priority.
Likewise, if there is a conflict between shared and VSYS specific object then VSYS takes precedence.
Configuration logs are generated for add/edit/delete of tag objects and setting of tags to other objects.
Feature Interaction with infrastructure components:
High-availability - Tag configuration will be synced, similar to the other object configurations
Virtual system - Tag administration and tag assignment can be done per VSYS
Panorama - Tag administration and tag assignment is available on Panorama
The specified objects and zones in Network templates will have configuration for tags. The tag configuration will be pushed to the device groups and devices along with the objects and device templates. If it is conflicting with an existing tag on the firewall, then the device config should take priority. In the Network template on Panorama zones can have tags specified, but no completion (drop down) is available. Users can only type tag names.
Tags can belong to VSYS or shared in a device and a device group, or shared in Panorama.