Members of Dynamic Address/Service Group not pushed to firewall when Dynamic Group is nested in another group

Created On 10/16/24 09:10 AM - Last Modified 10/28/25 13:36 PM


Symptom


A Dynamic Address/Service Group is generated on Panorama using tags. The Dynamic Address Group is nested in another Address/Service Group and is not referenced in the Security Policy directly.

Traffic is unexpectedly dropped on the firewall. On closer inspection, not all members of the Dynamic Address Group have been pushed from Panorama to the firewall.

  • DAG on Panorama:
    admin@panorama-01> show object dynamic-address-group all
    
    ---------------------------------------------
    Dynamic address groups in device group PA-VM1:
    ---------------------------------------------
            address group name:DAG
                    filter: 'Dynamic'
                            Test1 (O)
                            Test2 (O)
                            Test3 (O)
  • DAG on the firewall; object Test1 is present because it is referenced directly in a different security rule:
    admin@lab-fwl-01(active-primary)> show object dynamic-address-group name DAG
    
    
    Dynamic address groups in vsys vsys1:
    ----------------------------------------------------
    
    ----------------defined in vsys --------------------
            DAG
                    filter: 'Dynamic'
                            Test1 (O)
    
                    members: total 1
    


Environment


  • Panorama 
  • Dynamic Address Group (DAG) Objects that use tags to dynamically populate the DAGs
  • The DAG is nested in another Address Group and not referenced directly in Policy
  • Share Unused Address and Service Objects with Devices is disabled/unchecked
  • Firewall assigned properly to Device Group, with policy pushed from Panorama


Cause


The issue is caused by a limitation in PAN-OS: members of a nested Dynamic Address Group that are not themselves referenced directly by policy or used by other Address Groups are not marked as used when Panorama determines which objects to push to the firewall. The problem does not occur when "Share Unused Address and Service Objects with Devices" is enabled on Panorama.



Resolution


The issue can be resolved by modifying the security policy to reference the Dynamic Address Group directly.

  1. Original policy using nested objects: Dynamic Address Group "DAG" is nested inside "Nested Group"
  2. Corrected policy:
  3. All members are present on the firewall after the push:
    admin@lab-fwl-01(active-primary)> show object dynamic-address-group name DAG
    
    
    Dynamic address groups in vsys vsys1:
    ----------------------------------------------------
    
    ----------------defined in vsys --------------------
            DAG
                    filter: 'Dynamic'
                            Test1 (O)
                            Test2 (O)
                            Test3 (O)
    
                    members: total 3
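As an added check (not part of the original article or of PAN-OS), the script below parses the `show object dynamic-address-group` output from Panorama and from the firewall, as shown above, and reports which DAG members Panorama lists that the firewall does not have. The two sample outputs are constructed from the article's own listings; the parser's handling of the Panorama ("address group name:DAG") and firewall (bare "DAG") header forms is an assumption based on those listings.

```python
import re
from typing import Dict, Optional, Set

# A group header is either "address group name:DAG" (Panorama form) or a bare
# "DAG" line (firewall form). Dashed rule lines and "key: value" lines are excluded.
GROUP_RE = re.compile(r"^\s*(?:address group name:)?([^\s:-][^\s:]*)\s*$")
# One resolved member, e.g. "Test1 (O)"; the flag in parentheses is not interpreted.
MEMBER_RE = re.compile(r"^\s+(\S+)\s+\([A-Z]\)\s*$")


def parse_dag_output(text: str) -> Dict[str, Set[str]]:
    """Map each dynamic address group name to the set of members listed under it."""
    groups: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, set())
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            groups[current].add(m.group(1))
    return groups


def missing_members(panorama_text: str, firewall_text: str) -> Dict[str, Set[str]]:
    """Return, per DAG, the members Panorama lists that are absent on the firewall."""
    pan = parse_dag_output(panorama_text)
    fw = parse_dag_output(firewall_text)
    gaps = {name: members - fw.get(name, set()) for name, members in pan.items()}
    return {name: absent for name, absent in gaps.items() if absent}


# Constructed sample inputs, copied from the article's CLI listings.
PANORAMA_SAMPLE = """\
---------------------------------------------
Dynamic address groups in device group PA-VM1:
---------------------------------------------
        address group name:DAG
                filter: 'Dynamic'
                        Test1 (O)
                        Test2 (O)
                        Test3 (O)
"""

FIREWALL_SAMPLE = """\
Dynamic address groups in vsys vsys1:
----------------------------------------------------

----------------defined in vsys --------------------
        DAG
                filter: 'Dynamic'
                        Test1 (O)

                members: total 1
"""

if __name__ == "__main__":
    for name, absent in missing_members(PANORAMA_SAMPLE, FIREWALL_SAMPLE).items():
        print(f"DAG {name}: members not on firewall -> {sorted(absent)}")
```

An empty result after the policy change confirms that every member of the DAG reached the firewall, matching the "members: total 3" listing above.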
    

