DAG members are not populated on Panorama dynamically registering IP addresses using XML API

DAG members are not populated on Panorama dynamically registering IP addresses using XML API

2686
Created On 10/21/22 13:19 PM - Last Modified 05/31/25 03:30 AM


Symptom


  • dynamic address group (DAG) members are not populated on Panorama if IP addresses, and associated tags were dynamically registered using XML API

    Panorama GUI

Panorama DAG Group missing

​​​​​​Panorama CLI
<Panorama> show object dynamic-address-group all

<response status="success"><result>Dynamic address groups in shared:
---------------------------------------------
</entry>Dynamic address groups in device group <device_group_name>:
---------------------------------------------
        address group name:DAG
                filter: 'Tag1' 

O: address object; R: registered ip; D: dynamic group; S: static group
</result></response>
  • Checking Firewalls, you can see IP Addresses in the same DAGs.

Environment


  • Panorama on PAN-OS 10.2
  • Kubernetes Plugin 3.0.2
  • IP addresses and associated tags are dynamically registered using XML API
  • DAGs are configured from panorama and pushed to the Firewalls

Cause


Shared DAG Support, and Nested DAG Support are introduced on Kubernetes Plugin 4.0

However, the list of IP-Tag mappings, including XML API sourced, can be displayed under Panorama using:  
> show object registered-ip all

Resolution


Update Kubernetes Plugin to 4.0

Panorama Kubernetes Plugin

Additional Information


This applies only to Panorama appliances when dynamically registering IP addresses using XML API (does not include plugin learned mappings).
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEewCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail