Why are some unused address objects still pushed to the firewall?
Question
Why are some unused address objects still pushed to the firewall even though they are not part of any policy?
Environment
- Panorama
- Firewall
- Supported PAN-OS
Answer
When address objects in Panorama are associated with specific tags, and those tags are used as criteria within a Dynamic Address Group (DAG), then any security policy that references that DAG will automatically include all the address objects currently marked with those specified tags.
Additional Information
- Assign tags to individual IP addresses or address objects.
- Create a "Dynamic Address Group" that says, "Include any address object that has Tag A and Tag B" (or whatever tag combination you define).
- When you use this Dynamic Address Group in a security policy, Panorama (and the firewalls it manages) will automatically know to apply that policy to all the IP addresses that currently have the specified tags.
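To audit which address objects reach a policy only through a tag match, the relationship described above can be modelled offline. This is an added example, not Palo Alto Networks code: the object, group and rule names are constructed, the dictionaries are an assumed layout rather than Panorama's schema, and the filter evaluator handles only a simplified subset (quoted tags, and/or, parentheses).

```python
import re
# Constructed sample data; names and layout are assumptions, not Panorama's schema.
ADDRESS_OBJECTS = {"web-01": {"TagA", "TagB"}, "web-02": {"TagA"},
                   "db-01": {"TagA", "TagB", "prod"}, "old-host": set()}
DYNAMIC_GROUPS = {"dag-web": "'TagA' and 'TagB'", "dag-idle": "'prod'"}
RULE_GROUPS = {"allow-web": ["dag-web"]}   # security rule -> groups it references
TOKEN = re.compile(r"'([^']*)'|(\(|\)|\band\b|\bor\b)", re.IGNORECASE)

def matches(expr, tags):
    """Evaluate a tag filter (quoted tags, and/or, parentheses) against a tag set."""
    if TOKEN.sub("", expr).strip():
        raise ValueError(f"unsupported text in filter: {expr!r}")
    toks = [("tag", t) if not op else ("op", op.lower()) for t, op in TOKEN.findall(expr)]
    toks.append((None, None))              # sentinel marking the end of input
    i = 0
    def atom():
        nonlocal i
        kind, val = toks[i]
        i += 1
        if kind == "tag":
            return val in tags
        if (kind, val) != ("op", "("):
            raise ValueError("expected a tag or '('")
        res = chain("or")
        if toks[i] != ("op", ")"):
            raise ValueError("missing ')'")
        i += 1
        return res
    def chain(word):                       # "or" level is built from "and" levels
        nonlocal i
        sub = (lambda: chain("and")) if word == "or" else atom
        res = sub()
        while toks[i] == ("op", word):
            i += 1
            nxt = sub()
            res = (res or nxt) if word == "or" else (res and nxt)
        return res
    res = chain("or")
    if toks[i] != (None, None):
        raise ValueError("unexpected trailing token")
    return res

def pulled_in_by_dag():
    """Address object -> rules that include it only through a tag match."""
    out = {}
    for rule, groups in RULE_GROUPS.items():
        for flt in (DYNAMIC_GROUPS[g] for g in groups if g in DYNAMIC_GROUPS):
            for name, tags in ADDRESS_OBJECTS.items():
                if matches(flt, tags):
                    out.setdefault(name, set()).add(rule)
    return out
```

With the sample data, `web-01` and `db-01` are reported for rule `allow-web` although the rule names neither object, while `dag-idle` contributes nothing because no rule references it.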