VM-Series Deployment Guide 13
About the VM-Series Firewall: Monitor Changes in the Virtual Environment

Use Dynamic Address Groups in Policy
Dynamic address groups allow you to create policy that automatically adapts to changes in the environment: servers that are added, moved, or deleted. They also give you the flexibility to apply different rules to the same server based on its role on the network or on the kinds of traffic it processes.
Each metadata element or attribute that the firewall tracks in the VMware environment can be tagged with a value. A dynamic address group uses one or more tags as its filtering criteria and matches on those tags to determine its members. The filter combines tags with logical AND and OR operators, so multiple tags can be applied to each guest to represent virtual machine attributes such as its IP address, its operating system, or the virtual switch to which it belongs.
Tags can be defined statically on the firewall and/or registered dynamically to the firewall. All entities that carry the tags and match the defined criteria become members of the dynamic group. The difference between static and dynamic tags is that static tags are part of the configuration on the firewall, while dynamic tags are part of the runtime state. A commit is therefore not required to update dynamic tags; the tags must, however, be referenced in policy, and that policy must be committed on the device before membership changes have any effect.
The IP address and associated tags for an entity can be dynamically registered on the firewall using the XML API or the VM Monitoring Agent on the firewall; each registered IP address can have up to 32 tags. Within 60 seconds of the API call, the firewall registers the IP address and its tags and automatically updates the membership of the affected dynamic address group(s). Because membership is updated automatically, using dynamic address groups in place of static address objects lets policy track changes in your environment without an administrator having to edit the policy and commit it on the firewall.
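The two mechanisms described above, tag registration over the XML API and AND/OR tag filtering, are easier to reason about with a concrete message and a filter evaluated against a few registrations. The following Python is an added example, not code from the deployment guide or from Palo Alto Networks. The uid-message layout and the type=user-id request follow the PAN-OS User-ID XML API; the firewall host, API key, IP addresses and tag names are placeholders constructed for the example, and the local filter evaluator is a simplified model of how the firewall matches tags, not the firewall's own code.

```python
"""Build a PAN-OS dynamic address registration message and evaluate a
dynamic address group (DAG) filter against registered tags.

Added example, not from the guide. The 32-tag limit and the AND/OR
filter semantics come from the text; host, key and tags are placeholders.
"""
from __future__ import annotations

import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

MAX_TAGS_PER_IP = 32  # per-address limit stated in the guide


def build_uid_message(register: dict[str, list[str]],
                      unregister: dict[str, list[str]] | None = None) -> str:
    """Return the <uid-message> XML that registers/unregisters IP->tag pairs.

    Raises ValueError before anything is sent if an entry exceeds 32 tags,
    so a bad batch is rejected client-side instead of partially applied.
    """
    for ip, tags in register.items():
        if len(tags) > MAX_TAGS_PER_IP:
            raise ValueError(f"{ip}: {len(tags)} tags exceeds limit of {MAX_TAGS_PER_IP}")
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    for section, entries in (("register", register), ("unregister", unregister or {})):
        if not entries:
            continue
        block = ET.SubElement(payload, section)
        for ip, tags in entries.items():
            entry = ET.SubElement(block, "entry", ip=ip)
            tag_el = ET.SubElement(entry, "tag")
            for tag in tags:
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(msg, encoding="unicode")


def api_request(host: str, api_key: str, uid_xml: str) -> tuple[str, bytes]:
    """URL and form body for POSTing the message to /api/ with type=user-id."""
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    return f"https://{host}/api/", body.encode()


def send(host: str, api_key: str, uid_xml: str) -> str:
    """POST the registration; certificate verification is deliberately left on."""
    url, body = api_request(host, api_key, uid_xml)
    ctx = ssl.create_default_context()  # placeholder host must present a trusted cert
    with urllib.request.urlopen(urllib.request.Request(url, data=body), context=ctx) as r:
        return r.read().decode()


# --- Local model of the DAG filter: quoted tags joined by and/or with parentheses.
_TOKEN = re.compile(r"\s*(?:'([^']*)'|([()])|(and|or)\b)", re.IGNORECASE)


def _tokenize(expr: str) -> list[tuple[str, str]]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("TAG", m.group(1)))
        elif m.group(2):
            tokens.append(("PAREN", m.group(2)))
        else:
            tokens.append(("OP", m.group(3).lower()))
    return tokens


class _Filter:
    """Recursive descent: or-expr := and-expr ('or' and-expr)*; and binds tighter."""

    def __init__(self, expr: str, tags: set[str]):
        self.toks, self.i, self.tags = _tokenize(expr), 0, tags

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok

    def or_expr(self) -> bool:
        value = self.and_expr()
        while self._peek() == ("OP", "or"):
            self._take()
            value = self.and_expr() or value
        return value

    def and_expr(self) -> bool:
        value = self.atom()
        while self._peek() == ("OP", "and"):
            self._take()
            value = self.atom() and value
        return value

    def atom(self) -> bool:
        tok = self._take()
        if tok == ("PAREN", "("):
            value = self.or_expr()
            if self._take() != ("PAREN", ")"):
                raise ValueError("missing ')'")
            return value
        if tok[0] == "TAG":
            return tok[1] in self.tags
        raise ValueError(f"unexpected token {tok}")


def matches(filter_expr: str, tags: list[str]) -> bool:
    """True when the registered tag set satisfies the DAG filter."""
    f = _Filter(filter_expr, set(tags))
    result = f.or_expr()
    if f._peek() is not None:
        raise ValueError("trailing tokens in filter")
    return result


def dag_members(filter_expr: str, registrations: dict[str, list[str]]) -> list[str]:
    """IPs whose registered tags match the filter (what the firewall recomputes)."""
    return sorted(ip for ip, tags in registrations.items() if matches(filter_expr, tags))


if __name__ == "__main__":
    # Constructed sample registrations (placeholder addresses and tags).
    regs = {"10.1.1.10": ["web-server", "prod"],
            "10.1.1.11": ["db-server", "prod"],
            "10.1.2.10": ["web-server", "staging"]}
    print(build_uid_message(regs))
    print(dag_members("'prod' and ('web-server' or 'db-server')", regs))
```

`send()` is included only to show the request shape and is not exercised here; the firewall applies the registration within the 60-second window the guide describes, and `dag_members()` shows locally which addresses a given filter would then include. Note that `api_request()` puts the API key in the form body rather than the URL so it does not land in proxy or web-server access logs.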
Use the following table to verify the maximum number of IP addresses that can be registered for each model of firewall:

Platform                              Maximum number of dynamically registered IP addresses
PA-7050, PA-5060, VM-1000             100,000
PA-5050                               50,000
PA-5020                               25,000
PA-4000 Series, PA-3000 Series        5,000

Set up the VM Monitoring Agent (Continued)
Step 2 Verify the connection status.
1. Verify that the connection Status displays as connected. If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the MGT port for communicating with the monitored source, you must change the service route (Device > Setup > Services, click the Service Route Configuration link and modify the Source Interface for the VM Monitor service).