From Log to Block: Auto-Blocking External Threat Sources with PAN-OS
A production pattern: use log forwarding filters to tag external source IPs on meaningful denied threats, feed those tags into a Dynamic Address Group, and enforce a high-priority global block rule.
The problem
Internet-facing services attract constant hostile traffic. Even when traffic is denied, repeat offenders can create a huge amount of noise and overhead: repeated sessions, repeated inspection, repeated log volume, and reduced visibility for higher-value events.
The design pattern
- Threat log forwarding filter matches blocked, medium-or-higher severity threat events whose source is in the outside zone.
- Tagging action applies a tag to the source address at log time.
- Dynamic Address Group matches any IP with that tag.
- High-priority security policy drops traffic from that DAG to anything.
1) Log forwarding filter (Threat logs)
Create a log forwarding profile match list for Log Type: threat and filter for events that represent real, actionable abuse:
- Source zone = outside / untrusted
- Action = a block action (drop / reset, as recorded in your logging model), not alert: tag only sources the firewall has already stopped, so a filter mistake never turns an allowed session into a block by itself
- Severity = medium or higher (tune the threshold for your environment)
- Exclude known infrastructure and expected traffic patterns
2) Tag the source IP (built-in tagging action)
In the log forwarding profile's built-in action, set the tagging target to the Source Address: that is the attacker, and the address the block rule needs. Tagging the destination would tag your own server, and a user tag means nothing for unauthenticated internet traffic. This closes the loop: the firewall observes the event and immediately converts it into an enforcement input.
Note: the built-in tagging action accepts a timeout in minutes, and tag lifetime is environment-specific. Some teams let tags expire on that timeout; others leave them permanent and clear them operationally. Keep in mind that once the block rule is dropping a source, that source no longer reaches threat inspection and so produces no new threat logs: continued attempts do not refresh the timer, the tag expires, and the next attack that gets through to inspection re-tags it. That cycle is usually acceptable, but pick the timeout with it in mind.
3) Dynamic Address Group (DAG)
Define a Dynamic Address Group whose match criteria is the tag name (for example a single tag such as "outside-threat"). The DAG and the rule that references it need one commit; from then on, as soon as the firewall registers the tag, that IP becomes a member of the DAG with no commit or external refresh.
4) High-priority block rule
Place a high-priority security rule near the top of the rulebase, above anything that could allow the traffic:
- Source zone: outside / untrusted
- Source address: the DAG (for example DAG_Outside_Threats, or whatever you named it)
- Destination: any
- Application/Service: any
- Action: drop
Log the rule at session end so the hit counter and traffic logs show the containment working, and show you promptly when a legitimate source has been caught.
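To make the four steps concrete without touching a firewall, here is an added example (not code from the original post and not PAN-OS code) that models the whole pipeline in Python over a handful of constructed threat-log rows. The zone names, the set of block actions, the exclusion ranges, the tag name and the 60-minute timeout are all assumptions for the example; substitute your own. It shows the filter rejecting alert-only hits, low severity, inside-zone sources and excluded ranges, the DAG following tag registration, and membership aging out when the timeout passes.

```python
"""Offline model of the log-to-block pipeline (added example, not PAN-OS code).

Simulates the four stages (threat-log filter -> source tag -> Dynamic Address
Group -> block rule) over constructed log rows so the filter, the exclusions
and the tag timeout can be sanity-checked before committing on a firewall.
"""
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Tunables; every value here is an assumption made for the example.
OUTSIDE_ZONES = {"outside", "untrust"}
MIN_SEVERITY = "medium"
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Threat-log actions that mean "the firewall already blocked this". Only those
# get tagged: an 'alert' hit, however severe, is just a log line.
BLOCK_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both", "block-ip"}
# Never tag own infrastructure or the authorised external scanner (RFC 5737 ranges).
EXCLUDED_SOURCES = [ip_network("203.0.113.0/24"), ip_network("192.0.2.200/30")]
TAG = "outside-threat"  # the tag the DAG matches on
TAG_TIMEOUT = timedelta(minutes=60)

# Constructed rows: receive_time,src,dst,src_zone,dst_zone,action,severity
SAMPLE_THREAT_LOG = """\
2024-05-01 10:00:01,198.51.100.7,203.0.113.10,outside,dmz,drop,high
2024-05-01 10:00:02,198.51.100.7,203.0.113.10,outside,dmz,drop,high
2024-05-01 10:00:05,192.0.2.44,203.0.113.10,outside,dmz,reset-both,medium
2024-05-01 10:00:09,192.0.2.99,203.0.113.10,outside,dmz,alert,critical
2024-05-01 10:00:11,203.0.113.250,203.0.113.10,outside,dmz,drop,critical
2024-05-01 10:00:15,10.0.0.5,203.0.113.10,inside,dmz,drop,high
2024-05-01 10:00:20,198.51.100.9,203.0.113.10,outside,dmz,drop,low
"""
FIELDS = ["receive_time", "src", "dst", "src_zone", "dst_zone", "action", "severity"]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_threat_log(text):
    """Parse the constructed CSV rows into dicts with a datetime receive_time."""
    rows = list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))
    for row in rows:
        row["receive_time"] = parse_time(row["receive_time"])
    return rows


def is_excluded(src):
    ip = ip_address(src)
    return any(ip in net for net in EXCLUDED_SOURCES)


def filter_matches(entry):
    """Stage 1: the log forwarding match-list filter, as a predicate."""
    severe_enough = SEVERITY_RANK.get(entry["severity"], -1) >= SEVERITY_RANK[MIN_SEVERITY]
    return (
        entry["src_zone"] in OUTSIDE_ZONES
        and entry["action"] in BLOCK_ACTIONS
        and severe_enough
        and not is_excluded(entry["src"])
    )


class TagStore:
    """Stages 2 and 3: a registered-IP table with expiry; the DAG is its live members."""

    def __init__(self):
        self._tags = {}  # (ip, tag) -> expiry datetime, or None for 'never'

    def add(self, ip, tag, now, timeout=TAG_TIMEOUT):
        # A repeat hit that reaches inspection refreshes the timer.
        self._tags[(ip, tag)] = now + timeout if timeout else None

    def members(self, tag, now):
        """DAG membership at time `now`; expired registrations fall out."""
        for key in [k for k, exp in self._tags.items() if exp is not None and exp <= now]:
            del self._tags[key]
        return sorted(ip for (ip, t) in self._tags if t == tag)


def process_log(text, store):
    """Feed each log row through the filter; tag the source of every match."""
    tagged = set()
    for entry in parse_threat_log(text):
        if filter_matches(entry):
            store.add(entry["src"], TAG, entry["receive_time"])
            tagged.add(entry["src"])
    return sorted(tagged)


def block_rule_action(src_zone, src_ip, store, now):
    """Stage 4: the high-priority rule 'outside zone + DAG member -> drop'."""
    if src_zone in OUTSIDE_ZONES and src_ip in store.members(TAG, now):
        return "drop"
    return None  # no match: evaluation continues down the rulebase


if __name__ == "__main__":
    store = TagStore()
    print("tagged:", process_log(SAMPLE_THREAT_LOG, store))
    for ip in ("198.51.100.7", "192.0.2.99", "203.0.113.250"):
        print(ip, "->", block_rule_action("outside", ip, store, parse_time("2024-05-01 10:01:00")))
    print("members an hour later:", store.members(TAG, parse_time("2024-05-01 11:00:03")))
```

Of the seven constructed rows only two sources end up tagged: the repeat offender and the reset-both hit. The critical-severity alert, the excluded scanner, the inside-zone source and the low-severity drop all fall through the filter, which is the behaviour you want to confirm against real logs before turning the tagging action on. On a real firewall the equivalent check is `show object registered-ip all` on the CLI, which lists the IPs currently carrying the tag, and `debug object registered-ip clear all` is the manual path for clearing every registered tag when you choose operational clearing over a timeout.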
What this buys you
- Noise reduction: repeat offenders stop generating meaningful churn after the first hit.
- Performance protection: known-bad sources get dropped early, reducing repeated inspection overhead.
- Self-updating enforcement: no manual lists, no external EDL hosting, no scripts required.
- Environment-aware blocking: you block what actually attacks you.
Guardrails
- Exclusions matter. Don’t tag your own infrastructure, trusted scanners, or known third-party services. If an upstream proxy, load balancer or CDN sits in front of the outside zone, the source address you would tag is that device, and the block would take every client behind it along with the attacker: exclude it.
- Severity threshold matters. Medium+ works well in many environments, but a false positive here becomes a block, so tune the threshold and the rest of the filter against your own threat logs before enabling the tagging action.
- Tag lifecycle matters. Decide whether tags age out or are cleared manually.
- Placement matters. Keep the block rule high so it acts as an early “containment gate.”
This post describes an operational pattern (the “how to think”). Implementation details are intentionally generalized and should be tested safely in your environment.