Using Traffic Logs to Build Dynamic Address Groups (DAGs) in PANW NGFW
- ssivley
- Jun 3
Security teams are often reactive by nature: alerts trigger responses, incidents trigger investigations. But buried in plain sight is an underutilized asset that can shift teams toward proactive defense: firewall traffic logs.
Palo Alto Networks Next-generation firewalls (NGFWs) continuously capture metadata-rich traffic logs that contain a goldmine of actionable intelligence. By leveraging this data, organizations can create Dynamic Address Groups (DAGs) that evolve in near-real-time to block malicious actors, prioritize investigations, and enforce security policies with precision.
What Is a Dynamic Address Group?
A Dynamic Address Group allows an NGFW to automatically populate IP addresses based on matching criteria, such as tags or external inputs. Instead of managing static lists manually, security teams can define logic that lets the firewall do the work, keeping policies relevant and responsive.
Use Case 1: Blocking Attackers Identified from Traffic Logs
Let's say your firewall is detecting repeated inbound SSH connection attempts from a variety of IPs not associated with any known business function. Rather than play whack-a-mole with manual block entries, you can use traffic log data to build an automated workflow:
Monitor Traffic Logs for failed SSH attempts or unexpected service probes.
Use a Log Forwarding profile to automatically tag the source IP of each matching log entry.
Define a Dynamic Address Group whose match criteria reference that same tag, so tagged IPs become members automatically.
Apply a Block Policy to the DAG in your security rulebase.
Result? Any IP flagged by traffic patterns can be blocked within seconds, without human intervention.
Use Case 2: Flagging Suspicious Internal Activity
Not all threats come from the outside. Internal hosts making outbound connections to known malicious domains, or initiating unexpected lateral movement, can be flagged using the same DAG approach.
Behavioral tags can be applied to internal IPs that match predefined conditions.
DAGs then dynamically reflect these "high-risk" internal hosts.
Additional policies can restrict these hosts to minimal network access while alerts are triaged.
Use Case 3: Segmentation Enforcement Based on Role or Risk
Firewalls often operate in hybrid environments, where IP addresses can be ephemeral. Dynamic Address Groups provide a clean solution for enforcing segmentation policies without relying on static IP assignments:
Cloud workloads can register tags with the NGFW via API.
Policies reference these tags via DAGs, not hardcoded addresses.
As workloads spin up or down, policies remain current.
This is especially powerful in DevOps or containerized environments where agility and control must coexist.
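The auto-tagging workflow in use case 1 and the API-based tag registration in use case 3 rest on the same mechanism: registering a tag on an IP so that a DAG whose match criteria reference that tag picks it up. The following is an added example, not code from the original post or from Palo Alto Networks: it tallies denied SSH sessions from constructed traffic-log records and builds the PAN-OS User-ID XML message that registers a tag on the offending IPs; the tag name, threshold, log fields and timeout attribute are assumptions.

```python
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample traffic-log records (a few PAN-OS traffic-log fields only,
# not a real export): source IP, destination port, application, action.
SAMPLE_LOGS = [
    {"src": "203.0.113.10", "dport": 22, "app": "ssh", "action": "deny"},
    {"src": "203.0.113.10", "dport": 22, "app": "ssh", "action": "deny"},
    {"src": "203.0.113.10", "dport": 22, "app": "ssh", "action": "deny"},
    {"src": "198.51.100.7", "dport": 22, "app": "ssh", "action": "deny"},
    {"src": "198.51.100.7", "dport": 22, "app": "ssh", "action": "deny"},
    {"src": "192.0.2.5", "dport": 22, "app": "ssh", "action": "allow"},  # known admin host
    {"src": "192.0.2.5", "dport": 443, "app": "ssl", "action": "deny"},
]

def find_ssh_probers(records, threshold=3):
    """Source IPs with at least `threshold` denied SSH sessions, sorted.

    Only denies are tallied, so the allowed admin login never reaches the DAG;
    the threshold keeps one stray connection from being tagged.
    """
    denies = Counter(r["src"] for r in records
                     if r["app"] == "ssh" and r["action"] == "deny")
    return sorted(ip for ip, n in denies.items() if n >= threshold)

def build_register_payload(ips, tag, timeout_s=3600):
    """PAN-OS User-ID XML message registering `tag` on each IP.

    persistent="0" drops the mapping on reboot; the per-tag timeout attribute
    (assumed supported by the PAN-OS release in use) expires it, so a scanner
    that goes quiet leaves the block group without manual cleanup.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip in ips:
        entry = ET.SubElement(register, "entry", ip=ip, persistent="0")
        tags = ET.SubElement(entry, "tag")
        ET.SubElement(tags, "member", timeout=str(timeout_s)).text = tag
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    payload = build_register_payload(find_ssh_probers(SAMPLE_LOGS), "ssh-bruteforce")
    print(payload)
    # Delivered to the firewall's XML API as a user-id command, for example:
    #   requests.post(f"https://{FW_HOST}/api/",
    #                 data={"type": "user-id", "key": API_KEY, "cmd": payload})
    # FW_HOST and API_KEY are placeholders for your firewall and its API key.
```

The same `build_register_payload` call, with a role tag instead of a threat tag, is what a cloud workload or provisioning pipeline would send to register itself for the segmentation DAGs in use case 3.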
Use Case 4: Auto-Populating Watchlists
Traffic logs can be filtered for:
Volume anomalies (e.g., data exfiltration)
Application misuse (e.g., corporate users tunneling over DNS)
Unexpected destinations (e.g., first-time connections to IPs in unusual regions)
IP addresses observed in these patterns can be added to a watchlist DAG: not immediately blocked, but flagged for visibility and potential escalation.
Dynamic Address Groups are more than just a convenience feature; they are a bridge between detection and response. When paired with automation and enriched traffic data, they allow organizations to evolve from passive logging to intelligent enforcement.
If you're sitting on traffic logs and not leveraging DAGs, you're letting opportunity slip through the firewall.