
Enhancement of existing options, address objects, security zones and policy rules #317

@npolisetty26

Description


Hello Team,
I’m currently working with the Nautobot Firewall Models plugin, aiming to sync all Palo Alto firewall security rules into Nautobot, with a long-term goal of achieving full automation based on Nautobot data.
While doing so, I’ve encountered a few challenges and design concerns, and I’d really appreciate your input:
🔹 1. Missing Palo Alto-Specific Fields
Palo Alto firewalls have several key attributes that aren’t currently modeled in the plugin, such as:
Security Profiles
External Dynamic Lists (EDLs)
URL Categories
Log Forwarding Profiles
Decryption profile options
Is there a recommended way to store or sync these attributes into Nautobot (e.g., via custom fields, notes, or extensions)?
Or is there any ongoing work or roadmap to incorporate these Palo Alto-specific fields into the plugin?
Or is there any plan for vendor-specific plugin creation?
🔹 2. IP Address / Prefix Handling in IPAM
The plugin seems to automatically associate firewall IPs with Nautobot IPAM objects.
However, this is disrupting our existing IPAM hygiene, as many of the IPs present in firewalls are not managed by us or are external/third-party.
Would it be possible to:
Tag these as non-IPAM managed IPs, or
Have a separate tab or object category (like for FQDNs or IP ranges) to avoid polluting core IPAM data?
🔹 3. Security Zones Across Clusters and Sites
We have many HA firewall clusters (active-active, active-passive) across different sites, and we face these challenges:
Problem 1:
Currently, a Zone can only be assigned to a single device, which makes it impossible to assign the same zone name (e.g., zone_lan) to multiple firewalls in a cluster, even if they share the same function/interface names.
Problem 2:
We follow consistent zone naming conventions across locations (e.g., zone_lan, zone_dmz), but to assign them to different devices, we’re forced to create zone duplicates (e.g., zone_lan_site1, zone_lan_site2), which defeats the purpose of standardization.
Would it be possible, or is there any plan, to allow:
A single zone to be associated with multiple devices and multiple interfaces, e.g.:
zone_lan →

  • device1 → ethernet1/1
  • device2 → ethernet1/1
  • deviceX → ethernet2/2
This would significantly improve reusability and alignment with real-world firewall deployments.
Any recommendations, best practices, or roadmap insights would be very helpful.
Thanks in advance for your time and support!
Best regards,
Narendra Polisetty
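The two data-model concerns in the post, address objects that should not land in IPAM (point 2) and one zone name shared by several devices and interfaces (point 3), can both be checked before anything is written to Nautobot. The script below is an added example, not code from the issue or from the Nautobot Firewall Models plugin: it parses constructed PAN-OS-style config fragments for three firewalls (an HA pair at site1 plus one peer at site2), builds a zone -> device -> interfaces map, flags zone names outside the agreed standard, and sorts address objects into "belongs in IPAM", "external" or "FQDN" by matching them against the prefixes the IPAM actually owns. The XML element paths (config/devices/entry/vsys/entry/zone and .../address), the device names, the prefixes and the address objects are all assumptions chosen for the example.

```python
"""Added example, not the plugin's code: zone map across HA peers and
IPAM-vs-external classification of address objects from PAN-OS-style XML."""
import ipaddress
import xml.etree.ElementTree as ET


def _cfg(body):
    # Wrap a vsys body in the PAN-OS running-config skeleton (assumed layout).
    return ('<config><devices><entry name="localhost.localdomain"><vsys>'
            '<entry name="vsys1">' + body + '</entry></vsys></entry></devices></config>')


# Constructed fragments: HA pair fw-site1-a/fw-site1-b share zone and address
# config; fw-site2-a follows the standard for zone_lan but not for the DMZ zone.
ZONE = '<entry name="{}"><network><layer3><member>{}</member></layer3></network></entry>'
SITE1_ZONES = "<zone>" + ZONE.format("zone_lan", "ethernet1/1") + ZONE.format("zone_dmz", "ethernet1/2") + "</zone>"
SITE2_ZONES = "<zone>" + ZONE.format("zone_lan", "ethernet2/2") + ZONE.format("zone_dmz_site2", "ethernet2/3") + "</zone>"
SITE1_ADDRS = ('<address>'
               '<entry name="app-server"><ip-netmask>10.10.5.20/32</ip-netmask></entry>'
               '<entry name="saas-vendor"><ip-netmask>203.0.113.0/24</ip-netmask></entry>'
               '<entry name="vendor-portal"><fqdn>portal.example.net</fqdn></entry>'
               '</address>')
SITE2_ADDRS = ('<address>'
               '<entry name="app-server"><ip-netmask>10.10.5.20/32</ip-netmask></entry>'
               '<entry name="partner-range"><ip-range>198.51.100.10-198.51.100.20</ip-range></entry>'
               '<entry name="mgmt-jump"><ip-range>10.20.0.5-10.20.0.9</ip-range></entry>'
               '</address>')
FW_CONFIGS = {
    "fw-site1-a": _cfg(SITE1_ZONES + SITE1_ADDRS),
    "fw-site1-b": _cfg(SITE1_ZONES + SITE1_ADDRS),
    "fw-site2-a": _cfg(SITE2_ZONES + SITE2_ADDRS),
}
STANDARD_ZONES = {"zone_lan", "zone_dmz"}          # agreed naming convention
MANAGED_PREFIXES = ["10.0.0.0/8", "192.168.0.0/16"]  # what our IPAM actually owns


def parse_vsys(xml_text):
    """Return the vsys1 <entry> element of one device's config."""
    return ET.fromstring(xml_text).find("./devices/entry/vsys/entry[@name='vsys1']")


def parse_zones(xml_text):
    """zone name -> list of layer3 interfaces bound to it on this device."""
    return {e.get("name"): [m.text for m in e.findall("./network/layer3/member")]
            for e in parse_vsys(xml_text).findall("./zone/entry")}


def build_zone_map(configs):
    """zone -> {device -> [interfaces]}: one zone shared by many devices and interfaces."""
    zone_map = {}
    for device, xml_text in configs.items():
        for zone, ifaces in parse_zones(xml_text).items():
            zone_map.setdefault(zone, {})[device] = ifaces
    return zone_map


def nonstandard_zones(zone_map, standard):
    """(device, zone) pairs whose zone name falls outside the naming standard."""
    found = []
    for zone, devices in zone_map.items():
        if zone not in standard:
            found.extend((device, zone) for device in devices)
    return sorted(found)


def classify_addresses(configs, managed_prefixes):
    """address object name -> 'ipam' | 'external' | 'fqdn' (recorded once per object)."""
    managed = [ipaddress.ip_network(p) for p in managed_prefixes]

    def covered(net):
        return any(net.version == m.version and net.subnet_of(m) for m in managed)

    result = {}
    for xml_text in configs.values():
        for entry in parse_vsys(xml_text).findall("./address/entry"):
            name = entry.get("name")
            if name in result:
                continue  # same object is pushed to every HA peer
            if entry.find("fqdn") is not None:
                result[name] = "fqdn"
                continue
            if entry.find("ip-netmask") is not None:
                # strict=False tolerates host bits under the mask, as PAN-OS does
                nets = [ipaddress.ip_network(entry.find("ip-netmask").text, strict=False)]
            else:
                lo, hi = (ipaddress.ip_address(x) for x in entry.find("ip-range").text.split("-"))
                # a range may straddle prefix boundaries, so check every covering subnet
                nets = list(ipaddress.summarize_address_range(lo, hi))
            result[name] = "ipam" if all(covered(n) for n in nets) else "external"
    return result


if __name__ == "__main__":
    zone_map = build_zone_map(FW_CONFIGS)
    for zone, devices in sorted(zone_map.items()):
        print(zone, "->", devices)
    print("non-standard zones:", nonstandard_zones(zone_map, STANDARD_ZONES))
    print("address objects:", classify_addresses(FW_CONFIGS, MANAGED_PREFIXES))
```

Objects classified "external" or "fqdn" are the ones to keep out of the core IPAM tables (or to tag as not IPAM-managed, whichever the sync chooses), and the zone map is the many-to-many shape the post asks for: the same zone_lan entry carries ethernet1/1 on both site1 peers and ethernet2/2 at site2, while the site-suffixed DMZ zone is reported as a naming drift to fix on the firewall rather than to mirror into Nautobot.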
