>
    Strata Copilot
    Create Dynamic Address Group Membership Criteria
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on VMware NSX-T
    4. Deploy the VM-Series Using the Security-Centric Workflow
    5. Create Dynamic Address Group Membership Criteria
    Download PDF
    VM-Series

    Create Dynamic Address Group Membership Criteria

    Table of Contents

    Create Dynamic Address Group Membership Criteria

    Learn how to create Dynamic Address Group Membership Criteria.
    Where Can I Use This?What Do I Need?
    • VMware NSX
    • VM-Series Firewall License (BYOL)
    • Panorama
    • VM-Series plugin
    • Panorama plugin for NSX
    In NSX-T, you can configure the membership criteria for your virtual machines and IP set belonging to an NSX-T security group (Dynamic Address Group) in the Panorama plugin for NSX. For each Dynamic Address Group, you must specify a service definition and define up to five match criteria and each criterion includes up to five match rules.
    You create this membership criteria on the plugin and then push it to NSX-T Manager. However, this does not apply the membership criteria to guest virtual machines in your deployment. Define and apply membership data, such as tags, to your guest VMs in NSX-T Manager.
    The rules that the Panorama plugin for NSX-T identifies and classifies virtual machines based on two membership types—virtual machine or IP set. The keys and operators usable with each member type are listed in the table below.
    Member TypeKeyOperator
    IP Set
    Tag
    Equals
    Virtual Machine
    • Tag
    • Name
    • OS Name
    • Computer Name
    • Equals
    • Contains
    • Starts With
    • Ends With
    • Not Equals (Not applicable with Tag key)
    Membership criteria changes should be made only on Panorama; do not make changes on NSX-T Manager. If you make changes on NSX-T Manager, the Panorama plugin for VMware NSX shows the service definition as out-of-sync. Click on the Out-of-Sync link to see the specific reason for the out-of-sync status. If a membership criteria change is the cause, perform a configuration sync by clicking NSX-T Config-Sync.
    1. Select PanoramaVMwareNSX-TMembership CriteriaAdd.
      To add or modify membership criteria for a service definition, with at least one Dynamic Address Group, you can click on the service definition name instead of clicking Add.
    2. From the Name, select a service definition for the Membership Criteria. The selected service definition must have East_West insertion type and used as part of a security-centric deployment.
    3. Click Add to specify a dynamic address group.
    4. Select a Dynamic Address Group from the drop-down. The drop-down lists the Dynamic Address Groups associated with the specified service definition.
      The plugin UI displays dynamic and static address groups configured on Panorama. Take care not accidently select a static address group when configuring membership criteria.
    5. Click Add to define the criteria associated with the chosen dynamic address group.
    6. Enter a descriptive name for the Criteria.
    7. Click Add to define a rule.
    8. Define a rule. You can create up to five rules.
      1. Enter a descriptive name for the rule.
      2. Select the Member Type—Virtual Machine or IP Set.
      3. Select the Key—Tag, Name, OS Name, Computer Name.
      4. Select the Operator—Equals, Contains, Starts With, Ends With, Not Equals.
      5. Enter the Value.
        If the Key is set to Tag, the Value is the Tag. The plugin user interface does not list the Tags, so you must use the Panorama CLI (with NSX-T Manager 3.0.0. and later).
        request plugins vmware_nsx nsx_t nsxt-tags service-definition <SD_name>
      6. (Optional) Enter the Scope. Scope is applicable only with the key Tag. Scope is an optional value applied to an object tag in NSX-T. The scope is defined on NSX-T Manager. For example, if you tag virtual machines based on operating system, you can create tags for Windows, Linux, and MacOS and then set the scope of each tag to OS.
        To view the tags and scope, use the Panorama CLI (with NSX-T Manager 3.0.0 and later).
        Execute the following command to view the list of tags.
        request plugins vmware_nsx nsx_t nsxt-tags service-definition <SD_name>
        Execute the following command to view the scope associated with the specified tag.
        request plugins vmware_nsx nsx_t nsxt-scope tag <tag_value> service-definition <SD-name>
      7. Click OK.
      8. (Optional) Click Add to create additional (up to five total) rules.
    9. On the Dynamic Address Group window, click OK to finish or Add to create additional criteria (up to five total) and rules.
    10. On the Membership Criteria window, click OK to finish or Add to specify additional Dynamic Address Groups .

    © 2026 Palo Alto Networks, Inc. All rights reserved.