Metadata-Based Policy Enforcement Overview

Traditionally, firewall policies are created using source and destination address objects. These objects are usually addresses or address groups, so to write a rule you must already know the IP address or range of IP addresses the rule applies to.

Metadata lets you tag these address objects with attributes (for example, location, operating system, or role) and then reference the tags, rather than the addresses themselves, when you create the firewall policy. The rule stays the same when addresses are added, removed, or retagged.

Metadata-based policy enforcement involves three steps:

  1. Metadata definition—Define the metadata keys and the values each key can take. For example: Location = Bangalore, Sunnyvale; OS = Windows, Mac, Linux; Role = Database, Application, Web.

  2. Metadata association—Associate the defined metadata with address objects of type host or range.

  3. Metadata expression evaluation—When you create a rule in a firewall policy, you specify the source and destination as metadata expressions instead of IP addresses, address groups, or network ranges. The expression is evaluated against the tagged address objects, and the rule applies to whichever addresses carry the matching tags.
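The three steps above, worked as an added example in Python. This is an illustration written for this page, not code from the original page or from any firewall vendor; the expression syntax (KEY = VALUE terms, optional NOT, joined with AND and OR), the key and value names, and the sample address objects and rules are all assumptions. Beyond the steps themselves it shows two points a practitioner should keep in mind: a rule's source and destination are resolved from whatever addresses currently carry the tags, so tagging an address is a policy change in its own right, and a negated term also matches addresses that carry no value for that key at all.

```python
# Added illustration of metadata-based policy enforcement; not any vendor's code.
# The expression syntax (KEY = VALUE terms, optional NOT, joined with AND / OR) is assumed.
import ipaddress
import re
from dataclasses import dataclass, field

# Step 1: metadata definition. Listing the allowed values lets a mistyped tag or
# expression be rejected instead of silently matching nothing.
METADATA_KEYS = {
    "Location": {"Bangalore", "Sunnyvale"},
    "OS": {"Windows", "Mac", "Linux"},
    "Role": {"Database", "Application", "Web"},
}

def check_metadata(key, value):
    if key not in METADATA_KEYS or value not in METADATA_KEYS[key]:
        raise ValueError(f"undefined metadata {key} = {value}")

@dataclass
class AddressObject:  # a host (first == last) or an IPv4 range, plus its tags
    name: str
    first: int
    last: int
    tags: dict = field(default_factory=dict)

    @classmethod
    def create(cls, name, lo, hi=None):
        return cls(name, int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi or lo)))

    def contains(self, ip):
        return self.first <= int(ipaddress.IPv4Address(ip)) <= self.last

    def tag(self, **kv):  # Step 2: metadata association (validated against step 1)
        for key, value in kv.items():
            check_metadata(key, value)
            self.tags[key] = value
        return self

# Step 3: metadata expressions. OR binds loosest, AND tighter, NOT applies to one term.
def parse_expression(expr):
    """Return [[(negated, key, value), ...], ...]: AND-groups joined by OR."""
    groups = []
    for group in re.split(r"\s+OR\s+", expr.strip()):
        terms = []
        for term in re.split(r"\s+AND\s+", group):
            m = re.fullmatch(r"(NOT\s+)?(\w+)\s*=\s*(\w+)", term.strip())
            if m is None:
                raise ValueError(f"cannot parse term {term!r}")
            check_metadata(m.group(2), m.group(3))
            terms.append((m.group(1) is not None, m.group(2), m.group(3)))
        groups.append(terms)
    return groups

def matches(groups, tags):
    """True if the tags satisfy the expression. Caveat: NOT also matches an address
    that carries no tag for that key, so negated terms can select more than intended."""
    return any(all((tags.get(key) == value) != negated for negated, key, value in terms)
               for terms in groups)

def resolve(expr, inventory):
    """Address objects the expression selects right now; the result changes as tags change."""
    groups = parse_expression(expr)
    return [a for a in inventory if matches(groups, a.tags)]

@dataclass
class Rule:
    name: str
    source: str       # metadata expression instead of an address or address group
    destination: str
    action: str       # "permit" or "deny"

    def __post_init__(self):  # fail at rule creation on undefined keys or values
        parse_expression(self.source)
        parse_expression(self.destination)

def lookup(rules, inventory, src_ip, dst_ip):
    """First-match evaluation; (None, 'deny') when no rule selects both endpoints."""
    for rule in rules:
        if any(a.contains(src_ip) for a in resolve(rule.source, inventory)) and any(
                a.contains(dst_ip) for a in resolve(rule.destination, inventory)):
            return rule.name, rule.action
    return None, "deny"

def sample_inventory():  # constructed sample data, not real hosts
    return [
        AddressObject.create("web-sv-1", "10.10.1.10").tag(Location="Sunnyvale", Role="Web", OS="Linux"),
        AddressObject.create("app-sv-1", "10.10.2.20").tag(Location="Sunnyvale", Role="Application", OS="Linux"),
        AddressObject.create("db-blr-1", "10.20.1.5").tag(Location="Bangalore", Role="Database", OS="Linux"),
        AddressObject.create("db-blr-win", "10.20.2.1", "10.20.2.50").tag(Location="Bangalore", Role="Database"),
    ]

def sample_rules():
    return [
        Rule("app-to-db", "Role = Application", "Role = Database AND Location = Bangalore", "permit"),
        Rule("any-to-db", "Location = Sunnyvale OR Location = Bangalore", "Role = Database", "deny"),
    ]
```

With this inventory, `lookup(sample_rules(), sample_inventory(), "10.10.2.20", "10.20.2.7")` is permitted by `app-to-db` because the destination falls inside the `db-blr-win` range, and adding a new host tagged `Role="Application"` makes it match the same rule without editing any rule. Note that `db-blr-win` carries no `OS` tag, so the expression `Role = Database AND NOT OS = Windows` selects it as well as `db-blr-1`; an untagged key is the case to check for whenever a negated term appears in a policy.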

Benefits of Metadata-Based Policies