Dynamic Attributes Rule Conditions
You can use the following types of dynamic attributes to match connections in DNS rules:
- (Source or destination.) Dynamic objects, which contain IP addresses. Endpoint device type objects are source only. For more information, see Dynamic Objects and the chapter on Dynamic Attributes Connector.
- (Source only.) Security Group Tag (SGT) objects, which contain tags either manually defined or defined through ISE. For more information, see Source and destination Security Group Tag (SGT) matching and Security Group Tag.
When you configure dynamic attributes for a DNS rule, objects of the same type in the same source or destination list are ORed together and objects of different types are ANDed together. For example, if you select both a security group tag and a dynamic object that lists IP addresses, the rule matches if traffic with the tag originates from (or is destined to) one of those IP addresses.
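The OR/AND evaluation described above can be modeled in a few lines. This is an added example, not product code: the object names, addresses and tags are constructed, and the treatment of an empty list (no constraint) and of source and destination lists (both must match) are assumptions of the model.

```python
from ipaddress import ip_address

# Constructed sample data: object names, addresses and tags are hypothetical.
DYNAMIC_OBJECTS = {
    "web-tier": {ip_address("10.1.0.10"), ip_address("10.1.0.11")},
    "db-tier": {ip_address("10.2.0.7")},
}

def side_matches(ip, sgt, selected):
    """Evaluate one source or destination list of (kind, name) selections."""
    by_kind = {}
    for kind, name in selected:
        if kind not in ("dynamic", "sgt"):
            raise ValueError(f"unknown object type: {kind}")
        by_kind.setdefault(kind, []).append(name)
    results = []
    if "dynamic" in by_kind:
        # Same type, same list: ORed. Any selected dynamic object may hold the IP.
        addr = ip_address(ip)
        results.append(any(addr in DYNAMIC_OBJECTS[n] for n in by_kind["dynamic"]))
    if "sgt" in by_kind:
        # Same type, same list: ORed. Any selected tag may match.
        results.append(sgt in by_kind["sgt"])
    # Different types: ANDed. Assumption: an empty list places no constraint.
    return all(results)

def rule_matches(conn, source, destination):
    """Assumption of this model: source and destination lists must both match."""
    if any(kind == "sgt" for kind, _ in destination):
        raise ValueError("SGT objects are source only")
    return (side_matches(conn["src_ip"], conn.get("src_sgt"), source)
            and side_matches(conn["dst_ip"], None, destination))
```

Selecting two dynamic objects and one SGT in the source list therefore matches a connection whose source IP is in either object, but only if it also carries the selected tag.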
Initially, all Dynamic Objects and Security Group Tags are listed when you open the Dynamic Attributes tab. You can deselect an option to remove those objects from the list. You can also start typing in the search box to find the object you want.