Dynamic attributes rule conditions
A dynamic attributes rule condition is a DNS rule matching mechanism that
- uses dynamic objects containing IP addresses for source or destination matching, and endpoint device type objects for source-only matching,
- uses Security Group Tag (SGT) objects containing manually defined tags or ISE-defined tags for source-only matching, and
- applies logical operations where objects of the same type are ORed together and objects of different types are ANDed together.
Dynamic attributes configuration and behavior
You can use these types of dynamic attributes to match connections in DNS rules:
- (Source or destination.) Dynamic objects, which contain IP addresses. Endpoint device type objects are source only. For more information, see Dynamic Objects and the chapter on Dynamic Attributes Connector.
- (Source only.) Security Group Tag (SGT) objects, which contain tags either manually defined or defined through ISE. For more information, see Source and destination security group tag (SGT) matching and Security Group Tag.
When you configure dynamic attributes for a DNS rule, objects of the same type in the same source or destination list are ORed together and objects of different types are ANDed together. For example, if you select both a security group tag, and a dynamic object that lists IP addresses, the rule matches if traffic with the tag originates from (or is destined to) one of those IP addresses.
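The following is an added example, not Cisco code, that models the OR-within-a-type and AND-across-types evaluation described above so the combined behavior can be checked against sample connections. Object names, the dictionary layout, and the assumption that a type with no selected objects imposes no constraint are all constructed for the example.

```python
# Constructed model of dynamic-attribute matching in a DNS rule (not Cisco code):
# objects of the same type in a list are ORed; different types are ANDed.
from dataclasses import dataclass, field
import ipaddress


@dataclass
class DynamicAttributeCondition:
    # Names of the objects selected in the rule's source/destination lists.
    src_dynamic_objects: set = field(default_factory=set)
    src_sgts: set = field(default_factory=set)  # SGT objects are source-only
    dst_dynamic_objects: set = field(default_factory=set)


def _ip_in_any_object(ip, object_names, dynamic_objects):
    """OR within one type: the address must fall in at least one selected object."""
    addr = ipaddress.ip_address(ip)
    return any(
        addr in ipaddress.ip_network(net)
        for name in object_names
        for net in dynamic_objects[name]
    )


def matches(cond, conn, dynamic_objects):
    """AND across types. Assumption: a type with nothing selected is unconstrained."""
    checks = []
    if cond.src_dynamic_objects:
        checks.append(_ip_in_any_object(conn["src_ip"], cond.src_dynamic_objects, dynamic_objects))
    if cond.src_sgts:
        checks.append(conn.get("src_sgt") in cond.src_sgts)
    if cond.dst_dynamic_objects:
        checks.append(_ip_in_any_object(conn["dst_ip"], cond.dst_dynamic_objects, dynamic_objects))
    return all(checks)


# Constructed sample dynamic objects (name -> list of CIDR prefixes).
DYNAMIC_OBJECTS = {
    "finance_hosts": ["10.1.0.0/24"],
    "hr_hosts": ["10.2.0.0/24"],
    "internal_dns": ["10.0.0.53/32"],
}

# Source: (finance_hosts OR hr_hosts) AND SGT "Employees"; destination: internal_dns.
RULE = DynamicAttributeCondition(
    src_dynamic_objects={"finance_hosts", "hr_hosts"},
    src_sgts={"Employees"},
    dst_dynamic_objects={"internal_dns"},
)
```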
Initially, all Dynamic Objects and Security Group Tags are listed when you open the Dynamic Attributes tab. You can deselect an option to remove those objects from the list. You can also start typing in the search box to find the object you want.