'Shared' Device group - ANS - Exists outside of the device group hierarchy... Policies and
objects created in the 'shared' group are inherited by all of the other device groups
Default rules - ANS - Selected under device group to view the default behavior of intrazone and
interzone traffic on the firewalls within the DG
Device Group inheritance - ANS -
- Lower level groups (descendants) inherit settings of higher level groups (ancestors)
- Objects inherited from ancestors can be overridden locally
- In case of duplicate settings in a device group, the lower level overrides the setting in the
higher level group
Maximum device groups allowed (PAN-OS 8.1+) - ANS - 1,024
Maximum level of device groups - ANS - 4
Override Inherited Object Values - ANS -
* Objects in shared scope can never be overridden
* Local firewall admins cannot override device group objects (only Panorama admins can)
Policies and zones - ANS - Zone names defined in Panorama must match zones defined on
managed firewalls; otherwise a commit error will ensue (use templates or define the zone
manually)
Policy Rule Targets - ANS - Found in the "Target" tab when creating a new policy rule; allows
you to specify the firewalls within the device group to which you wish the policy to be applied
Policy Rule Usage Indicators - ANS -
Used: when all firewalls in the device group have traffic policy matches for the rule
Partially Used: when some of the firewalls in the DG have traffic matches
Unused: when no firewalls in the DG have traffic matches for the policy rule
Policy Rules Hierarchy - ANS - Evaluated top-down
1. Pre-rules (Panorama)
2. Local policy rules (local device)
3. Post-rules (Panorama)
Pre/post rules = read only by local fw admin
Preview Rules - ANS - Allows you to view the resulting rulebase when the Panorama rules are
merged with the local firewall policies
Reference Templates - ANS - Starting in PAN-OS 9.0, admins can define reference templates to
use when creating device groups that don't have firewalls assigned in the beginning. Security
zone info can be pulled from reference templates when defining policies.
Requirements for Policy Rules - ANS - Policy Rulebase settings in Panorama setup; allow an
admin to enforce that certain fields are filled out (such as audit comments and tags)