Simplify Security Rules Managed by Panorama

Best practices for simplifying security rules from the Panorama™ management server.
Keeping your security policy rulebase small, readable, and application-aware is one of the most important tasks in managing security policy from Panorama. The following practices help you get there and stay there.
  • Make your rulebase application-aware by using a combination of the Policy Optimizer and Policy Rule Usage to transition from port-based rules to App-ID and User-ID based security policy rules.
    Create User Groups in your security policy rules to make them more effective and readable. Additionally, you can leverage the Expedition and Best Practice Assessment (BPA) tools to help iterate through revisions of your rulebase and strengthen your security posture.
  • Leverage Global Find when evaluating your policy rulebase to identify objects or rules that already exist before you create new ones. This reduces unnecessary clutter in your configuration, which ultimately slows down commits on Panorama.
  • Troubleshoot your policy rules (for example, with a policy match test) to check whether a proposed rule change is already handled by an existing rule that only needs modification. This lets you avoid duplicate policy rules and keeps your policy rulebase from growing too large.
  • Use tag-based rule groups to identify rule purpose, function, lifecycle, or other characteristics so you can quickly sort and group like rules together. Tag-based rule groups let you visually distinguish sets of rules within a rulebase; you can manage the rules as a group or individually modify a single rule in the group.
  • Enforce audit comments for policy rule creation and modification to support security audits. A rule with a well-documented series of audit comments makes it easier to respond to an audit request than relying on rule descriptions or external tools. Additionally, you can supplement audit comments by entering a description when you commit configuration changes to Panorama.
  • Use dynamic constructs like External Dynamic Lists, Dynamic Address Groups, and Dynamic User Groups to streamline your configuration and simplify maintenance of your security policy rulebase. As your environment changes, the membership of these objects updates without a commit, so the rules that reference them do not need to be edited.
  • When creating your security policy rule, avoid selecting one or more managed firewalls in the Target tab, because doing so makes the managed firewall configuration synchronization status unreliable. This is commonly referred to as policy targeting. Policy targeting is evaluated on the firewall and not on Panorama. As a result, managed firewalls that a policy rule is not pushed to may erroneously display as Out of Sync. Design your device group hierarchy to minimize or avoid the need to target policies.
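The practices above (replace port-based rules with App-ID rules, find duplicate rules, tag every rule, avoid policy targeting) can be checked mechanically against an exported Panorama configuration. The following script is an added example and is not part of the PAN-OS documentation or product; it parses a small configuration fragment constructed for this example, whose element names (`device-group`, `pre-rulebase`, `security/rules/entry`, `target/devices`) follow the layout of a Panorama running-config export, and it flags rules that work against the guidance on this page.

```python
"""Audit an exported Panorama configuration for rules that work against the
simplification guidance above.  Added example, not PAN-OS code; the XML layout
mirrors a Panorama running-config export and the sample below is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one device group, three pre-rules.  legacy-port-80 is a
# port-based allow, allow-web-copy duplicates allow-web and targets one firewall.
SAMPLE_CONFIG = """\
<config><devices><entry name="localhost.localdomain">
 <device-group><entry name="branch-dg"><pre-rulebase><security><rules>
  <entry name="allow-web">
   <from><member>trust</member></from><to><member>untrust</member></to>
   <source><member>any</member></source><destination><member>any</member></destination>
   <application><member>web-browsing</member><member>ssl</member></application>
   <service><member>application-default</member></service>
   <action>allow</action><tag><member>internet-access</member></tag>
  </entry>
  <entry name="legacy-port-80">
   <from><member>trust</member></from><to><member>untrust</member></to>
   <source><member>any</member></source><destination><member>any</member></destination>
   <application><member>any</member></application>
   <service><member>tcp-80</member></service>
   <action>allow</action>
  </entry>
  <entry name="allow-web-copy">
   <from><member>trust</member></from><to><member>untrust</member></to>
   <source><member>any</member></source><destination><member>any</member></destination>
   <application><member>ssl</member><member>web-browsing</member></application>
   <service><member>application-default</member></service>
   <action>allow</action>
   <target><devices><entry name="007200001234"/></devices></target>
  </entry>
 </rules></security></pre-rulebase></entry></device-group>
</entry></devices></config>
"""

# Fields that define what a security rule matches; two rules with identical
# values here are duplicates regardless of name or ordering of members.
MATCH_FIELDS = ("from", "to", "source", "destination", "source-user",
                "application", "service", "action")


def _members(rule, field):
    """Return the value set of a rule field; an absent field matches 'any'."""
    node = rule.find(field)
    if node is None:
        return frozenset({"any"})
    members = node.findall("member")
    if not members and node.text and node.text.strip():  # e.g. <action>allow</action>
        return frozenset({node.text.strip()})
    return frozenset(m.text.strip() for m in members)


def audit_rulebase(config_xml):
    """Return {finding: sorted rule names} over every device group and rulebase."""
    root = ET.fromstring(config_xml)
    findings = defaultdict(list)
    signatures = defaultdict(list)  # match-criteria tuple -> rule names
    for dg in root.iterfind("./devices/entry/device-group/entry"):
        for rulebase in ("pre-rulebase", "post-rulebase"):
            for rule in dg.iterfind(f"./{rulebase}/security/rules/entry"):
                name = f"{dg.get('name')}/{rulebase}/{rule.get('name')}"
                # Allow rules with application=any are port-based, not App-ID.
                if (_members(rule, "action") == {"allow"}
                        and _members(rule, "application") == {"any"}):
                    findings["port-based-allow"].append(name)
                # Untagged rules cannot be sorted into tag-based rule groups.
                if rule.find("tag") is None:
                    findings["untagged"].append(name)
                # A Target selection breaks the sync status of other firewalls.
                if rule.find("target/devices/entry") is not None:
                    findings["targeted"].append(name)
                signatures[tuple(_members(rule, f) for f in MATCH_FIELDS)].append(name)
    for names in signatures.values():
        if len(names) > 1:
            findings["duplicate-match-criteria"].extend(names)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for finding, rules in audit_rulebase(SAMPLE_CONFIG).items():
        print(f"{finding}: {', '.join(rules)}")
```

To run this against a real export, replace `SAMPLE_CONFIG` with the contents of a configuration saved from Panorama; the duplicate check compares match criteria as sets, so rules whose members are listed in a different order are still reported as duplicates, while a rule that differs in a single field (such as `tcp-80` versus `application-default`) is not.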
