Best practices for managing the security configuration
of your managed firewalls using device groups from the Panorama™
management server.
Device groups provide a way to organize and reuse your policies by applying
the principle of inheritance and implementing a well-defined device group
hierarchy. A descendant device group inherits the configuration of every
device group above it, so Panorama lets you reuse the same configuration
across multiple device groups in a hierarchy, while any local configuration
in a lower-level device group overrides the inherited configuration where a
group needs to differ. For example, create Security pre-rules for policy that
managed firewalls must apply without exception, and create Security
post-rules to act as a cleanup for any traffic that did not match a Security
pre-rule.
Avoid overusing the Shared device group so that you do not exceed the capacity
limits of smaller managed firewalls. Managing configuration objects at the
appropriate device group level also keeps the number of Out of Sync firewalls
down: modifying a single Shared configuration object puts every managed
firewall Out of Sync, whereas a change in a lower-level device group affects
only the firewalls in that group and in the device groups that inherit from it.
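The following Python model is an added illustration and is not Panorama's own code or API. It encodes the two points above: the order in which a firewall evaluates rules it inherits (Shared pre-rules first, then each ancestor's pre-rules down to the firewall's own device group, then rules configured locally on the firewall, then post-rules from the firewall's device group up to Shared, then the intrazone-default and interzone-default rules), and which firewalls go Out of Sync when an object in a given device group changes. The device group names, rule names and firewall names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DeviceGroup:
    """One node of the hierarchy. Shared is the root and has no parent."""
    name: str
    parent: Optional[str] = None
    pre_rules: list = field(default_factory=list)   # Security pre-rules
    post_rules: list = field(default_factory=list)  # Security post-rules
    firewalls: list = field(default_factory=list)   # firewalls assigned here


class Hierarchy:
    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}
        for g in groups:
            if g.parent is not None and g.parent not in self.groups:
                raise ValueError(f"{g.name}: unknown parent {g.parent}")

    def lineage(self, name):
        """Inheritance path from Shared down to `name` (inclusive)."""
        chain = []
        while name is not None:
            g = self.groups[name]
            chain.append(g)
            name = g.parent
        return chain[::-1]

    def descendants(self, name):
        """All groups below `name`, each parent before its children."""
        out = []
        for g in self.groups.values():
            if g.parent == name:
                out.append(g)
                out.extend(self.descendants(g.name))
        return out

    def effective_rule_order(self, group, local_rules=()):
        """Evaluation order on a firewall in `group`: pre-rules from Shared
        downward, the firewall's local rules, post-rules from the firewall's
        own group upward to Shared, then the two default rules."""
        chain = self.lineage(group)
        order = [f"{g.name}:pre:{r}" for g in chain for r in g.pre_rules]
        order += [f"local:{r}" for r in local_rules]
        order += [f"{g.name}:post:{r}" for g in reversed(chain)
                  for r in g.post_rules]
        order += ["default:intrazone-default", "default:interzone-default"]
        return order

    def affected_firewalls(self, group):
        """Firewalls that go Out of Sync when an object in `group` changes:
        every firewall in that group and in all of its descendants."""
        scope = [self.groups[group]] + self.descendants(group)
        return [fw for g in scope for fw in g.firewalls]


def build_sample():
    """Constructed sample hierarchy; all names are illustrative only."""
    return Hierarchy([
        DeviceGroup("Shared", None, pre_rules=["block-known-bad"]),
        DeviceGroup("Corp", "Shared", pre_rules=["allow-dns"],
                    post_rules=["cleanup-deny"]),
        DeviceGroup("Branch", "Corp", pre_rules=["allow-guest-wifi"],
                    firewalls=["br-fw-1", "br-fw-2"]),
        DeviceGroup("DC", "Corp", post_rules=["deny-unknown-tcp"],
                    firewalls=["dc-fw-1"]),
    ])


if __name__ == "__main__":
    h = build_sample()
    for step in h.effective_rule_order("Branch", ["local-allow-mgmt"]):
        print(step)
    print("Shared change affects:", h.affected_firewalls("Shared"))
    print("Branch change affects:", h.affected_firewalls("Branch"))
```

Running it shows why a cleanup rule belongs in a post-rulebase (it is evaluated after every pre-rule and every local rule below it) and why an object edited in Shared touches every managed firewall, while the same edit in Branch touches only the two branch firewalls.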
Configure custom regions by using custom address objects to specify
address ranges or geolocations. Enterprises use the RFC 1918 address space,
but policies that govern the entire 10.0.0.0/8 network are not helpful.
Instead, define custom regions that cover only the address ranges or
geolocations that matter, so you can create more granular and relevant
policies and reduce your attack surface.
Configure the Master Device for each device group so that Panorama can
gather user group mappings. Having a Master Device configured in the
device group makes user groups available when you create policy rules.
Additionally, you can filter the ACC and Monitor tabs using the user group
mappings that Panorama gathers.
Associate Reference Templates so that a device group can refer to network
configuration objects contained in a template that the managed firewall does
not belong to, when it needs them to complete a security configuration. This
lets you take full advantage of common configuration objects across device
groups and templates without overusing the Shared device group or recreating
identical network configuration objects.