When designing your device group hierarchy, consider your functional or regional needs and understand the difference between pre-rules and post-rules.

For example, create any Security pre-rules that you want managed firewalls to apply without exception while creating Security post-rules to act as a cleanup for any traffic that did not match a Security pre-rule.

Avoid overuse of the Shared device group so you do not exceed the capacity limits for smaller managed firewalls. Managing configuration objects at the appropriate device group level helps minimize the number of Out of Sync firewalls more efficiently because all firewalls become Out of Sync if a single shared configuration object is modified.

Configure custom regions by using custom address objects to specify address ranges or geolocations.

While enterprises use the RFC 1918 address space, policies governing the entire 10.0.0x network are not helpful. Instead define custom regions by using custom address objects to specify address ranges or geolocations. This allows you to create more granular and relevant policies to reduce your attack surface.

Configure the Master Device for each device group to enable Panorama to gather user group mappings. Having a Master Device configured in the device group makes user groups available when creating policy rules. Additionally, you can filter the ACC and Monitor tabs using the user group mappings gathered by Panorama.

Associate Reference Templates to refer to network configuration objects contained in a template that the managed firewall does not belong to in order to complete a security configuration. This allows you to take full advantage of common configuration objects across device groups and templates without overuse of the Shared device group or recreating the identical network configuration objects.