Manage Your Device Group Configurations on Panorama

Best practices for managing the security configuration of your managed firewalls using device groups from the Panorama™ management server.
Device groups provide a way to organize and reuse your policies by applying the principle of inheritance and implementing a well defined device group hierarchy. While Panorama enables you to reuse the same device group configuration across multiple device groups in a hierarchy, you can also customize any local configurations to override any inherited configuration.
  • When designing your device group hierarchy, consider your functional or regional needs and understand the difference between pre-rules and post-rules.
    For example, create any Security pre-rules that you want managed firewalls to apply without exception while creating Security post-rules to act as a cleanup for any traffic that did not match a Security pre-rule.
  • Avoid overuse of the
    Shared
    device group so you do not exceed the capacity limits for smaller managed firewalls. Managing configuration objects at the appropriate device group level helps minimize the number of
    Out of Sync
    firewalls more efficiently because all firewalls become
    Out of Sync
    if a single shared configuration object is modified.
  • Configure custom regions by using custom address objects to specify address ranges or geolocations.
    While enterprises use the RFC 1918 address space, policies governing the entire 10.0.0x network are not helpful. Instead define custom regions by using custom address objects to specify address ranges or geolocations. This allows you to create more granular and relevant policies to reduce your attack surface.
  • Configure the
    Master Device
    for each device group to enable Panorama to gather user group mappings. Having a Master Device configured in the device group makes user groups available when creating policy rules. Additionally, you can filter the ACC and Monitor tabs using the user group mappings gathered by Panorama.
  • Associate
    Reference Templates
    to refer to network configuration objects contained in a template that the managed firewall does not belong to in order to complete a security configuration. This allows you to take full advantage of common configuration objects across device groups and templates without overuse of the
    Shared
    device group or recreating the identical network configuration objects.

Recommended For You