Create and use groups in your security policy rules to make them more effective and readable. Additionally, you can leverage the Expedition and Best Practice Assessment (BPA) tools to iterate through revisions of your rulebase and strengthen your security posture.
Leverage Global Find when evaluating your policy rulebase to identify objects or rules that already exist before you create new ones. This reduces unnecessary clutter in your configuration, which ultimately slows down commits on Panorama.
Troubleshoot your policy rules to test whether a proposed policy rule change is already handled by an existing rule that only needs modification. This lets you avoid duplicate policy rules and keeps your policy rulebase from growing too large.
Use tag-based rule groups to identify a rule's purpose, function, lifecycle or other characteristics so that you can quickly sort and group like rules together. Tag-based rule groups let you visually distinguish sets of rules within a rulebase and manage them as a group, while still allowing you to modify a single rule in the group individually.
Enforce audit comments for policy rule creation and modification to support security audits, a critical operational function. A rule with a well-documented series of audit comments makes it easier to respond to an audit request than relying on rule descriptions or external tools. Additionally, you can supplement audit comments by entering a description when you commit configuration changes to Panorama.
Use dynamic constructs such as External Dynamic Lists, Dynamic Address Groups and Dynamic User Groups to streamline your configuration and simplify maintenance of your security policy rulebase. As your environment changes, their membership (list entries, IP-to-tag registrations, user-to-tag registrations) updates without a commit, so the rules that reference them do not need to be edited.
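The following is an added example, not code from the page or from PAN-OS: a simplified model of how a Dynamic Address Group resolves its members from IP-to-tag registrations, which is why tag changes take effect without a commit. PAN-OS match criteria quote tag names and join them with and/or (for example 'web' and 'prod'); the grammar below covers that subset plus parentheses and is an assumption about the syntax, not the firewall's own evaluator. The registrations are constructed sample data.

```python
# Added example (not PAN-OS code): evaluate Dynamic Address Group match criteria
# against a table of IP-to-tag registrations. Grammar assumed: quoted tags joined
# by 'and' / 'or', with parentheses for grouping.
import re

TOKEN_RE = re.compile(r"'[^']*'|\(|\)|\band\b|\bor\b")


def _parse(tokens):
    """Recursive descent over
         expr   := term ('or' term)*
         term   := factor ('and' factor)*
         factor := tag | '(' expr ')'
    Returns (predicate, next_position); the predicate takes a set of tags."""
    if not tokens:
        raise ValueError("empty match criteria")

    def factor(p):
        tok = tokens[p]
        if tok == "(":
            fn, p = expr(p + 1)
            if p >= len(tokens) or tokens[p] != ")":
                raise ValueError("expected ')'")
            return fn, p + 1
        if tok.startswith("'"):
            tag = tok[1:-1]
            return (lambda tags, t=tag: t in tags), p + 1
        raise ValueError(f"unexpected token {tok!r}")

    def term(p):
        fn, p = factor(p)
        while p < len(tokens) and tokens[p] == "and":
            rhs, p = factor(p + 1)
            fn = (lambda tags, a=fn, b=rhs: a(tags) and b(tags))
        return fn, p

    def expr(p):
        fn, p = term(p)
        while p < len(tokens) and tokens[p] == "or":
            rhs, p = term(p + 1)
            fn = (lambda tags, a=fn, b=rhs: a(tags) or b(tags))
        return fn, p

    return expr(0)


def compile_match(criteria):
    """Turn a match-criteria string into a predicate over a set of tags."""
    tokens = TOKEN_RE.findall(criteria)
    fn, end = _parse(tokens)
    if end != len(tokens):
        raise ValueError("trailing tokens in match criteria")
    return fn


def resolve_members(criteria, registrations):
    """registrations: {ip: set_of_tags}, as populated by IP-tag registration.
    Membership is computed from the current registrations every time, so a
    newly registered tag changes the result with no configuration change."""
    pred = compile_match(criteria)
    return sorted(ip for ip, tags in registrations.items() if pred(tags))


if __name__ == "__main__":
    # Constructed registrations (hypothetical IPs and tags).
    regs = {
        "10.1.1.10": {"web", "prod"},
        "10.1.1.11": {"web", "staging"},
        "10.1.2.20": {"db", "prod"},
    }
    print("prod web servers:", resolve_members("'web' and 'prod'", regs))
    regs["10.1.1.11"].add("prod")   # promote a host by registering a tag, no commit
    print("after registration:", resolve_members("'web' and 'prod'", regs))
```

Registering or unregistering a tag (via the XML API, VM monitoring or User-ID) changes the second result without touching the rule that references the group; that is the property the guidance above relies on.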
When creating a security policy rule, avoid selecting one or more managed firewalls in the Target tab (commonly referred to as policy targeting), because doing so makes the configuration synchronization status of managed firewalls unreliable. Policy targeting is evaluated on the firewall and not on Panorama, so managed firewalls to which a targeted rule is not pushed may erroneously display as Out of Sync.
Design your device group hierarchy to
minimize or avoid the need to target policies.
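The script below is an added example, not code from this page or from Palo Alto Networks, that applies three of the checks above (objects that already exist, rules with identical match criteria, and rules that use policy targeting) to a Panorama-style configuration export. The XML is constructed for the example; the element names follow the PAN-OS configuration schema as the author understands it (device-group/address, pre-rulebase/security/rules, target/devices) and should be treated as an assumption, not a copy of a real configuration.

```python
# Added example (not PAN-OS or Panorama code): lint a Panorama-style config export
# for duplicate address objects, rules with identical match criteria, and rules
# that use the Target tab. SAMPLE_XML is constructed; element names are assumed.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_XML = """<config><devices><entry name="localhost.localdomain">
<device-group><entry name="branch-dg">
  <address>
    <entry name="web-1"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="web-srv-1"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="db-1"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
  </address>
  <pre-rulebase><security><rules>
    <entry name="allow-web">
      <from><member>trust</member></from><to><member>untrust</member></to>
      <source><member>web-1</member></source><destination><member>any</member></destination>
      <application><member>ssl</member></application>
      <service><member>application-default</member></service><action>allow</action>
    </entry>
    <entry name="allow-web-copy">
      <from><member>trust</member></from><to><member>untrust</member></to>
      <source><member>web-1</member></source><destination><member>any</member></destination>
      <application><member>ssl</member></application>
      <service><member>application-default</member></service><action>allow</action>
      <target><devices><entry name="007000001234"/></devices></target>
    </entry>
    <entry name="allow-db">
      <from><member>trust</member></from><to><member>dmz</member></to>
      <source><member>web-1</member></source><destination><member>db-1</member></destination>
      <application><member>mysql</member></application>
      <service><member>application-default</member></service><action>allow</action>
    </entry>
  </rules></security></pre-rulebase>
</entry></device-group></entry></devices></config>"""

ADDRESS_TYPES = ("ip-netmask", "ip-range", "ip-wildcard", "fqdn")
MATCH_FIELDS = ("from", "to", "source", "destination", "application", "service", "action")


def parse(xml_text):
    return ET.fromstring(xml_text)


def duplicate_addresses(root):
    """Map each address value defined under more than one name to those names."""
    by_value = defaultdict(list)
    for container in root.iter("address"):
        for obj in container.findall("entry"):
            for t in ADDRESS_TYPES:
                node = obj.find(t)
                if node is not None:
                    by_value[(t, node.text.strip())].append(obj.get("name"))
                    break
    return {v: names for v, names in by_value.items() if len(names) > 1}


def _members(rule, field):
    """Normalise a rule field to a sorted tuple so member order does not matter."""
    node = rule.find(field)
    if node is None:
        return ()
    if node.find("member") is None:
        return (node.text.strip(),) if node.text else ()   # scalar, e.g. <action>
    return tuple(sorted(m.text.strip() for m in node.findall("member")))


def security_rules(root):
    return root.findall(".//security/rules/entry")


def duplicate_rules(root):
    """Group rules whose match criteria and action are identical."""
    groups = defaultdict(list)
    for rule in security_rules(root):
        key = tuple(_members(rule, f) for f in MATCH_FIELDS)
        groups[key].append(rule.get("name"))
    return [names for names in groups.values() if len(names) > 1]


def targeted_rules(root):
    """Return (rule name, [device serials]) for rules that use policy targeting."""
    out = []
    for rule in security_rules(root):
        serials = [d.get("name") for d in rule.findall("target/devices/entry")]
        if serials:
            out.append((rule.get("name"), serials))
    return out


if __name__ == "__main__":
    root = parse(SAMPLE_XML)
    print("duplicate address objects:", duplicate_addresses(root))
    print("rules with identical match criteria:", duplicate_rules(root))
    print("targeted rules (sync status may be misleading):", targeted_rules(root))
```

Run it against a real export (for example the output of the running-config XML API call, or a saved configuration) to get a shortlist to review before the next commit; the duplicate-rule check is deliberately strict (exact match on the listed fields) so it reports only rules that can be merged without changing policy.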