Move a Firewall to a Different Device Group

Migrate a managed firewall from one device group to another on Panorama to change its policy and object inheritance.
Where Can I Use This?
  • NGFW (Managed by Panorama)
What Do I Need?
  • Panorama administrator or device group administrator role
Move a firewall to a different device group when organizational changes require different security policies and objects. Common scenarios include organizational restructuring, mergers and acquisitions, role-based policy changes, or migrating workloads between business units. Each managed firewall or virtual system can belong to only one device group at a time. Moving a firewall changes which policies and objects it inherits from Panorama.
Moving a firewall to a new device group removes all policies and objects inherited from the old group. If the firewall relies on specific security rules, NAT rules, or objects from the old device group, move or clone them to the new device group (or a shared parent) before moving the device to prevent traffic drops and avoid validation errors.
If you do not move required policies and objects first, you may encounter validation errors including:
  • Duplicate object names across rulebases
  • Duplicate addresses and address groups
  • Duplicate VPN tunnels and NAT rules
  • Invalid IP address references
  • Configuration conflicts that prevent commits
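A pre-move check can surface most of the problems listed above before you touch the device group membership. The following script is an added example, not part of the Palo Alto Networks documentation or product: it parses a Panorama configuration export (a constructed, reduced sample is embedded below; the element layout follows the Panorama configuration structure but the exact XPaths should be verified against your own export) and reports, for a source and destination device group, the objects that the source group's rules reference but that exist in neither the destination group nor Shared (they would be lost after the move), and object names defined in both groups with different definitions (the duplicate-name class of validation error). It looks only at objects defined directly in the two groups and in Shared; objects inherited from intermediate parent device groups are outside its scope.

```python
"""Pre-move check for a Panorama device-group move (added example).

Assumptions (not from the documentation): the config XML follows the
Panorama layout /config/shared/<type>/entry and
/config/devices/entry[@name='localhost.localdomain']/device-group/entry,
with rules under pre-rulebase/post-rulebase/security/rules/entry.
"""
import xml.etree.ElementTree as ET

# Constructed sample: "dg-old" owns one firewall and three rules; "dg-new"
# redefines web-srv with a different address and lacks db-srv entirely.
SAMPLE_CONFIG = """<config>
 <shared>
  <address><entry name="dns-server"><ip-netmask>10.0.0.53/32</ip-netmask></entry></address>
 </shared>
 <devices><entry name="localhost.localdomain"><device-group>
  <entry name="dg-old">
   <devices><entry name="001234567890"/></devices>
   <address>
    <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="db-srv"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
   </address>
   <pre-rulebase><security><rules>
    <entry name="allow-web"><source><member>any</member></source>
      <destination><member>web-srv</member></destination></entry>
    <entry name="allow-db"><source><member>web-srv</member></source>
      <destination><member>db-srv</member></destination></entry>
    <entry name="allow-dns"><source><member>any</member></source>
      <destination><member>dns-server</member></destination></entry>
   </rules></security></pre-rulebase>
  </entry>
  <entry name="dg-new">
   <devices/>
   <address>
    <entry name="web-srv"><ip-netmask>10.9.9.10/32</ip-netmask></entry>
   </address>
   <pre-rulebase><security><rules/></security></pre-rulebase>
  </entry>
 </device-group></entry></devices>
</config>"""

BUILTIN = {"any"}  # rule keywords that are not objects
OBJECT_TYPES = ("address", "address-group", "service", "service-group")
DG_XPATH = "./devices/entry[@name='localhost.localdomain']/device-group/entry[@name='{}']"


def _objects(node):
    """Map object name -> (type, canonical definition) for objects under node."""
    result = {}
    if node is None:
        return result
    for otype in OBJECT_TYPES:
        for entry in node.findall(f"./{otype}/entry"):
            # Serialize the children so two definitions can be compared exactly.
            body = "".join(ET.tostring(c, encoding="unicode").strip() for c in entry)
            result[entry.get("name")] = (otype, body)
    return result


def _referenced(dg):
    """All member names used by security rules in the pre- and post-rulebase."""
    names = set()
    for rulebase in ("pre-rulebase", "post-rulebase"):
        for member in dg.findall(f"./{rulebase}//rules/entry//member"):
            if member.text and member.text not in BUILTIN:
                names.add(member.text)
    return names


def check_move(config_xml, src_name, dst_name):
    """Return objects that would be lost and names that would conflict."""
    root = ET.fromstring(config_xml)
    src = root.find(DG_XPATH.format(src_name))
    dst = root.find(DG_XPATH.format(dst_name))
    if src is None or dst is None:
        raise ValueError("device group not found")
    shared = _objects(root.find("./shared"))
    src_objs, dst_objs = _objects(src), _objects(dst)
    referenced = _referenced(src)
    # Referenced by a source rule, defined only in the source group: lost on move.
    missing = sorted(n for n in referenced
                     if n in src_objs and n not in dst_objs and n not in shared)
    # Same name in both groups, different definition: validation conflict.
    conflicts = sorted(n for n in src_objs
                       if n in dst_objs and src_objs[n] != dst_objs[n])
    return {"missing": missing, "conflicts": conflicts}


if __name__ == "__main__":
    print(check_move(SAMPLE_CONFIG, "dg-old", "dg-new"))
```

Anything reported under "missing" is a candidate for Move or Clone into the destination group (or a shared parent) in step 1 below; anything under "conflicts" needs a decision about which definition should win before the commit, because renaming or reconciling after the device has moved is what produces the duplicate-name errors.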
  1. (Optional but Recommended) Move or clone required policies and objects to the new device group.
    If the firewall depends on policies or objects that exist only in the old device group, move or clone them to the new device group before moving the firewall.
    1. Select Policies > Security (or the relevant policy type).
    2. For Device Group, choose the source device group (the group the firewall is currently in).
    3. Select the policy rules you want to keep for the firewall.
    4. Click Move (to remove from the old group and add to the new group) or Clone (to keep in the old group and add to the new group).
    5. Select the destination device group and click OK.
    6. Repeat for any required address objects, address groups, service objects, or other policy objects.
  2. Move the firewall to the new device group.
    1. Select Panorama > Device Groups.
    2. In the device group list, select the source device group (the group the firewall is currently in).
      Click Edit to open the device group configuration.
    3. In the Devices section, uncheck the box next to the firewall to remove it from this device group.
    4. Click OK.
    5. In the device group list, select the destination device group (the group you want to move the firewall to).
      Click Edit to open the device group configuration.
    6. In the Devices section, check the box next to the firewall to add it to this device group.
    7. Click OK.
  3. Commit the changes to Panorama.
    1. Click Commit and select Commit to Panorama.
    2. Verify the changes and click Commit.
      This updates Panorama to reflect that the device now belongs to the new device group. The firewall has not yet received the new configuration.
  4. Push the configuration to the firewall.
    1. Click Commit and select Push to Devices (or Commit and Push if you skipped the previous step).
    2. Click Edit Selections.
    3. In the Device Groups tab, select the destination device group.
    4. Ensure the firewall you moved is selected in the device list.
    5. (Optional) Select Force Template Values if the new device group or template stack has significantly different network settings you need to enforce.
      A standard push is usually sufficient for policy and object changes. Use Force Template Values only when you need to override local template settings on the firewall.
    6. Click OK and then click Push.
  5. Verify the firewall received the configuration from the new device group.
    1. Select Panorama > Managed Devices > Summary.
    2. Verify the Device State shows Connected and the Config column shows In sync.
    3. Verify the Device Group column shows the correct destination device group name.
Alternative Method: Use Device Reassociation
You can also move a firewall between device groups using the Reassociate function in Panorama. This method allows you to change the device group assignment along with template stack and other associations in a single operation.