Device Groups on Panorama allow you to centrally manage policies on the firewalls. Policies defined on Panorama are created either as Pre Rules or as Post Rules; Pre Rules and Post Rules allow you to take a layered approach to implementing policy.
Pre Rules and Post Rules can be defined in a shared context, as shared policies for all managed firewalls, or in a device group context, which makes them specific to that device group. Because Pre Rules and Post Rules are defined on Panorama and then pushed from Panorama to the managed firewalls, you can view the rules on the managed firewalls but can edit them only in Panorama.
Pre Rules — Rules that are added to the top of the rule order and are evaluated first. You can use Pre Rules to enforce the Acceptable Use Policy for an organization; for example, to block access to specific URL categories, or to allow DNS traffic for all users.
Post Rules — Rules that are added at the bottom of the rule order and are evaluated after the Pre Rules and the rules locally defined on the firewall. Post Rules typically include rules to deny access to traffic based on the App-ID™, User-ID, or Service.
Default Rules — Rules that instruct the firewall how to handle traffic that does not match any Pre Rules, Post Rules, or local firewall rules. These rules are part of Panorama’s predefined configuration. You must Override them to enable editing of select settings in these rules (see Overriding or Reverting a Security Policy Rule).
Use Preview Rules to view a list of the rules before you push the rules to the managed firewalls. Within each rulebase, the hierarchy of rules is visually demarcated for each device group (and managed firewall) to make it easier to scan through large numbers of rules.
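The layering described above can be modeled offline to check how a pushed rulebase will behave. The following Python sketch is an added example, not Palo Alto Networks code: it merges Pre Rules, local rules, Post Rules and a default rule in evaluation order, returns the first match, and reports rules that an earlier layer makes unreachable. The rule names, the two simplified match fields and the sample rulebase are all constructed for illustration.

```python
from dataclasses import dataclass

ANY = "any"
LAYER_ORDER = ("pre", "local", "post", "default")  # evaluation order of the layers

@dataclass(frozen=True)
class Rule:
    name: str
    layer: str          # "pre", "local", "post" or "default"
    app: str            # simplified match field (assumption): application or "any"
    url_category: str   # simplified match field (assumption): URL category or "any"
    action: str         # "allow" or "deny"

# Constructed sample rulebase; none of these names come from a real configuration.
RULES = [
    Rule("local-allow-gambling", "local", "web-browsing", "gambling", "allow"),
    Rule("local-allow-web", "local", "web-browsing", ANY, "allow"),
    Rule("block-gambling", "pre", ANY, "gambling", "deny"),
    Rule("allow-dns", "pre", "dns", ANY, "allow"),
    Rule("deny-bittorrent", "post", "bittorrent", ANY, "deny"),
    Rule("default-deny", "default", ANY, ANY, "deny"),
]

def effective_order(rules):
    """Merge the layers top-down; the stable sort keeps rule order inside a layer."""
    return sorted(rules, key=lambda r: LAYER_ORDER.index(r.layer))

def covers(rule, app, url_category):
    """True if the rule matches every session with this app and URL category."""
    return rule.app in (ANY, app) and rule.url_category in (ANY, url_category)

def evaluate(rules, app, url_category):
    """Return the first matching rule, as the firewall does."""
    for rule in effective_order(rules):
        if covers(rule, app, url_category):
            return rule
    raise LookupError("rulebase has no default rule")

def shadowed(rules):
    """List (rule, shadowing rule) pairs where an earlier rule covers all of a later one."""
    ordered, hits = effective_order(rules), []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later.app, later.url_category):
                hits.append((later.name, earlier.name))
                break
    return hits

if __name__ == "__main__":
    for name, by in shadowed(RULES):
        print(f"{name} is never evaluated: shadowed by {by}")
    print(evaluate(RULES, "web-browsing", "gambling").name)
```

Running the check against the merged order shows why a local allow rule cannot override a Pre Rule: the local administrator's rule exists on the firewall but never receives a hit.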
To create policies, see the relevant section for each rulebase:
