Device groups comprise firewalls and virtual systems you want to manage as a group, such as firewalls that manage a group of branch offices or individual departments in a company. Panorama treats each group as a single unit when applying policies. A firewall can belong to only one device group. Because virtual systems are distinct entities in Panorama, you can assign virtual systems within a firewall to different device groups.
You can nest device groups in a tree hierarchy of up to four levels under the Shared location to implement a layered approach for managing policies across the network of firewalls. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups at successively higher levels—collectively called ancestors—from which it inherits policies and objects. At the top level, a device group can have child, grandchild, and great-grandchild device groups—collectively called descendants. In the Device Groups page, the Name column reflects this hierarchy.
After adding, editing, or deleting a device group, you must perform both a Panorama and device group commit (see Commit Your Changes in Panorama). Panorama then pushes configuration changes to firewalls assigned to the device group. To configure a device group, click Add and complete the following fields.
| Device Group Setting | Description |
| --- | --- |
| Name | Enter a name to identify the group (up to 31 characters). The name is case-sensitive and must be unique across the entire device group hierarchy. Use only letters, numbers, spaces, hyphens, and underscores. |
| Description | Enter a description for the device group. |
| Devices | Select each firewall that you want to add to the device group. If the list of firewalls is long, you can filter by Device State, Platforms, Templates, or Tags. The Filters section displays (in parentheses) the number of managed firewalls for each of these categories. If the purpose of a device group is purely organizational (that is, to contain other device groups), you don’t need to assign firewalls to it. |
| Select All | Selects every firewall and virtual system in the list. |
| Deselect All | Deselects every firewall and virtual system in the list. |
| Group HA Peers | Select this option to group firewalls that are peers in a high availability (HA) configuration. The list then displays the active (or active-primary in an active/active configuration) firewall first and the passive (or active-secondary in an active/active configuration) firewall in parentheses. This enables you to easily identify firewalls that are in HA mode. When pushing shared policies, you can push to the grouped pair instead of individual peers. For HA peers in an active/passive configuration, consider adding both firewalls or their virtual systems to the same device group. This enables you to push the configuration to both peers simultaneously. |
| Filter Selected | If you want the Devices list to display only specific firewalls, select the firewalls and then Filter Selected. |
| Parent Device Group | Relative to the device group you are defining, select the device group (or the Shared location) that is just above it in the hierarchy (default is Shared). |
| Master Device | Select the one firewall in the device group from which Panorama will collect User-ID™ information for use in policies. The collected user and group mapping information is specific to the device group. |
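The naming, nesting, and membership rules described above can be checked against a planned hierarchy before it is entered and committed. The following is an added example, not Palo Alto Networks code: the plan layout, the `validate_plan` function, and the group and device identifiers are constructed for illustration and do not correspond to any Panorama format or API.

```python
import re

MAX_DEPTH = 4       # nesting levels allowed under Shared
MAX_NAME_LEN = 31
NAME_RE = re.compile(r"[A-Za-z0-9 _-]+")  # letters, numbers, spaces, - and _
SHARED = "Shared"

def validate_plan(groups):
    """Return the problems found in a planned device group hierarchy.

    groups maps name -> {"parent": name or "Shared", "devices": [ids]};
    this layout is an assumption of the example, not a Panorama format.
    """
    problems, owner = [], {}  # owner: device id -> group that claimed it
    for name, cfg in groups.items():
        if len(name) > MAX_NAME_LEN or not NAME_RE.fullmatch(name):
            problems.append(f"{name}: invalid name")
        # Walk up to Shared, counting levels and catching bad parent links.
        depth, seen, node = 1, {name}, cfg.get("parent", SHARED)
        while node != SHARED:
            if node not in groups:
                problems.append(f"{name}: unknown parent {node}")
                break
            if node in seen:
                problems.append(f"{name}: cycle in parent chain")
                break
            seen.add(node)
            depth += 1
            node = groups[node].get("parent", SHARED)
        if depth > MAX_DEPTH:
            problems.append(f"{name}: depth {depth} exceeds {MAX_DEPTH}")
        # A firewall or virtual system may belong to only one device group.
        for dev in cfg.get("devices", []):
            if dev in owner:
                problems.append(f"{dev}: in both {owner[dev]} and {name}")
            owner.setdefault(dev, name)
    return problems

# Constructed sample plan: one level too deep, one reused vsys, one bad name.
SAMPLE_PLAN = {
    "EMEA": {"parent": "Shared", "devices": []},
    "EMEA-Branches": {"parent": "EMEA", "devices": ["fw1/vsys1"]},
    "EMEA-Branches-DE": {"parent": "EMEA-Branches", "devices": ["fw2"]},
    "Berlin": {"parent": "EMEA-Branches-DE", "devices": []},
    "Berlin Lab": {"parent": "Berlin", "devices": ["fw1/vsys1"]},
    "guest.wifi": {"parent": "Shared", "devices": []},
}

if __name__ == "__main__":
    print("\n".join(validate_plan(SAMPLE_PLAN)))
```

Because the plan is keyed by name in a case-sensitive dictionary, two groups whose names differ only in case are treated as distinct, matching the case-sensitive uniqueness rule for the Name field.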

