Defining Policies on Panorama

Device Groups on Panorama allow you to centrally manage policies on the firewalls. Policies defined on Panorama are created either as Pre Rules or Post Rules; Pre Rules and Post Rules allow you to create a layered approach in implementing policy.
Pre rules and Post rules can be defined in a shared context as shared policies for all managed firewalls or in a device group context to make it specific to a device group. Because Pre rules and Post Rules are defined on Panorama and then pushed from Panorama to the managed firewalls, you can view the rules on the managed firewalls but can edit the Pre Rules and Post Rules only in Panorama.
  • Pre Rules—Rules that are added to the top of the rule order and are evaluated first. You can use pre-rules to enforce the Acceptable Use Policy for an organization; for example, to block access to specific URL categories or to allow DNS traffic for all users.
  • Post Rules—Rules that are added at the bottom of the rule order and are evaluated after the pre-rules and rules that are locally defined on the firewall. Post-rules typically include rules to deny access to traffic based on the App-ID™, User-ID™, or Service.
  • Default Rules—Rules that specify how the firewall handles traffic that does not match any Pre Rules, Post Rules, or local firewall rules. These rules are part of the predefined Panorama configuration. To Override and enable editing of select settings in these rules, see Overriding or Reverting a Security Policy Rule.
Preview Rules to view a list of all rules before you push the rules to the managed firewalls. Within each rulebase, the hierarchy of rules is visually demarcated for each device group (and managed firewall) to make it easier to scan through a large numbers of rules.
When you add or edit a rule in Panorama, a Target tab displays. You can use this tab to apply the rule to specific firewalls or descendant device groups of the Device Group (or Shared location) where the rule is defined. In the Target tab, Any is selected by default, which means the rule applies to all the firewalls and descendant device groups. To target specific firewalls or device groups, clear Any and select their names. To exclude specific firewalls or device groups, clear Any, select their names, and select Target to all but these specified devices. If the list of device groups and firewalls is long, you can apply Filters to search the entries by attributes (such as Platforms) or by a text string for matching names.
To create policies, see the relevant section for each rulebase:

Related Documentation