Panorama > Device Groups
Device groups comprise firewalls and virtual systems you want to manage as a group, such as the firewalls that manage a group of branch offices or individual departments in a company. Panorama treats these groups as single units when applying policies. Firewalls can belong to only one device group but, because virtual systems are distinct entities in Panorama, you can assign virtual systems within a firewall to different device groups.
You can nest device groups in a tree hierarchy of up to four levels under the Shared location to implement a layered approach for managing policies across your network of firewalls. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups at successively higher levels—collectively called ancestors—from which the bottom-level device group inherits policies and objects. At the top level, a device group can have child, grandchild, and great-grandchild device groups—collectively called descendants. When you select Panorama > Device Groups, the Name column displays this device group hierarchy.
After adding, editing, or deleting a device group, perform a Panorama commit and device group commit (see Panorama Commit Operations). Panorama then pushes the configuration changes to the firewalls that are assigned to the device group; Panorama supports up to 1,024 device groups.
To configure a device group, Add one and configure the settings as described in the following table.
Device Group Settings
Enter a name to identify the group (up to 31 characters). The name is case-sensitive, must be unique across the entire device group hierarchy, and can contain only letters, numbers, spaces, hyphens, and underscores.
Enter a description for the device group.
Select each firewall that you want to add to the device group. If the list of firewalls is long, you can filter by Device State, Platforms, Templates, or Tags. The Filters section displays (in parentheses) the number of managed firewalls for each of these categories.
If the purpose of a device group is purely organizational (that is, to contain other device groups), you don’t need to assign firewalls to it.
Selects every firewall and virtual system in the list.
Deselects every firewall and virtual system in the list.
Group HA Peers
Select to group firewalls that are peers in a high availability (HA) configuration. The list then displays the active (or active-primary in an active/active configuration) firewall first and the passive (or active-secondary in an active/active configuration) firewall in parentheses. This enables you to easily identify firewalls that are in HA mode. When pushing shared policies, you can push to the grouped pair instead of individual peers.
For HA peers in an active/passive configuration, consider adding both firewalls or their virtual systems to the same device group. This enables you to push the configuration to both peers simultaneously.
If you want the Devices list to display only specific firewalls, select the firewalls and then Filter Selected.
Parent Device Group
Relative to the device group you are defining, select the device group (or the Shared location) that is just above it in the hierarchy (default is Shared).
To configure policy rules and reports based on usernames and user groups, you must select a Master Device. This is the firewall from which Panorama receives usernames, user group names, and username-to-group mapping information.
When you change the Master Device or set it to None, Panorama loses all the user and group information received from that firewall.
Store users and groups from Master Device
This option displays only if you select a Master Device. The option enables Panorama to locally store usernames, user group names, and username-to-group mapping information that it receives from the Master Device. To enable local storage, you must also select Panorama > Setup > Management, edit the Panorama Settings, and Enable reporting and filtering on groups.
Dynamically Added Device Properties—When a new device is added to the device group, Panorama dynamically applies the specified authorization code and PAN-OS software version to the new device. This displays only after a device group is associated with an NSX service definition in Panorama.
Enter the authorization code to be applied to devices added to this device group.
Select the software version to be applied to devices added to this device group.
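The limits stated on this page (names of up to 31 characters from a restricted character set, at most four levels under Shared, one device group per firewall, up to 1,024 device groups) can be checked against a planned hierarchy before it is built in Panorama. The following is an added example, not Palo Alto Networks code; the plan format, `validate_plan`, and the sample device names are hypothetical, and "letters" is assumed to mean ASCII letters.

```python
import re

# Limits taken from the page. ASCII-only letters is an assumption.
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")
MAX_DEPTH, MAX_GROUPS, SHARED = 4, 1024, "Shared"

# Constructed sample plan: five nested levels and a firewall claimed twice.
# Virtual systems are listed as separate entries ("firewall/vsysN").
SAMPLE_PLAN = {
    "EMEA": {"parent": "Shared", "devices": []},
    "EMEA-Branch": {"parent": "EMEA", "devices": ["fw-par-01"]},
    "EMEA-Branch-FR": {"parent": "EMEA-Branch", "devices": ["fw-par-01"]},
    "L4": {"parent": "EMEA-Branch-FR", "devices": ["fw-multi/vsys1"]},
    "L5": {"parent": "L4", "devices": ["fw-multi/vsys2"]},
}


def validate_plan(groups):
    """Return a list of problems found in a planned device group hierarchy.

    `groups` maps name -> {"parent": str, "devices": [str, ...]} (hypothetical
    format). Dict keys are case-sensitive and unique, like device group names.
    """
    problems = []
    if len(groups) > MAX_GROUPS:
        problems.append(f"{len(groups)} device groups exceeds {MAX_GROUPS}")
    owner = {}  # firewall or virtual system -> device group that claims it
    for name, spec in groups.items():
        if not NAME_RE.fullmatch(name):
            problems.append(f"{name!r}: invalid name")
        # Walk up to Shared, counting levels and catching loops or bad parents.
        depth, node, seen = 1, spec.get("parent", SHARED), {name}
        while node != SHARED:
            if node not in groups:
                problems.append(f"{name!r}: unknown parent {node!r}")
                break
            if node in seen:
                problems.append(f"{name!r}: parent loop via {node!r}")
                break
            seen.add(node)
            depth += 1
            node = groups[node].get("parent", SHARED)
        if depth > MAX_DEPTH:
            problems.append(f"{name!r}: level {depth} exceeds {MAX_DEPTH}")
        for dev in spec.get("devices", []):
            if dev in owner:
                problems.append(f"{dev!r}: in both {owner[dev]!r} and {name!r}")
            owner[dev] = name
    return problems
```

Calling `validate_plan(SAMPLE_PLAN)` reports the doubly assigned firewall and the fifth-level group; an empty list means the plan fits the limits above.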