Panorama > Device Groups
Device groups comprise firewalls and virtual systems you want to manage as a group, such as the firewalls that manage a group of branch offices or individual departments in a company. Panorama treats these groups as single units when applying policies. Firewalls can belong to only one device group but, because virtual systems are distinct entities in Panorama, you can assign virtual systems within a firewall to different device groups.
You can nest device groups in a tree hierarchy of up to four levels under the Shared location to implement a layered approach for managing policies across your network of firewalls. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups at successively higher levels—collectively called ancestors—from which the bottom-level device group inherits policies and objects. At the top level, a device group can have child, grandchild, and great-grandchild device groups—collectively called descendants. When you select , the Name column displays this device group hierarchy.
After adding, editing, or deleting a device group, perform a Panorama commit and device group commit (see Panorama Commit Operations). Panorama then pushes the configuration changes to the firewalls that are assigned to the device group; Panorama supports up to 1,024 device groups.
To configure a device group, Add one and configure the settings as described in the following table.
Device Group Settings
Enter a name to identify the group (up to 31 characters). The name is case-sensitive, must be unique across the entire device group hierarchy, and can contain only letters, numbers, spaces, hyphens, and underscores.
Enter a description for the device group.
Select each firewall that you want to add to the device group. If the list of firewalls is long, you can filter by Tags. The Filters section displays (in parentheses) the number of managed firewalls for each of these categories.
If the purpose of a device group is purely organizational (that is, to contain other device groups), you don’t need to assign firewalls to it.
Selects every firewall and virtual system in the list.
Deselects every firewall and virtual system in the list.
Group HA Peers
Select to group firewalls that are peers in a high availability (HA) configuration. The list then displays the active (or active-primary in an active/active configuration) firewall first and the passive (or active-secondary in an active/active configuration) firewall in parentheses. This enables you to easily identify firewalls that are in HA mode. When pushing shared policies, you can push to the grouped pair instead of individual peers.
For HA peers in an active/passive configuration, consider adding both firewalls or their virtual systems to the same device group. This enables you to push the configuration to both peers simultaneously.
If you want the Devices list to display only specific firewalls, select the firewalls and then
Parent Device Group
Relative to the device group you are defining, select the device group (or the Shared location) that is just above it in the hierarchy (default is
To configure policy rules and reports based on usernames and user groups, you must select a Master Device. This is the firewall from which Panorama receives usernames, user group names, and username-to-group mapping information.
When you change the Master Device or set it to None, Panorama loses all the user and group information received from that firewall.
Store users and groups from Master Device
This option displays only if you select a Master Device. The option enables Panorama to locally store usernames, user group names, and username-to-group mapping information that it receives from the Master Device. To enable local storage, you must also select , edit the Panorama Settings, and Enable reporting and filtering on groups.
Dynamically Added Device Properties—When a new device is added to the device group, Panorama dynamically applies the specified authorization code and PAN-OS software version to the new device. This displays only after a device group is associated with an NSX service definition in Panorama.
Enter the authorization code to be applied to devices added to this device group.
Select the software version to be applied to devices added to this device group.
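A planned device group layout can be checked against the limits stated above (name rules, four levels under Shared, one device group per firewall or virtual system, 1,024 groups) before anything is committed. The following is an added example, not Palo Alto Networks code, and it checks the whole hierarchy at once rather than one setting. The `plan` input format, the `validate` function, and the sample names and serial numbers are assumptions made for illustration.

```python
import re

# Limits stated in the text above.
MAX_NAME_LEN, MAX_DEPTH, MAX_GROUPS, SHARED = 31, 4, 1024, "Shared"
NAME_RE = re.compile(r"[A-Za-z0-9 _-]+")  # letters, numbers, spaces, hyphens, underscores

def validate(plan):
    """plan: list of (name, parent, members); members are (serial, vsys or None).
    Constructed planning format, not a Panorama export. Returns a list of problems."""
    problems, parents, owner = [], {}, {}
    if len(plan) > MAX_GROUPS:
        problems.append(f"{len(plan)} device groups exceeds the limit of {MAX_GROUPS}")
    for name, parent, members in plan:
        if len(name) > MAX_NAME_LEN or not NAME_RE.fullmatch(name):
            problems.append(f"{name!r}: name breaks the length or character rules")
        if name in parents:  # names are case-sensitive, so compare exactly
            problems.append(f"{name!r}: name is not unique in the hierarchy")
        parents[name] = parent
        for member in members:
            # Assumption: a (serial, vsys) pair is the unit that belongs to one group.
            if member in owner and owner[member] != name:
                problems.append(f"{member}: assigned to {owner[member]!r} and {name!r}")
            owner.setdefault(member, name)
    for name in parents:
        # Walk up to Shared, counting levels and catching unknown parents or loops.
        level, node, seen = 1, parents[name], {name}
        while node != SHARED:
            if node not in parents or node in seen:
                problems.append(f"{name!r}: parent chain is broken or loops at {node!r}")
                break
            seen.add(node)
            level, node = level + 1, parents[node]
        else:
            if level > MAX_DEPTH:
                problems.append(f"{name!r}: level {level} is deeper than {MAX_DEPTH}")
    return problems

# Constructed sample plan: serial numbers and group names are made up.
SAMPLE = [
    ("EMEA", "Shared", []),                      # purely organizational, no firewalls
    ("EMEA-Branches", "EMEA", [("0001", "vsys1")]),
    ("EMEA-DMZ", "EMEA", [("0001", "vsys2")]),   # same firewall, different vsys: allowed
    ("EMEA/Lab", "EMEA", [("0001", "vsys1")]),   # bad character and duplicate assignment
    ("L2", "EMEA-DMZ", []), ("L3", "L2", []), ("L4", "L3", []),  # L4 sits at level 5
]

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print(problem)
```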