Use Device Groups to Push Policy Rules
End-of-Life (EoL)
The third task in Use Case: Configure Firewalls Using Panorama is to create the device groups that manage policy rules on the firewalls.
1. Create device groups and assign the appropriate firewalls to each device group (see Add a Device Group). In this example, create device groups named DG_BranchAndRegional and DG_DataCenter.
   When configuring the DG_BranchAndRegional device group, you must assign a Master firewall. This is the only firewall in the device group that gathers user and group mapping information for policy evaluation.
2. Create a shared pre-rule to allow DNS and SNMP services.
   - Create a shared application group for the DNS and SNMP services.
     - Select Objects > Application Groups and click Add.
     - Enter a Name and select the Shared check box to create a shared application group object.
     - Click Add, type DNS, and select dns from the list. Repeat for SNMP and select snmp and snmp-trap.
     - Click OK to create the application group.
   - Create the shared rule.
     - Select the Policies tab and, in the Device Group drop-down, select Shared.
     - Select the Security > Pre Rules rulebase.
     - Click Add and enter a Name for the security rule.
     - In the Source and Destination tabs for the rule, click Add and enter a Source Zone and a Destination Zone for the traffic.
     - In the Applications tab, click Add, type the name of the application group object you just created, and select it from the drop-down.
     - In the Actions tab, set the Action to Allow, and click OK.
3. Define the corporate acceptable use policy for all offices. In this example, create a shared rule that restricts access to some URL categories and denies access to peer-to-peer traffic that is of risk level 3, 4, or 5.
   - Select the Policies tab and, in the Device Group drop-down, select Shared.
   - Select Security > Pre Rules and click Add.
   - In the General tab, enter a Name for the security rule.
   - In the Source and Destination tabs, click Add and select any for the traffic Source Zone and Destination Zone.
   - In the Application tab, define the application filter:
     - Click Add and click New Application Filter in the footer of the drop-down.
     - Enter a Name, and select the Shared check box.
     - In the Risk column, select levels 3, 4, and 5.
     - In the Technology column, select peer-to-peer.
     - Click OK to save the new filter.
   - In the Service/URL Category tab, URL Category section, click Add and select the categories you want to block (for example, streaming-media, dating, and online-personal-storage).
   - You can also attach the default URL Filtering profile: in the Actions tab, Profile Setting section, set the Profile Type option to Profiles and the URL Filtering option to default.
   - Click OK to save the security pre-rule.
4. Allow Facebook for all users in the Marketing group in the regional offices only. Enabling a security rule based on user and group has the following prerequisite tasks:
   - Set up User-ID on the firewalls.
   - Enable User-ID for each zone that contains the users you want to identify.
   - Define a master firewall for the DG_BranchAndRegional device group (see step 1).
   Then create the rule:
   - Select the Policies tab and, in the Device Group drop-down, select DG_BranchAndRegional.
   - Select the Security > Pre Rules rulebase.
   - Click Add and enter a Name for the security rule.
   - In the Source tab, Add the Source Zone that contains the Marketing group users.
   - In the Destination tab, Add the Destination Zone.
   - In the User tab, Add the Marketing user group to the Source User list.
   - In the Application tab, click Add, type Facebook, and then select it from the drop-down.
   - In the Action tab, set the Action to Allow.
   - In the Target tab, select the regional office firewalls and click OK.
5. Allow access to the Amazon cloud application for the specified hosts/servers in the data center.
   - Create an address object for the servers/hosts in the data center that need access to the Amazon cloud application.
     - Select Objects > Addresses and, in the Device Group drop-down, select DG_DataCenter.
     - Click Add and enter a Name for the address object.
     - Select the Type, and specify an IP address and netmask (IP Netmask), a range of IP addresses (IP Range), or an FQDN.
     - Click OK to save the object.
   - Create a security rule that allows access to the Amazon cloud application.
     - Select Policies > Security > Pre Rules and, in the Device Group drop-down, select DG_DataCenter.
     - Click Add and enter a Name for the security rule.
     - Select the Source tab, Add the Source Zone for the data center, and Add the address object (Source Address) you just defined.
     - Select the Destination tab and Add the Destination Zone.
     - Select the Application tab, click Add, type amazon, and select the Amazon applications from the list.
     - Select the Action tab and set the Action to Allow.
     - Click OK to save the rule.
6. To enable logging for all internet-bound traffic on your network, create a rule that matches the trust zone to the untrust zone.
   - Select the Policies tab and, in the Device Group drop-down, select Shared.
   - Select the Security > Pre Rules rulebase.
   - Click Add and enter a Name for the security rule.
   - In the Source and Destination tabs for the rule, Add trust_zone as the Source Zone and untrust_zone as the Destination Zone.
   - In the Action tab, set the Action to Deny, set the Log Setting to Log at Session End, and click OK.
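The rules above end up in different places in the hierarchy (Shared, DG_BranchAndRegional with a Target subset, DG_DataCenter), and a firewall evaluates them in a fixed order: shared pre-rules, then device-group pre-rules from the top of the hierarchy down to its own group, then its local rules, then device-group post-rules, then shared post-rules, first match wins. The following script is an added example, not Palo Alto Networks code and not produced by Panorama; it models that order offline so you can see which rules each firewall actually receives and which rule a given session would hit before you commit. Everything in it is constructed for the demonstration: the serials (0001 branch, 0002 regional office, 0003 data center), zone names such as marketing_zone and dc_zone, the 10.10.10.0/24 address object, the application risk/technology table, and the sessions. One detail worth noting from the model: because shared pre-rules run before any device-group rule, the trust_zone to untrust_zone rule of step 6 is reached ahead of the facebook and Amazon rules whenever those rules use the same zone pair, so the example gives them their own source zones.

```python
"""Offline model of the rule order Panorama pushes to a managed firewall.

Added example, not Palo Alto Networks code. Rules follow the procedure
above; serials, zones, addresses and sessions are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed application catalogue: name -> (risk, technology), the two
# attributes the procedure's Application Filter matches on.
APPS = {
    "dns": (4, "network-protocol"), "snmp": (2, "network-protocol"),
    "snmp-trap": (2, "network-protocol"), "bittorrent": (5, "peer-to-peer"),
    "facebook-base": (4, "browser-based"), "web-browsing": (4, "browser-based"),
    "amazon-aws-console": (3, "browser-based"),
}

def _any() -> Set[str]:
    return {"any"}

@dataclass
class Rule:
    name: str
    action: str                                        # "allow" or "deny"
    src_zone: Set[str] = field(default_factory=_any)
    dst_zone: Set[str] = field(default_factory=_any)
    src_addr: Set[str] = field(default_factory=_any)   # address objects as CIDRs
    apps: Set[str] = field(default_factory=_any)       # explicit apps / app group
    app_filter: Optional[Tuple[Set[int], str]] = None  # (risk levels, technology)
    users: Set[str] = field(default_factory=_any)      # Source User groups
    categories: Set[str] = field(default_factory=_any) # URL categories
    targets: Optional[Set[str]] = None   # Target tab serials; None = whole group
    log_end: bool = False                # Log at Session End

def _hit(selector: Set[str], value: str) -> bool:
    return "any" in selector or value in selector

def _addr_hit(selector: Set[str], ip: str) -> bool:
    return "any" in selector or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(net) for net in selector)

def matches(rule: Rule, s: dict) -> bool:
    """Every criterion of a security rule must hold for the rule to match."""
    risk, tech = APPS[s["app"]]
    app_ok = _hit(rule.apps, s["app"]) or (
        rule.app_filter is not None
        and risk in rule.app_filter[0] and tech == rule.app_filter[1])
    return (app_ok and _hit(rule.src_zone, s["src_zone"])
            and _hit(rule.dst_zone, s["dst_zone"])
            and _addr_hit(rule.src_addr, s["src_ip"])
            and _hit(rule.users, s["user"])
            and _hit(rule.categories, s["category"]))

# Device-group hierarchy and membership (constructed serials: 0001 branch,
# 0002 regional office, 0003 data center).
DG_PARENT = {"Shared": None, "DG_BranchAndRegional": "Shared", "DG_DataCenter": "Shared"}
FIREWALLS = {"0001": "DG_BranchAndRegional", "0002": "DG_BranchAndRegional",
             "0003": "DG_DataCenter"}

PRE_RULES: Dict[str, List[Rule]] = {
    "Shared": [                                      # steps 2, 3 and 6
        Rule("allow-dns-snmp", "allow", {"trust_zone"}, {"untrust_zone"},
             apps={"dns", "snmp", "snmp-trap"}),
        Rule("corp-acceptable-use", "deny", apps=set(),
             app_filter=({3, 4, 5}, "peer-to-peer"),
             categories={"streaming-media", "dating", "online-personal-storage"}),
        Rule("log-internet-bound", "deny", {"trust_zone"}, {"untrust_zone"},
             log_end=True),
    ],
    "DG_BranchAndRegional": [                        # step 4, regional firewall only
        Rule("allow-marketing-facebook", "allow", {"marketing_zone"}, {"untrust_zone"},
             apps={"facebook-base"}, users={"Marketing"}, targets={"0002"}),
    ],
    "DG_DataCenter": [                               # step 5
        Rule("allow-dc-amazon", "allow", {"dc_zone"}, {"untrust_zone"},
             src_addr={"10.10.10.0/24"}, apps={"amazon-aws-console"}),
    ],
}
POST_RULES: Dict[str, List[Rule]] = {}               # none in this procedure

def effective_rulebase(serial: str, local=()) -> List[Rule]:
    """Rules the firewall actually receives, in evaluation order."""
    chain, dg = [], FIREWALLS[serial]
    while dg:
        chain.append(dg)
        dg = DG_PARENT[dg]
    chain.reverse()                                  # Shared first, own group last
    pushed = lambda rules: [r for r in rules if r.targets is None or serial in r.targets]
    pre = [r for g in chain for r in pushed(PRE_RULES.get(g, []))]
    post = [r for g in reversed(chain) for r in pushed(POST_RULES.get(g, []))]
    return pre + list(local) + post

def evaluate(serial: str, s: dict) -> Tuple[str, str, bool]:
    """First-match lookup; returns (rule name, action, logged at session end)."""
    for rule in effective_rulebase(serial):
        if matches(rule, s):
            return rule.name, rule.action, rule.log_end
    if s["src_zone"] == s["dst_zone"]:               # PAN-OS default rules
        return "intrazone-default", "allow", False
    return "interzone-default", "deny", False

def sess(src_zone, dst_zone, src_ip, user, app, category="unknown") -> dict:
    return dict(src_zone=src_zone, dst_zone=dst_zone, src_ip=src_ip,
                user=user, app=app, category=category)

# Constructed sessions to evaluate.
SESSIONS = {
    "branch-dns": sess("trust_zone", "untrust_zone", "10.1.1.5", "unknown", "dns"),
    "branch-p2p": sess("trust_zone", "untrust_zone", "10.1.1.5", "unknown",
                       "bittorrent", "online-personal-storage"),
    "marketing-facebook": sess("marketing_zone", "untrust_zone", "10.2.1.7",
                               "Marketing", "facebook-base", "social-networking"),
    "dc-amazon": sess("dc_zone", "untrust_zone", "10.10.10.20", "unknown", "amazon-aws-console"),
    "dc-amazon-other-host": sess("dc_zone", "untrust_zone", "10.10.20.5", "unknown",
                                 "amazon-aws-console"),
    "branch-web": sess("trust_zone", "untrust_zone", "10.1.1.9", "unknown", "web-browsing", "news"),
}

if __name__ == "__main__":
    for serial in FIREWALLS:
        print(serial, [r.name for r in effective_rulebase(serial)])
    for name, s in SESSIONS.items():
        for serial in FIREWALLS:
            print(f"{name:22s} on {serial}: {evaluate(serial, s)}")
```

Run as-is to print each firewall's effective rulebase and the verdict for every constructed session. The useful checks are the negative ones: the branch firewall (0001) never sees allow-marketing-facebook because it is not in the rule's Target set, and a data-center host outside the address object falls through to the interzone default deny rather than the Amazon rule.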