You can Create a Device Group Hierarchy to
nest device groups in a tree hierarchy of up to four levels, with
lower-level groups inheriting the settings (policy rules and objects)
of higher-level groups. At the bottom level, a device group can have
parent, grandparent, and great-grandparent device groups (
At the top level, a device group can have child, grandchild, and
great-grandchild device groups (
). All device
groups inheriting settings from the
container at the top of the hierarchy for configurations that are
common to all device groups.
Creating a device group hierarchy enables you to organize firewalls
based on common policy requirements without redundant configuration.
For example, you could configure shared settings that are global
to all firewalls, configure device groups with function-specific
settings at the first level, and configure device groups with location-specific
settings at lower levels. Without a hierarchy, you would have to
configure both function- and location-specific settings for every
device group in a single level under Shared.
For details on the order in which firewalls evaluate policy rules
in a device group hierarchy, see Device Group Policies.
For details on overriding the values of objects that device groups
inherit from ancestor device groups, see Device Group Objects.
In a multiple Panorama plugin deployment to perform, a device
group containing firewalls deployed in a particular hypervisor cannot
be the child or parent of a device group containing firewalls deployed
in a different hypervisor. For example, if Panorama receives IP
address updates from VMware NSX-V and AWS, you cannot create a device
group of NSX-V VM-Series firewalls that is a child of an AWS VM-Series
firewall device group.