Use Device Groups to Push Policy Rules

The third task in Use Case: Configure Firewalls Using Panorama is to create the device groups to manage policy rules on the firewalls.
1. Create device groups and assign the appropriate firewalls to each device group (see Add a Device Group).
   - In this example, create device groups named DG_BranchAndRegional and DG_DataCenter.
   - When configuring the DG_BranchAndRegional device group, you must assign a Master firewall. This is the only firewall in the device group that gathers user and group mapping information for policy evaluation.
2. Create a shared pre-rule to allow DNS and SNMP services.
   - Create a shared application group for the DNS and SNMP services.
     - Select Objects > Application Group and click Add.
     - Enter a Name and select the Shared check box to create a shared application group object.
     - Click Add, type DNS, and select dns from the list. Repeat for SNMP and select snmp and snmp-trap.
     - Click OK to create the application group.
   - Create the shared rule.
     - Select the Policies tab and, in the Device Group drop-down, select Shared.
     - Select the Security > Pre-Rules rulebase.
     - Click Add and enter a Name for the security rule.
     - In the Source and Destination tabs for the rule, click Add and enter a Source Zone and a Destination Zone for the traffic.
     - In the Applications tab, click Add, type the name of the application group object you just created, and select it from the drop-down.
     - In the Actions tab, set the Action to Allow, and click OK.
3. Define the corporate acceptable use policy for all offices. In this example, create a shared rule that restricts access to some URL categories and denies access to peer-to-peer traffic that is of risk level 3, 4, or 5.
   - Select the Policies tab and, in the Device Group drop-down, select Shared.
   - Select Security > Pre-Rules and click Add.
   - In the General tab, enter a Name for the security rule.
   - In the Source and Destination tabs, click Add and select any for the traffic Source Zone and Destination Zone.
   - In the Application tab, define the application filter:
     - Click Add and click New Application Filter in the footer of the drop-down.
     - Enter a Name, and select the Shared check box.
     - In the Risk column, select levels 3, 4, and 5.
     - In the Technology column, select peer-to-peer.
     - Click OK to save the new filter.
   - In the Service/URL Category tab, URL Category section, click Add and select the categories you want to block (for example, streaming-media, dating, and online-personal-storage).
   - You can also attach the default URL Filtering profile: in the Actions tab, Profile Setting section, select the Profile Type option Profiles, and select the URL Filtering option default.
   - Click OK to save the security pre-rule.
4. Allow Facebook for all users in the Marketing group in the regional offices only. Enabling a security rule based on user and group has the following prerequisite tasks:
   - Set up User-ID on the firewalls.
   - Enable User-ID for each zone that contains the users you want to identify.
   - Define a master firewall for the DG_BranchAndRegional device group (see step 1).
   Then create the rule:
   - Select the Policies tab and, in the Device Group drop-down, select DG_BranchAndRegional.
   - Select the Security > Pre-Rules rulebase.
   - Click Add and enter a Name for the security rule.
   - In the Source tab, Add the Source Zone that contains the Marketing group users.
   - In the Destination tab, Add the Destination Zone.
   - In the User tab, Add the Marketing user group to the Source User list.
   - In the Application tab, click Add, type Facebook, and then select it from the drop-down.
   - In the Action tab, set the Action to Allow.
   - In the Target tab, select the regional office firewalls and click OK.
5. Allow access to the Amazon cloud application for the specified hosts/servers in the data center.
   - Create an address object for the servers/hosts in the data center that need access to the Amazon cloud application.
     - Select Objects > Addresses and, in the Device Group drop-down, select DG_DataCenter.
     - Click Add and enter a Name for the address object.
     - Select the Type, and specify an IP address and netmask (IP Netmask), a range of IP addresses (IP Range), or an FQDN.
     - Click OK to save the object.
   - Create a security rule that allows access to the Amazon cloud application.
     - Select Policies > Security > Pre-Rules and, in the Device Group drop-down, select DG_DataCenter.
     - Click Add and enter a Name for the security rule.
     - Select the Source tab, Add the Source Zone for the data center, and Add the address object (Source Address) you just defined.
     - Select the Destination tab and Add the Destination Zone.
     - Select the Application tab, click Add, type amazon, and select the Amazon applications from the list.
     - Select the Action tab and set the Action to Allow.
     - Click OK to save the rule.
6. To enable logging for all internet-bound traffic on your network, create a rule that matches the trust zone to the untrust zone.
   - Select the Policies tab and, in the Device Group drop-down, select Shared.
   - Select the Security > Pre-Rules rulebase.
   - Click Add and enter a Name for the security rule.
   - In the Source and Destination tabs for the rule, Add trust_zone as the Source Zone and untrust_zone as the Destination Zone.
   - In the Action tab, set the Action to Deny, set the Log Setting to Log at Session End, and click OK.
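As an added example (not the page's or Palo Alto Networks' code), this Python simulation models the first-match lookup across the rulebase order Panorama pushes (shared pre-rules, then device-group pre-rules, then shared post-rules; local firewall rules are omitted) for the rules this procedure creates; zone, user, application and firewall names are constructed assumptions. It shows how the trust_zone to untrust_zone logging rule shadows the device-group rules when it sits in the shared pre-rulebase, and how the Target tab keeps the Marketing rule off firewalls that were not selected.

```python
# Added example, not Palo Alto Networks code: a first-match simulation of the Panorama
# rulebase order (assumed shared pre -> device-group pre -> shared post); names constructed.
from dataclasses import dataclass

ANY = frozenset({"any"})

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: frozenset = ANY      # source zones
    dst: frozenset = ANY      # destination zones
    apps: frozenset = ANY     # applications (or application-group members)
    users: frozenset = ANY    # source users or groups
    targets: frozenset = ANY  # Target tab: firewalls the rule is pushed to

def _hit(criterion, value):
    return "any" in criterion or value in criterion

def matches(rule, flow, firewall):
    """Every configured criterion must match, as in a PAN-OS policy lookup."""
    return (_hit(rule.targets, firewall) and _hit(rule.src, flow["src"])
            and _hit(rule.dst, flow["dst"]) and _hit(rule.apps, flow["app"])
            and _hit(rule.users, flow["user"]))

def evaluate(rulebases, flow, firewall):
    """rulebases: [(scope, [Rule]), ...] in evaluation order; first match wins."""
    for scope, rules in rulebases:
        for rule in rules:
            if matches(rule, flow, firewall):
                return scope, rule.name, rule.action
    return "implicit", "interzone-default", "deny"

# The rules this procedure creates (constructed values where the text is open)
DNS_SNMP = Rule("allow-dns-snmp", "allow", apps=frozenset({"dns", "snmp", "snmp-trap"}))
FACEBOOK = Rule("marketing-facebook", "allow", src=frozenset({"trust_zone"}),
                dst=frozenset({"untrust_zone"}), apps=frozenset({"facebook"}),
                users=frozenset({"Marketing"}), targets=frozenset({"fw-regional-1"}))
AMAZON = Rule("dc-amazon", "allow", src=frozenset({"dc_zone"}),
              dst=frozenset({"untrust_zone"}), apps=frozenset({"amazon-cloud"}))
CATCH_ALL = Rule("log-internet-bound", "deny", src=frozenset({"trust_zone"}),
                 dst=frozenset({"untrust_zone"}))
DG_RULES = {"DG_BranchAndRegional": [FACEBOOK], "DG_DataCenter": [AMAZON]}

def rulebase_for(device_group, catch_all_scope):
    """Rulebase for a firewall in device_group; catch_all_scope is 'shared-pre' or 'shared-post'."""
    pre = [DNS_SNMP] + ([CATCH_ALL] if catch_all_scope == "shared-pre" else [])
    post = [CATCH_ALL] if catch_all_scope == "shared-post" else []
    return [("shared-pre", pre), (device_group + "-pre", DG_RULES[device_group]),
            ("shared-post", post)]
```

Run `evaluate(rulebase_for("DG_BranchAndRegional", "shared-pre"), flow, "fw-regional-1")` for a Marketing user's Facebook session to see the catch-all deny hit first; with `"shared-post"` the device-group rule allows it.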