A policy target allows you to specify the firewalls in a device group to which to push policy rules. It allows you to exclude one or more firewalls or virtual systems, or to apply a rule only to specific firewalls or virtual systems in a device group.
The ability to target a rule enables you to keep policies centralized on Panorama; it offers visibility and efficiency in managing the rules. Instead of creating local rules on a firewall or virtual system, targeted rules allow you to define the rules (as shared or device group pre- or post-rules) on Panorama (for details, see Device Group Policies).
Push a Policy Rule to a Subset of Firewalls
1. Create a rule. In this example, we define a pre-rule in the Security rulebase that permits users on the internal network to access the servers in the DMZ.
   a. Select the Policies tab and select the Device Group for which you want to define a rule.
   b. Select the rulebase. For this example, select Policies > Security > Pre-Rules.
   c. Click Add and, in the General tab, enter a descriptive rule Name.
   d. In the Source tab, set the Source Zone to Trust.
   e. In the Destination tab, set the Destination Zone to DMZ.
   f. In the Service/URL Category tab, set the Service to application-default.
   g. In the Actions tab, set the Action to Allow.
   h. Leave all the other options at the default values.
2. Target the rule to include or exclude a subset of firewalls.
   To apply the rule to a selected set of firewalls:
   a. Select the Target tab in the Policy Rule window.
   b. Select the firewalls on which you want the rule to apply. If you do not select firewalls to target, the rule is added to all of the (unchecked) firewalls in the device group. By default, although the check box for the virtual systems in the device group is unchecked, all the virtual systems will inherit the rule on commit. Select the check box for one or more virtual systems to which you want the rule to apply.
   c. (Optional) To exclude a subset of firewalls from inheriting the rule, select the check box Install on all but specified devices. If you select Install on all but specified devices and do not select any firewall, the rule is added to none of the firewalls in the device group.
   d. Click OK to add the rule.
3. Save the configuration changes.
   a. Click Commit, for the Commit Type select Panorama, and click Commit again.
   b. Click Commit, for the Commit Type select Device Group, select the device group to which you just added the rule, and click Commit again.
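The Target tab behaviour described above can be modelled to check, before a commit, which firewalls each rule will land on. The following is an added example, not Panorama code or its configuration format: the `Rule` structure, the firewall names and the rule names are hypothetical, virtual systems are not modelled, and it assumes that a selected firewall that is not in the device group matches nothing.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    selected: set = field(default_factory=set)  # firewalls ticked in the Target tab
    negate: bool = False  # "Install on all but specified devices"

def effective_targets(rule, group):
    """Return the firewalls in `group` that receive `rule`."""
    # Assumption: a selected firewall outside the device group matches nothing.
    chosen = rule.selected & group
    if rule.negate:
        # Negate with nothing selected: the rule is added to no firewall.
        return group - chosen if rule.selected else set()
    # Nothing selected and no negate: every firewall in the device group.
    return chosen if rule.selected else set(group)

def audit(rules, group):
    """Flag rules whose target leaves them on no firewall or names unknown firewalls."""
    findings = []
    for r in rules:
        stale = r.selected - group
        if stale:
            findings.append((r.name, "target not in device group: " + ", ".join(sorted(stale))))
        if not effective_targets(r, group):
            findings.append((r.name, "reaches no firewall"))
    return findings

def rules_per_firewall(rules, group):
    """Rule names each firewall inherits, in rulebase order."""
    return {fw: [r.name for r in rules if fw in effective_targets(r, group)]
            for fw in sorted(group)}

# Constructed sample data (hypothetical firewall and rule names).
GROUP = {"fw-dc-1", "fw-dc-2", "fw-branch-1"}
RULES = [
    Rule("trust-to-dmz"),
    Rule("dc-only", {"fw-dc-1", "fw-dc-2"}),
    Rule("all-but-branch", {"fw-branch-1"}, negate=True),
    Rule("negate-empty", negate=True),
    Rule("stale-target", {"fw-retired"}),
]

if __name__ == "__main__":
    for fw, names in rules_per_firewall(RULES, GROUP).items():
        print(fw, names)
    for name, issue in audit(RULES, GROUP):
        print("FINDING", name, issue)
```

The two findings worth reviewing before a commit are an Allow or Deny rule that reaches no firewall, which silently enforces nothing, and an untargeted rule that reaches every firewall when it was meant for a subset.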

