After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 1,024), as follows. Be sure to assign both firewalls in
an active-passive high availability (HA) configuration to the same
device group so that Panorama will push the same policy rules and objects
to those firewalls. PAN-OS doesn’t synchronize pushed rules across
HA peers. To manage rules and objects at different administrative
levels in your organization, Create a Device Group Hierarchy.
, and click
Enter a unique
identify the device group.
In the Devices section, select check boxes to assign
firewalls to the group. To search a long list of firewalls, use
You can assign any firewall to only one device group.
You can assign each virtual system on a firewall to a different
Group HA Peers
firewalls that are HA peers.
The firewall name of the passive or active-secondary
peer is in parentheses.
Parent Device Group
) that will be just above the device
group you are creating in the device group hierarchy.
If your policy rules will reference users and groups,
This will be the only firewall in the device group from
which Panorama gathers username and user group information.
to save your changes.
your changes to the Panorama configuration and
to the device group you added.