Create a Device Group Hierarchy
- Plan the Device
  - Decide the device group levels, and which firewalls and virtual systems you will assign to each device group and the Shared location. You can assign any one firewall or virtual system (vsys) to only one device group. If a device group will be just an organizational container for lower level device groups, you don’t need to assign firewalls to it.
  - Remove firewall or vsys assignments from existing device groups if those assignments don’t fit your planned hierarchy.
    - Select Panorama > Device Groups and select the device group.
    - In the Devices section, clear the check boxes of firewalls and virtual systems you want to remove, and click OK.
  - If necessary, add more firewalls that you will assign to device groups: see Add a Firewall as a Managed Device.
- For each top-level device group, Add a Device Group.
  - In the Panorama > Device Groups page, click Add and enter a Name to identify the device group.
  - In the Devices section, select check boxes to assign firewalls and virtual systems to the device group.
  - Leave the Parent Device Group option at Shared (the default) and click OK.
- For each lower-level device group, Add a Device Group.
  If you move a device group to a different parent, all its descendant device groups move with it, along with all firewalls, policy rules, and objects associated with the device group and its descendants. If the new parent is in another access domain, the moved device group will no longer have membership in the original access domain. If the new access domain has read-write access for the parent device group, it will also have read-write access for the moved device group. If the new access domain has read-only access for the parent, it will have no access for the moved device group. To reconfigure access for device groups, see Configure an Access Domain.
  - For new device groups at each lower level, repeat the step “For each top-level device group, Add a Device Group,” but set the Parent Device Group to a device group at the next level above.
  - For each existing device group, in the Device Groups page, select the device group to edit it, select a Parent Device Group, and click OK.
- Configure, move, and clone objects and policy rules as needed to account for inheritance in the device group hierarchy.
  You can edit objects only at their location: the device group to which they are assigned. Descendant device groups inherit read-only instances of the objects from that location. However, you can optionally override the inherited values; see the step “Override inherited object values.”
  - Create Objects for Use in Shared or Device Group Policy, or edit existing objects.
  - Override inherited object values.
    Applicable only if object values in a particular device group must differ from the values inherited from an ancestor device group. After overriding an object, you can override it again in descendant device groups. However, you can never override shared or predefined (default) objects. In the Objects tab, inherited objects have a green icon in the Name column, and the Location column displays the ancestor device group.
    - In the Objects tab, select the object type (for example, Objects > Addresses).
    - Select the Device Group that will have the override instance.
    - Select the object and click Override.
    - Edit the values. You can’t edit the Name or Shared settings.
    - Click OK. The Name column displays a yellow-overlapping-green icon for the object to indicate it is overridden.
- Save and commit your changes.
  Commit to Panorama and push to device groups after any change to the hierarchy. You must also push changes to templates if a template references objects in a device group (such as interfaces referencing addresses), and a firewall assigned to the template is no longer assigned to that device group because of a hierarchy change.
  Select Commit > Commit and Push and then Commit and Push your changes to the Panorama configuration and to the device groups you added or changed.
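
The re-parenting rule in the lower-level device group step changes who can administer a device group, so it is worth checking a planned move on paper before making it. The following is an added example, not Palo Alto Networks code, and it does not talk to Panorama: it models the rule over constructed data. All group, firewall and access-domain names are hypothetical, and leaving access unchanged when one access domain already holds both the moved group and the new parent is an assumption, because the page does not cover that case.

```python
# Constructed planning data; all group, firewall and access-domain names are hypothetical.
PARENT = {"DG-EMEA": "Shared", "DG-UK": "DG-EMEA",
          "DG-London": "DG-UK", "DG-APAC": "Shared"}
FIREWALLS = {"DG-UK": ["fw-uk-1"], "DG-London": ["fw-lon-1"], "DG-APAC": ["fw-sg-1"]}
ACCESS_DOMAINS = {  # access domain -> {device group: access level}
    "emea-admins": {"DG-EMEA": "read-write", "DG-UK": "read-write"},
    "apac-admins": {"DG-APAC": "read-write"},
    "apac-audit": {"DG-APAC": "read-only"},
}


def subtree(parent, group):
    """Return the group plus every descendant; they all move together."""
    found, frontier = [group], [group]
    while frontier:
        current = frontier.pop()
        children = sorted(dg for dg, p in parent.items() if p == current)
        found.extend(children)
        frontier.extend(children)
    return found


def plan_move(group, new_parent, parent=PARENT, firewalls=FIREWALLS,
              domains=ACCESS_DOMAINS):
    """Report what moves with `group` and each access domain's access to it."""
    moved = subtree(parent, group)
    if new_parent in moved:
        raise ValueError(f"{new_parent} is {group} or one of its descendants")
    access = {}
    for name, grants in domains.items():
        before, on_parent = grants.get(group), grants.get(new_parent)
        if before is not None and on_parent is not None:
            after = before  # assumption: page is silent when one domain holds both
        elif on_parent == "read-write":
            after = "read-write"  # read-write on the new parent carries over
        else:
            after = None  # new parent is read-only here, or not in this domain
        access[name] = (before, after)
    return {"moves_with": moved,
            "firewalls": sorted(fw for dg in moved for fw in firewalls.get(dg, [])),
            "access": access}


if __name__ == "__main__":
    plan = plan_move("DG-UK", "DG-APAC")
    print("moves together:", plan["moves_with"], plan["firewalls"])
    for domain, (before, after) in plan["access"].items():
        print(f"{domain}: {before} -> {after}")
```

An access domain whose entry goes from an access level to `None` has lost the moved group and needs to be reconfigured if its administrators should keep managing it.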