Manage Unused Shared Objects
When you push configuration changes to Device Groups, by default Panorama pushes all shared objects to firewalls whether or not any shared or device group policy rules reference the objects. However, you can configure Panorama to push only the shared objects that rules reference in the device groups. The Share Unused Address and Service Objects with Devices option enables you to limit the objects that Panorama pushes to the managed firewalls.
When Share Unused Address and Service Objects with Devices is disabled, Panorama ignores the Target firewalls when you Push a Policy Rule to a Subset of Firewalls. This means that all objects referenced by any rules are pushed to all firewalls in the device group.
To limit the number of objects pushed to a set of managed firewalls, add the policy rules to a child device group and reference shared objects as needed. See Create a Device Group Hierarchy for more information on creating a child device group.
On lower-end models, such as the PA-200, consider pushing only the relevant shared objects to the managed firewalls. This is because the number of objects that can be stored on the lower-end models is considerably lower than that of the mid- to high-end models. Also, if you have many address and service objects that are unused, clearing Share Unused Address and Service Objects with Devices reduces the commit times significantly on the firewalls because the configuration pushed to each firewall is smaller. However, disabling this option might increase the commit time on Panorama because Panorama has to dynamically check whether policy rules reference a particular object.
- Select Panorama > Setup > Management, and edit the Panorama Settings.
- Clear the Share Unused Address and Service Objects with Devices option to push only the shared objects that rules reference, or select the option to re-enable pushing all shared objects.
- Click OK to save your changes.
- Select Commit > Commit to Panorama and Commit your changes.
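Before clearing the option, it can help to count how many shared address and service objects no rule references, since that is the reduction the firewalls would see. The script below is an added example, not Palo Alto Networks code: the XML is a constructed, simplified stand-in for a Panorama configuration export, the function name is hypothetical, and only rule `<member>` references and static address groups are considered.

```python
import xml.etree.ElementTree as ET

# Constructed sample, simplified from the layout of a Panorama config export
# (assumption: a real export has many more element types and rulebases).
SAMPLE = """<config>
  <shared>
    <address>
      <entry name="web-01"/><entry name="web-02"/><entry name="old-db"/>
    </address>
    <address-group><entry name="web-farm"><static>
      <member>web-01</member><member>web-02</member>
    </static></entry></address-group>
    <service><entry name="tcp-8443"/><entry name="tcp-9000"/></service>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="branch"><pre-rulebase><security><rules>
      <entry name="allow-web">
        <source><member>any</member></source>
        <destination><member>web-farm</member></destination>
        <service><member>tcp-8443</member></service>
      </entry>
    </rules></security></pre-rulebase></entry>
  </device-group></entry></devices>
</config>"""

def unused_shared_objects(xml_text):
    """Return shared address/service object names that no rule references."""
    root = ET.fromstring(xml_text)
    def names(path):
        return {e.get("name") for e in root.findall(path)}
    groups = {g.get("name"): {m.text for m in g.iter("member")}
              for g in root.findall("./shared/address-group/entry")}
    # Every <member> under any rule (shared or device group) is a reference.
    used = {m.text for rule in root.findall(".//rules/entry")
            for m in rule.iter("member")}
    # Expand address groups transitively so their members count as used.
    pending = [n for n in used if n in groups]
    while pending:
        for member in groups[pending.pop()] - used:
            used.add(member)
            if member in groups:
                pending.append(member)
    return {"address": sorted(names("./shared/address/entry") - used),
            "service": sorted(names("./shared/service/entry") - used)}

if __name__ == "__main__":
    print(unused_shared_objects(SAMPLE))
```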