Push a Policy Rule to a Subset of Firewalls

A policy target allows you to specify the firewalls in a device group to which to push policy rules. It allows you to exclude one or more firewalls or virtual systems, or to apply a rule only to specific firewalls or virtual systems in a device group.
The ability to target a rule enables you to keep policies centralized on Panorama; it offers visibility and efficiency in managing the rules. Instead of creating local rules on an individual firewall or virtual system, targeted rules allow you to define the rules (as shared or device group pre- or post-rules) on Panorama (for details, see Device Group Policies).
  1. Create a rule.
    In this example, we define a pre-rule in the Security rulebase that permits users on the internal network to access the servers in the DMZ.
    1. Select the Policies tab and select the Device Group for which you want to define a rule.
    2. Select the rulebase. For this example, select Policies > Security > Pre-Rules.
    3. Click Add and, in the General tab, enter a descriptive rule Name.
    4. In the Source tab, set the Source Zone to Trust.
    5. In the Destination tab, set the Destination Zone to DMZ.
    6. In the Service/URL Category tab, set the Service to application-default.
    7. In the Actions tab, set the Action to Allow.
    8. Leave all the other options at the default values.
  2. Target the rule to include or exclude a subset of firewalls.
    To apply the rule to a selected set of firewalls:
    1. Select the Target tab in the Policy Rule window.
    2. Select the firewalls on which you want the rule to apply.
      If you do not select any firewalls to target, the rule is added to all of the firewalls in the device group, even though their check boxes remain unchecked.
      By default, although the check box for the virtual systems in the device group is unchecked, all the virtual systems will inherit the rule on commit. Select the check box for one or more virtual systems to which you want the rule to apply.
    3. (Optional) To exclude a subset of firewalls from inheriting the rule, select the check box Install on all but specified devices.
      If you select Install on all but specified devices and do not select any firewall, the rule is added to none of the firewalls in the device group.
    4. Click OK to add the rule.
  3. Commit and push the configuration changes.
    1. Select Commit > Commit and Push, then Edit Selections in the Push Scope.
    2. Select Device Groups, select the device group where you added the rule, and click OK.
    3. Commit and Push your changes to the Panorama configuration and to device groups.
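The Target tab behaviour described in step 2 (no selection means every firewall and virtual system in the device group; a selection narrows the rule to those; Install on all but specified devices inverts the selection, and inverting an empty selection pushes the rule nowhere) is easy to get wrong when reviewing a large rulebase. The following is an added example, not Panorama's own code or documentation: a small Python audit that resolves the effective set of (firewall, vsys) pairs for each rule in a constructed rulebase fragment and flags rules that resolve to nothing. The `<target>/<devices>/<negate>` XML layout, the placeholder serial numbers and the device-group membership table are assumptions made for this example.

```python
"""Resolve which firewalls and virtual systems a Panorama device-group
rule will land on after commit, based on the rule's Target settings."""
import xml.etree.ElementTree as ET

# Constructed sample: a device group with three firewalls (placeholder
# serials) and the virtual systems each one contributes to the group.
DEVICE_GROUP_MEMBERS = {
    "FW-SERIAL-A": ["vsys1", "vsys2"],
    "FW-SERIAL-B": ["vsys1"],
    "FW-SERIAL-C": ["vsys1", "vsys2", "vsys3"],
}

# Constructed sample rulebase. The <target>/<devices>/<negate> layout is
# an assumption made for this example, not quoted from the product.
SAMPLE_RULES_XML = """
<rules>
  <entry name="allow-trust-to-dmz">
    <target>
      <devices>
        <entry name="FW-SERIAL-A"><vsys><entry name="vsys2"/></vsys></entry>
        <entry name="FW-SERIAL-B"/>
      </devices>
    </target>
  </entry>
  <entry name="block-legacy-proto">
    <target>
      <devices><entry name="FW-SERIAL-C"/></devices>
      <negate>yes</negate>
    </target>
  </entry>
  <entry name="untargeted-rule"/>
  <entry name="negate-with-no-devices">
    <target><negate>yes</negate></target>
  </entry>
</rules>
"""


def parse_target(rule_el):
    """Return (devices, negate). devices maps serial -> list of vsys names,
    where an empty list means every vsys on that firewall (the page says an
    unchecked vsys box still inherits the rule); negate mirrors the
    'Install on all but specified devices' check box."""
    devices = {}
    negate = False
    target = rule_el.find("target")
    if target is not None:
        for dev in target.findall("devices/entry"):
            vsys = [v.get("name") for v in dev.findall("vsys/entry")]
            devices[dev.get("name")] = vsys
        negate = (target.findtext("negate") or "no").strip().lower() == "yes"
    return devices, negate


def effective_targets(members, devices, negate):
    """Set of (serial, vsys) pairs the rule is pushed to.

    No selection -> every firewall and vsys in the group; a selection ->
    only those; negate inverts the selection, so negate with no selection
    resolves to nothing, matching the documented behaviour."""
    everything = {(s, v) for s, vsys_list in members.items() for v in vsys_list}
    if not devices:
        return set() if negate else everything
    selected = set()
    for serial, vsys_list in devices.items():
        if serial not in members:
            continue  # assumption: a serial outside this device group is ignored
        chosen = vsys_list or members[serial]
        selected.update((serial, v) for v in chosen if v in members[serial])
    return everything - selected if negate else selected


def audit_rules(members, rules_xml):
    """Map rule name -> (effective target set, warning text or None)."""
    report = {}
    for rule in ET.fromstring(rules_xml).findall("entry"):
        devices, negate = parse_target(rule)
        eff = effective_targets(members, devices, negate)
        warning = None
        if negate and not devices:
            warning = "negate set with no devices: rule is pushed to no firewall"
        elif not eff:
            warning = "rule resolves to no firewall in this device group"
        report[rule.get("name")] = (eff, warning)
    return report


if __name__ == "__main__":
    for name, (eff, warn) in audit_rules(DEVICE_GROUP_MEMBERS, SAMPLE_RULES_XML).items():
        suffix = f"  WARNING: {warn}" if warn else ""
        print(f"{name}: {sorted(eff)}{suffix}")
```

Run against a real Panorama configuration export, the same resolver gives a per-rule list of where each targeted pre- or post-rule will actually land, which is the check to make before the Commit and Push in step 3, since a negated rule with an empty device list is committed cleanly but enforced nowhere.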