Push a Policy Rule to a Subset of Firewalls
A policy target allows you to specify the firewalls in a device group to which to push policy rules. It allows you to exclude one or more firewalls or virtual systems, or to apply a rule only to specific firewalls or virtual systems in a device group.
The ability to target a rule enables you to keep policies centralized on Panorama; it offers visibility and efficiency in managing the rules. Instead of creating local rules on a only or virtual system, targeted rules allow you to define the rules (as shared or device group pre- or post-rules) on Panorama (for details, see Device Group Policies).
- Create a rule.In this example, we define a pre-rule in the Security rulebase that permits users on the internal network to access the servers in the DMZ.
- Select the Policies tab and select the Device Group for which you want to define a rule.
- Select the rulebase. For this example, select PoliciesSecurityPre-Rules.
- Click Add and, in the General tab, enter a descriptive rule Name.
- In the Source tab, set the Source Zone to Trust.
- In the Destination tab, set the Destination Zone to DMZ.
- In the Service/ URL Category tab, set the Service to application-default.
- In the Actions tab, set the Action to Allow.
- Leave all the other options at the default values.
- Target the rule to include or exclude a subset of firewalls.To apply the rule to a selected set of firewalls:
- Select the Target tab in the Policy Rule window.
- Select the firewalls on which you want the rule to
apply.If you do not select firewalls to target, the rule is added to all of the (unchecked) firewalls in the device group.By default, although the check box for the virtual systems in the device group is unchecked, all the virtual systems will inherit the rule on commit. Select the check box for one or more virtual systems to which you want the rule to apply.
- (Optional) To exclude a subset of firewalls
from inheriting the rule, select the check box Install
on all but specified devices.If you select Install on all but specified devices and do not select any firewall, the rule is added to none of the firewalls in the device group.
- Click OK to add the rule.
- Commit and push the configuration changes.
- Select CommitCommit and Push and Edit Selections in the Push Scope
- Select Device Groups, select the device group where you added the rule, and click OK.
- Commit and Push your changes to the Panorama configuration and to device groups.
Defining Policies on Panorama
Defining Policies on Panorama Device Groups on Panorama allow you to centrally manage policies on the firewalls. Policies defined on Panorama are created either as ...
Use Device Groups to Push Policy Rules
Use Device Groups to Push Policy Rules The third task in Use Case: Configure Firewalls Using Panorama is to create the device groups to manage ...
Create a Device Group Hierarchy
Create a Device Group Hierarchy Plan the Device Group Hierarchy . Decide the device group levels, and which firewalls and virtual systems you will assign ...
Device Group Policies
Device Group Policies Device groups provide a way to implement a layered approach for managing policies across a network of managed firewalls. A firewall evaluates ...
Manage Unused Shared Objects
Manage Unused Shared Objects When you push configuration changes Device Groups , by default Panorama pushes all shared objects to firewalls whether or not any ...
Panorama > Device Groups
Panorama > Device Groups Device groups comprise firewalls and virtual systems you want to manage as a group, such as the firewalls that manage a ...
Manage Device Groups
Manage Device Groups Add a Device Group Create a Device Group Hierarchy Create Objects for Use in Shared or Device Group Policy Revert to Inherited ...
Add a Device Group
Add a Device Group After adding firewalls (see Add a Firewall as a Managed Device ), you can group them into Device Groups (up to ...
Move or Clone a Policy Rule
Move or Clone a Policy Rule When moving or cloning policies , you can assign a Destination (a virtual system on a firewall or a ...