Use Device Groups to Push Policy Rules

The third task in Use Case: Configure Firewalls Using Panorama is to create the device groups to manage policy rules on the firewalls.
  1. Create device groups and assign the appropriate firewalls to each device group: see Add a Device Group.
    In this example, create device groups named DG_BranchAndRegional and DG_DataCenter.
    When configuring the DG_BranchAndRegional device group, you must assign a Master firewall. This is the only firewall in the device group that gathers user and group mapping information for policy evaluation.
  2. Create a shared pre-rule to allow DNS and SNMP services.
    1. Create a shared application group for the DNS and SNMP services.
      1. Select ObjectsApplication Group and click Add.
      2. Enter a Name and select the Shared check box to create a shared application group object.
      3. Click Add, type DNS, and select dns from the list. Repeat for SNMP and select snmp, snmp-trap.
      4. Click OK to create the application group.
    2. Create the shared rule.
      1. Select the Policies tab and, in the Device Group drop-down, select Shared.
      2. Select the SecurityPre-Rules rulebase.
      3. Click Add and enter a Name for the security rule.
      4. In the Source and Destination tabs for the rule, click Add and enter a Source Zone and a Destination Zone for the traffic.
      5. In the Applications tab, click Add, type the name of the applications group object you just created, and select it from the drop-down.
      6. In the Actions tab, set the Action to Allow, and click OK.
  3. Define the corporate acceptable use policy for all offices. In this example, create a shared rule that restricts access to some URL categories and denies access to peer-to-peer traffic that is of risk level 3, 4, or 5.
    1. Select the Policies tab and, in the Device Group drop-down, select Shared.
    2. Select SecurityPre-Rules and click Add.
    3. In the General tab, enter a Name for the security rule.
    4. In the Source and Destination tabs, click Add and select any for the traffic Source Zone and Destination Zone.
    5. In the Application tab, define the application filter:
      1. Click Add and click New Application Filter in the footer of the drop-down.
      2. Enter a Name, and select the Shared check box.
      3. In the Risk column, select levels 3, 4, and 5.
      4. In the Technology column, select peer-to-peer.
      5. Click OK to save the new filter.
    6. In the Service/URL Category tab, URL Category section, click Add and select the categories you want to block (for example, streaming-media, dating, and online-personal-storage).
    7. You can also attach the default URL Filtering profile—In the Actions tab, Profile Setting section, select the Profile Type option Profiles, and select the URL Filtering option default.
    8. Click OK to save the security pre-rule.
  4. Allow Facebook for all users in the Marketing group in the regional offices only.
    Enabling a security rule based on user and group has the following prerequisite tasks:
    1. Select the Policies tab and, in the Device Group drop-down, select DG_BranchAndRegional.
    2. Select the SecurityPre-Rules rulebase.
    3. Click Add and enter a Name for the security rule.
    4. In the Source tab, Add the Source Zone that contains the Marketing group users.
    5. In the Destination tab, Add the Destination Zone.
    6. In the User tab, Add the Marketing user group to the Source User list.
    7. In the Application tab, click Add, type Facebook, and then select it from the drop-down.
    8. In the Action tab, set the Action to Allow.
    9. In the Target tab, select the regional office firewalls and click OK.
  5. Allow access to the Amazon cloud application for the specified hosts/servers in the data center.
    1. Create an address object for the servers/hosts in the data center that need access to the Amazon cloud application.
      1. Select ObjectsAddresses and, in the Device Group drop-down, select DG_DataCenter.
      2. Click Add and enter a Name for the address object.
      3. Select the Type, and specify an IP address and netmask (IP Netmask), range of IP addresses (IP Range), or FQDN.
      4. Click OK to save the object.
    2. Create a security rule that allows access to the Amazon cloud application.
      1. Select PoliciesSecurityPre-Rules and, in the Device Group drop-down, select DG_DataCenter.
      2. Click Add and enter a Name for the security rule.
      3. Select the Source tab, Add the Source Zone for the data center, and Add the address object (Source Address) you just defined.
      4. Select the Destination tab and Add the Destination Zone.
      5. Select the Application tab, click Add, type amazon, and select the Amazon applications from the list.
      6. Select the Action tab and set the Action to Allow.
      7. Click OK to save the rule.
  6. To enable logging for all internet-bound traffic on your network, create a rule that matches trust zone to untrust zone.
    1. Select the Policies tab and, in the Device Group drop-down, select Shared.
    2. Select the SecurityPre-Rules rulebase.
    3. Click Add and enter a Name for the security rule.
    4. In the Source and Destination tabs for the rule, Addtrust_zone as the Source Zone and untrust_zone as the Destination Zone.
    5. In the Action tab, set the Action to Deny, set the Log Setting to Log at Session end, and click OK.

Related Documentation