Manage Precedence of Inherited Objects

By default, when device groups at different levels in the Device Group Hierarchy have an object with the same name but different values (because of overrides, as an example), policy rules in a descendant device group use the object values in that descendant instead of using object values inherited from ancestor device groups. Optionally, you can reverse this order of precedence to push values from the highest ancestor containing the object to all descendant device groups. After you enable this option, the next time you push configuration changes to device groups, the values of inherited objects replace the values of any overridden objects in the descendant device groups. The figure below demonstrates the precedence of inherited objects in a device group:
dg-precedence-example.png
If a firewall has locally defined objects with the same name as shared or device group objects that Panorama pushes, a commit failure occurs.
If you want to revert a specific overridden object to its ancestor values instead of pushing ancestor values to all overridden objects, see Revert to Inherited Object Values.
  1. Select
    Panorama
    Setup
    Management
    and edit the Panorama Settings.
  2. If you want to reverse the default order of precedence, select
    Objects defined in ancestors will take higher precedence
    . The dialog then displays the
    Find Overridden Objects
    link, which provides the option to see how many overridden (shadowed) objects will have ancestor values after you commit this change. You can hover over the quantity message to display the object names.
    If you want to revert to the default order of precedence, clear
    Objects defined in ancestors will take higher precedence
    .
    Find Overridden Objects
    only detects a Shared device group object that shares a name with another object in the device group.
  3. Click
    OK
    to save your changes.
  4. Select
    Commit
    Commit to Panorama
    and
    Commit
    your changes.
  5. (
    Optional
    ) If you selected
    Objects defined in ancestors will take higher precedence
    , Panorama does not push the ancestor objects until you push configuration changes to device groups: select
    Commit
    Push to Devices
    and
    Push
    your changes.

Related Documentation