Manage Precedence of Inherited Objects
By default, when device groups at different levels in the Device Group Hierarchy have an object with the same name but different values (because of overrides, as an example), policy rules in a descendant device group use the object values in that descendant instead of using object values inherited from ancestor device groups. Optionally, you can reverse this order of precedence to push values from the highest ancestor containing the object to all descendant device groups. After you enable this option, the next time you push configuration changes to device groups, the values of inherited objects replace the values of any overridden objects in the descendant device groups. The figure below demonstrates the precedence of inherited objects in a device group:
If a firewall has locally defined objects with the same name as shared or device group objects that Panorama pushes, a commit failure occurs.
If you want to revert a specific overridden object to its ancestor values instead of pushing ancestor values to all overridden objects, see Revert to Inherited Object Values.
- Select PanoramaSetupManagement and edit the Panorama Settings.
- If you want to reverse the default order of precedence,
select Objects defined in ancestors will take higher
precedence. The dialog then displays the Find
Overridden Objects link, which provides the option to
see how many overridden (shadowed) objects will have ancestor values
after you commit this change. You can hover over the quantity message
to display the object names.If you want to revert to the default order of precedence, clear Objects defined in ancestors will take higher precedence.Find Overridden Objects only detects a Shared device group object that shares a name with another object in the device group.
- Click OK to save your changes.
- Select CommitCommit to Panorama and Commit your changes.
- (Optional) If you selected Objects defined in ancestors will take higher precedence, Panorama does not push the ancestor objects until you push configuration changes to device groups: select CommitPush to Devices and Push your changes.
Device Group Objects
Device Group Objects Objects are configuration elements that policy rules reference, for example: IP addresses, URL categories, security profiles, users, services, and applications. Rules of ...
Override or Revert an Object
Override or Revert an Object In Panorama, you can nest device groups in a tree hierarchy of up to four levels. At the bottom level, ...
Revert to Inherited Object Values
Revert to Inherited Object Values After overriding the values that a device group object inherits from an ancestor device group, you can revert the object ...
Manage Device Groups
Manage Device Groups Add a Device Group Create a Device Group Hierarchy Create Objects for Use in Shared or Device Group Policy Revert to Inherited ...
Create a Device Group Hierarchy
Create a Device Group Hierarchy Plan the Device Group Hierarchy . Decide the device group levels, and which firewalls and virtual systems you will assign ...
Create Objects for Use in Shared or Device Group Policy
Create Objects for Use in Shared or Device Group Policy You can use an object in any policy rule that is in the Shared location, ...
Device Group Hierarchy
Device Group Hierarchy You can Create a Device Group Hierarchy to nest device groups in a tree hierarchy of up to four levels, with lower-level ...
Device Group Policies
Device Group Policies Device groups provide a way to implement a layered approach for managing policies across a network of managed firewalls. A firewall evaluates ...
Device > Setup > Management
Device > Setup > Management Device > Setup > Management Panorama > Setup > Management On a firewall, select Device Setup Management to configure management ...