When you push configuration changes to Device Groups,
by default Panorama pushes all shared objects to firewalls whether
or not any shared or device group policy rules reference the objects.
However, you can configure Panorama to push only the shared objects
that rules reference in the device groups. The
Share Unused Address and Service Objects with Devices
option enables you
to limit the objects that Panorama pushes to the managed firewalls.
To limit the number of objects pushed
to a set of managed firewalls, add the policy rules to a child device
group and reference shared objects as needed. See Create a Device Group Hierarchy for more information
on creating a child device group.
On lower-end models,
such as the PA-200, consider pushing only the relevant shared objects
to the managed firewalls. This is because the number of objects
that can be stored on the lower-end models is considerably lower
than that of the mid- to high-end models. Also, if you have many
address and service objects that are unused, clearing
Share Unused Address and Service Objects with Devices
reduces the commit times significantly on the firewalls because the
configuration pushed to each firewall is smaller. However, disabling
this option might increase the commit time on Panorama because
Panorama has to dynamically check whether policy rules reference a
particular object.
and edit the Panorama Settings.
Clear the
Share Unused Address and Service Objects with Devices
option to push only the shared
objects that rules reference, or select the option to re-enable
pushing all shared objects.
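
Before clearing the option, it can help to estimate offline which shared objects each device group would stop receiving. The following is an added example, not Palo Alto Networks code and not the check Panorama itself performs. It assumes an exported configuration with shared objects under `shared` and device groups under `devices/entry/device-group`, counts only direct references in rule source, destination and service fields plus static group membership, and ignores the device group hierarchy.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a Panorama config export; names are made up
# and object definitions are trimmed to their name attribute.
SAMPLE = """<config><shared>
 <address><entry name="web-01"/><entry name="db-01"/><entry name="old-host"/></address>
 <address-group><entry name="web-servers"><static><member>web-01</member></static></entry></address-group>
 <service><entry name="tcp-8443"/><entry name="tcp-9999"/></service>
 <pre-rulebase><security><rules><entry name="shared-db">
   <source><member>any</member></source><destination><member>db-01</member></destination>
   <service><member>application-default</member></service></entry></rules></security></pre-rulebase>
</shared><devices><entry name="localhost.localdomain"><device-group>
 <entry name="branch"><pre-rulebase><security><rules><entry name="allow-web">
   <source><member>any</member></source><destination><member>web-servers</member></destination>
   <service><member>tcp-8443</member></service></entry></rules></security></pre-rulebase></entry>
 <entry name="lab"/>
</device-group></entry></devices></config>"""

KINDS = ("address", "address-group", "service", "service-group")

def rule_refs(scope):
    """Names used in source, destination or service fields of any rule under scope."""
    refs = set()
    for rb in ("pre-rulebase", "post-rulebase"):
        for field in ("source", "destination", "service"):
            refs |= {m.text for m in scope.findall(f"{rb}/*/rules/entry/{field}/member")}
    return refs

def unused_shared_objects(xml_text):
    """Map each device group to the shared objects that no shared or own rule references."""
    root = ET.fromstring(xml_text)
    shared = root.find("shared")
    objects = {e.get("name") for k in KINDS for e in shared.findall(f"{k}/entry")}
    # Static group membership: a referenced group keeps its members in use.
    members = {g.get("name"): {m.text for m in g.iter("member")}
               for k in ("address-group", "service-group") for g in shared.findall(f"{k}/entry")}
    result = {}
    for dg in root.findall("devices/entry/device-group/entry"):
        used, todo = set(), rule_refs(shared) | rule_refs(dg)
        while todo:
            name = todo.pop()
            if name in objects and name not in used:
                used.add(name)
                todo |= members.get(name, set())  # follow nested groups
        result[dg.get("name")] = sorted(objects - used)
    return result
```

The objects listed for a device group are the ones its firewalls would no longer receive once the option is cleared, which gives a sense of how much smaller the pushed configuration becomes.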