Manage Unused Shared Objects
When you push configuration changes to Device Groups, by default Panorama pushes all shared objects to firewalls whether or not any shared or device group policy rules reference the objects. However, you can configure Panorama to push only the shared objects that rules reference in the device groups. The Share Unused Address and Service Objects with Devices option enables you to limit the objects that Panorama pushes to the managed firewalls.
When Share Unused Address and Service Objects with Devices is disabled, Panorama ignores the Target firewalls when you Push a Policy Rule to a Subset of Firewalls. This means that all objects referenced by any rules are pushed to all firewalls in the device group.
To limit the number of objects pushed to a set of managed firewalls, add the policy rules to a child device group and reference shared objects as needed. See Create a Device Group Hierarchy for more information on creating a child device group.
On lower-end models, such as the PA-200, consider pushing only the relevant shared objects to the managed firewalls. This is because the number of objects that can be stored on the lower-end models is considerably lower than that of the mid- to high-end models. Also, if you have many address and service objects that are unused, clearing Share Unused Address and Service Objects with Devices reduces the commit times significantly on the firewalls because the configuration pushed to each firewall is smaller. However, disabling this option might increase the commit time on Panorama because Panorama has to dynamically check whether policy rules reference a particular object.
- Select Panorama > Setup > Management, and edit the Panorama Settings.
- Clear the Share Unused Address and Service Objects with Devices option to push only the shared objects that rules reference, or select the option to re-enable pushing all shared objects.
- Click OK to save your changes.
- Select Commit > Commit to Panorama and Commit your changes.
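
To gauge how many shared objects the option would stop pushing before you clear it, the following added example (not Palo Alto Networks code) approximates the reference check offline against a configuration export. The sample XML is a constructed, simplified excerpt, and `unused_shared_objects` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified excerpt of a Panorama configuration export.
SAMPLE_CONFIG = """<config>
  <shared>
    <address>
      <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      <entry name="db-srv"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
      <entry name="old-lab"><ip-netmask>10.9.9.0/24</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="app-tier"><static><member>db-srv</member></static></entry>
    </address-group>
    <service>
      <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
      <entry name="tcp-2222"><protocol><tcp><port>2222</port></tcp></protocol></entry>
    </service>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="branch"><pre-rulebase><security><rules>
      <entry name="allow-web">
        <destination><member>web-srv</member><member>app-tier</member></destination>
        <service><member>tcp-8443</member></service>
      </entry>
    </rules></security></pre-rulebase></entry>
  </device-group></entry></devices>
</config>"""

def unused_shared_objects(config_xml):
    """Return shared address/service objects that no rulebase references."""
    root = ET.fromstring(config_xml)
    shared = root.find("shared")
    defined = {kind: {e.get("name") for e in shared.findall(f"{kind}/entry")}
               for kind in ("address", "service")}
    # Static group membership, so a rule that names a group keeps its members.
    # Dynamic (tag-filter) address groups are not resolved here.
    groups = {e.get("name"): [m.text for m in e.iter("member")]
              for kind in ("address-group", "service-group")
              for e in shared.findall(f"{kind}/entry")}
    # Every <member> under a pre/post rulebase counts as a reference; a zone or
    # application that shares an object's name errs toward "used".
    pending = [m.text for rb in root.iter() if rb.tag in ("pre-rulebase", "post-rulebase")
               for m in rb.iter("member")]
    seen = set()
    while pending:
        name = pending.pop()
        if name not in seen:
            seen.add(name)
            pending.extend(groups.get(name, []))
    return {kind: sorted(names - seen) for kind, names in defined.items()}

if __name__ == "__main__":
    print(unused_shared_objects(SAMPLE_CONFIG))
```

A large unused set relative to the total suggests a meaningful reduction in per-firewall configuration size, which matters most on lower-capacity models.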