Push a Policy Rule to a Subset of Firewalls

A policy target allows you to specify the firewalls in a device group to which to push policy rules. You can exclude one or more firewalls or virtual systems, or apply a rule only to specific firewalls or virtual systems in a device group.
The ability to target a rule lets you keep policies centralized on Panorama. Targeted rules are defined like any other rules on Panorama (as shared or device group pre- or post-rules; for details, see Device Group Policies), which improves visibility and efficiency in managing them.
  1. Create a rule.
    In this example, we define a pre-rule in the Security rulebase that permits users on the internal network to access the servers in the DMZ.
    1. Select the Policies tab and select the Device Group for which you want to define a rule.
    2. Select the rulebase. For this example, select Policies > Security > Pre-Rules.
    3. Click Add and, in the General tab, enter a descriptive rule Name.
    4. In the Source tab, set the Source Zone to Trust.
    5. In the Destination tab, set the Destination Zone to DMZ.
    6. In the Service/URL Category tab, set the Service to application-default.
    7. In the Actions tab, set the Action to Allow.
    8. Leave all the other options at the default values.
  2. Target the rule to include or exclude a subset of firewalls.
    To apply the rule to a selected set of firewalls:
    1. Select the Target tab in the Policy Rule window.
    2. Select the firewalls on which you want the rule to apply.
      If you do not select any firewalls to target, the rule is pushed to all of the firewalls in the device group, even though none of their check boxes are selected.
      Likewise, although the check boxes for the virtual systems in the device group are unchecked by default, all the virtual systems inherit the rule on commit. Select the check box for one or more virtual systems if you want the rule to apply only to those.
    3. (Optional) To exclude a subset of firewalls from inheriting the rule, select the firewalls to exclude and then select the Install on all but specified devices check box.
      If you select Install on all but specified devices and do not select any firewall, the rule is added to none of the firewalls in the device group.
    4. Click OK to add the rule.
  3. Commit and push the configuration changes.
    1. Select Commit > Commit and Push and then Edit Selections in the Push Scope.
    2. Select Device Groups, select the device group where you added the rule, and click OK.
    3. Commit and Push your changes to the Panorama configuration and to the device groups.
      After the push, confirm the result by viewing the Security policy on one firewall that should have received the rule and on one that should not.
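As an added check (example code, not from the Panorama documentation): the following Python script reads a Panorama configuration export and works out, for each security rule in a device group, which firewalls will actually receive it, applying the cases described in step 2 (no target selected, specific firewalls selected, and Install on all but specified devices with or without a selection). The XML layout of the target element (a `target` element holding `devices` entries and a `negate` flag), the device group name `Branch-DG` and the serial numbers are assumptions and constructed sample data; verify the layout against your own running-config export before relying on it. Virtual-system level targeting is not modeled.

```python
# Added example (not from the Panorama documentation): work out which
# firewalls in a device group will actually receive each security rule,
# from the rule's Target settings in an exported Panorama configuration.
# Assumption: a rule's target is stored as
#   <target><devices><entry name="SERIAL"/>...</devices><negate>yes|no</negate></target>
# Verify this shape against your own running-config export before use.
import xml.etree.ElementTree as ET

# Constructed sample config: three invented serials and four pre-rules
# covering each targeting case from the procedure above.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><device-group>
  <entry name="Branch-DG">
    <devices>
      <entry name="001000000001"/>
      <entry name="001000000002"/>
      <entry name="001000000003"/>
    </devices>
    <pre-rulebase><security><rules>
      <entry name="trust-to-dmz-all">
        <from><member>Trust</member></from><to><member>DMZ</member></to>
        <action>allow</action>
      </entry>
      <entry name="trust-to-dmz-only-fw1">
        <from><member>Trust</member></from><to><member>DMZ</member></to>
        <action>allow</action>
        <target><devices><entry name="001000000001"/></devices><negate>no</negate></target>
      </entry>
      <entry name="trust-to-dmz-all-but-fw3">
        <from><member>Trust</member></from><to><member>DMZ</member></to>
        <action>allow</action>
        <target><devices><entry name="001000000003"/></devices><negate>yes</negate></target>
      </entry>
      <entry name="negate-without-devices">
        <from><member>Trust</member></from><to><member>DMZ</member></to>
        <action>allow</action>
        <target><negate>yes</negate></target>
      </entry>
    </rules></security></pre-rulebase>
  </entry>
</device-group></entry></devices></config>
"""


def effective_targets(group_serials, rule):
    """Return the set of firewall serials that receive `rule` on push."""
    target = rule.find("target")
    selected, negate = set(), False
    if target is not None:
        selected = {e.get("name") for e in target.findall("devices/entry")}
        negate = (target.findtext("negate") or "no").strip().lower() == "yes"
    if negate:
        # "Install on all but specified devices" with nothing selected:
        # the rule is installed on none of the firewalls.
        return set(group_serials) - selected if selected else set()
    if not selected:
        # No target selected: every firewall in the device group inherits it.
        return set(group_serials)
    # Ignore serials that are no longer members of the device group.
    return selected & set(group_serials)


def rule_targets(config_xml):
    """Map (device group, rulebase, rule name) -> set of receiving serials."""
    root = ET.fromstring(config_xml.strip())
    out = {}
    for dg in root.iterfind(".//device-group/entry"):
        members = [e.get("name") for e in dg.findall("devices/entry")]
        for rulebase in ("pre-rulebase", "post-rulebase"):
            for rule in dg.iterfind(f"{rulebase}/security/rules/entry"):
                key = (dg.get("name"), rulebase, rule.get("name"))
                out[key] = effective_targets(members, rule)
    return out


def orphaned_rules(targets):
    """Rules that exist on Panorama but land on no firewall at all."""
    return sorted(k for k, v in targets.items() if not v)


if __name__ == "__main__":
    targets = rule_targets(SAMPLE_CONFIG)
    for key, serials in targets.items():
        print(key[2], "->", sorted(serials) or "(no firewalls)")
    print("orphaned:", orphaned_rules(targets))
```

Run it against the XML you export from Panorama instead of the embedded sample. Rules reported as orphaned are the ones to look at first: they take up space in the Panorama rulebase and show up in policy reviews, but are enforced nowhere, which is exactly what Install on all but specified devices with an empty selection produces.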

Related Documentation