Use Device Groups to Push Policy Rules

The third task in Use Case: Configure Firewalls Using Panorama is to create the device groups to manage policy rules on the firewalls.
  1. Create device groups and assign the appropriate firewalls to each device group: see Add a Device Group.
    In this example, create device groups named DG_BranchAndRegional and DG_DataCenter.
    When configuring the DG_BranchAndRegional device group, you must assign a Master firewall. This is the only firewall in the device group that gathers user and group mapping information for policy evaluation.
  2. Create a shared pre-rule to allow DNS and SNMP services.
    1. Create a shared application group for the DNS and SNMP services.
      1. Select Objects > Application Group and click Add.
      2. Enter a Name and select the Shared check box to create a shared application group object.
      3. Click Add, type DNS, and select dns from the list. Repeat for SNMP and select snmp and snmp-trap.
      4. Click OK to create the application group.
    2. Create the shared rule.
      1. Select the Policies tab and, in the Device Group drop-down, select Shared.
      2. Select the Security > Pre-Rules rulebase.
      3. Click Add and enter a Name for the security rule.
      4. In the Source and Destination tabs for the rule, click Add and enter a Source Zone and a Destination Zone for the traffic.
      5. In the Applications tab, click Add, type the name of the application group object you just created, and select it from the drop-down.
      6. In the Actions tab, set the Action to Allow, and click OK.
  3. Define the corporate acceptable use policy for all offices. In this example, create a shared rule that restricts access to some URL categories and denies access to peer-to-peer traffic that is of risk level 3, 4, or 5.
    1. Select the Policies tab and, in the Device Group drop-down, select Shared.
    2. Select Security > Pre-Rules and click Add.
    3. In the General tab, enter a Name for the security rule.
    4. In the Source and Destination tabs, click Add and select any for the traffic Source Zone and Destination Zone.
    5. In the Application tab, define the application filter:
      1. Click Add and click New Application Filter in the footer of the drop-down.
      2. Enter a Name, and select the Shared check box.
      3. In the Risk column, select levels 3, 4, and 5.
      4. In the Technology column, select peer-to-peer.
      5. Click OK to save the new filter.
    6. In the Service/URL Category tab, URL Category section, click Add and select the categories you want to block (for example, streaming-media, dating, and online-personal-storage).
    7. You can also attach the default URL Filtering profile: in the Actions tab, Profile Setting section, select the Profile Type option Profiles, and select the URL Filtering option default.
    8. Click OK to save the security pre-rule.
  4. Allow Facebook for all users in the Marketing group in the regional offices only.
    Enabling a security rule based on user and group has the following prerequisite tasks:
    1. Select the Policies tab and, in the Device Group drop-down, select DG_BranchAndRegional.
    2. Select the Security > Pre-Rules rulebase.
    3. Click Add and enter a Name for the security rule.
    4. In the Source tab, Add the Source Zone that contains the Marketing group users.
    5. In the Destination tab, Add the Destination Zone.
    6. In the User tab, Add the Marketing user group to the Source User list.
    7. In the Application tab, click Add, type Facebook, and then select it from the drop-down.
    8. In the Action tab, set the Action to Allow.
    9. In the Target tab, select the regional office firewalls and click OK.
  5. Allow access to the Amazon cloud application for the specified hosts/servers in the data center.
    1. Create an address object for the servers/hosts in the data center that need access to the Amazon cloud application.
      1. Select Objects > Addresses and, in the Device Group drop-down, select DG_DataCenter.
      2. Click Add and enter a Name for the address object.
      3. Select the Type, and specify an IP address and netmask (IP Netmask), a range of IP addresses (IP Range), or an FQDN.
      4. Click OK to save the object.
    2. Create a security rule that allows access to the Amazon cloud application.
      1. Select Policies > Security > Pre-Rules and, in the Device Group drop-down, select DG_DataCenter.
      2. Click Add and enter a Name for the security rule.
      3. Select the Source tab, Add the Source Zone for the data center, and Add the address object (Source Address) you just defined.
      4. Select the Destination tab and Add the Destination Zone.
      5. Select the Application tab, click Add, type amazon, and select the Amazon applications from the list.
      6. Select the Action tab and set the Action to Allow.
      7. Click OK to save the rule.
  6. To enable logging for all internet-bound traffic on your network, create a rule that matches trust zone to untrust zone.
    1. Select the Policies tab and, in the Device Group drop-down, select Shared.
    2. Select the Security > Pre-Rules rulebase.
    3. Click Add and enter a Name for the security rule.
    4. In the Source and Destination tabs for the rule, Add trust_zone as the Source Zone and untrust_zone as the Destination Zone.
    5. In the Action tab, set the Action to Deny, set the Log Setting to Log at Session end, and click OK.
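
The script below is an added example and is not part of the Panorama documentation or of any Palo Alto Networks code. It runs over a constructed, simplified XML tree whose element layout is an assumption made for this example (it is not the real Panorama configuration schema) and whose firewall, object, rule and App-ID names are invented. It checks the constraints the procedure above relies on: objects referenced by Shared pre-rules must themselves be Shared (the reason the steps tick the Shared check box on the application group and filter), a device group whose rules match on users or groups needs its Master firewall for user and group mapping, rule targets must be members of the device group, and deny rules should log at session end so that blocked traffic leaves a record.

```python
"""Added example, not part of the Panorama documentation: a small audit over a
constructed, simplified Panorama-style configuration that mirrors the device
groups, shared objects and pre-rules built in the use case."""
import xml.etree.ElementTree as ET
from typing import Iterator, List, Tuple

# Constructed sample. The element layout is a simplification chosen for this
# example (assumption), not the actual Panorama configuration schema; the
# firewall, rule, object and App-ID names are invented for the walkthrough.
SAMPLE_CONFIG = """
<config>
  <shared>
    <application-group>
      <entry name="DNS_SNMP"><members><member>dns</member><member>snmp</member><member>snmp-trap</member></members></entry>
    </application-group>
    <application-filter>
      <entry name="P2P_HighRisk"><risk><member>3</member><member>4</member><member>5</member></risk><technology><member>peer-to-peer</member></technology></entry>
    </application-filter>
    <pre-rulebase>
      <entry name="Allow-DNS-SNMP"><from><member>any</member></from><to><member>any</member></to><source-user><member>any</member></source-user><application><member>DNS_SNMP</member></application><action>allow</action></entry>
      <entry name="Acceptable-Use"><from><member>any</member></from><to><member>any</member></to><source-user><member>any</member></source-user><application><member>P2P_HighRisk</member></application><category><member>streaming-media</member><member>dating</member><member>online-personal-storage</member></category><action>deny</action></entry>
      <entry name="Log-Internet"><from><member>trust_zone</member></from><to><member>untrust_zone</member></to><source-user><member>any</member></source-user><application><member>any</member></application><action>deny</action><log-end>yes</log-end></entry>
    </pre-rulebase>
  </shared>
  <device-group>
    <entry name="DG_BranchAndRegional">
      <devices><member>fw-branch-1</member><member>fw-regional-1</member><member>fw-regional-2</member></devices>
      <master-device>fw-regional-1</master-device>
      <pre-rulebase>
        <entry name="Allow-Facebook-Marketing"><from><member>trust_zone</member></from><to><member>untrust_zone</member></to><source-user><member>Marketing</member></source-user><application><member>facebook</member></application><action>allow</action><target><member>fw-regional-1</member><member>fw-regional-2</member></target></entry>
      </pre-rulebase>
    </entry>
    <entry name="DG_DataCenter">
      <devices><member>fw-dc-1</member></devices>
      <address><entry name="AmazonClients"><ip-netmask>10.20.30.0/24</ip-netmask></entry></address>
      <pre-rulebase>
        <entry name="Allow-Amazon"><from><member>dc_zone</member></from><to><member>untrust_zone</member></to><source><member>AmazonClients</member></source><source-user><member>any</member></source-user><application><member>amazon-aws-console</member></application><action>allow</action></entry>
      </pre-rulebase>
    </entry>
  </device-group>
</config>
"""


def _members(node: ET.Element, tag: str) -> List[str]:
    """Texts of the <member> children under node/<tag>; [] when the tag is absent."""
    return [m.text or "" for m in node.findall(f"{tag}/member")]


def _rulebases(root: ET.Element) -> Iterator[Tuple[str, ET.Element, List[ET.Element]]]:
    """Yield (scope name, scope element, pre-rules) for Shared and for each device group."""
    shared = root.find("shared")
    if shared is not None:
        yield "Shared", shared, shared.findall("pre-rulebase/entry")
    for dg in root.findall("device-group/entry"):
        yield dg.get("name", "?"), dg, dg.findall("pre-rulebase/entry")


def audit(config_xml: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    root = ET.fromstring(config_xml.strip())
    findings: List[str] = []

    # Objects created inside a device group are not visible to Shared rules, which is
    # why the use case ticks the Shared check box on objects used by shared pre-rules.
    dg_objects = set()
    for dg in root.findall("device-group/entry"):
        for kind in ("address", "application-group", "application-filter"):
            dg_objects.update(e.get("name", "") for e in dg.findall(f"{kind}/entry"))
    for rule in root.findall("shared/pre-rulebase/entry"):
        for ref in _members(rule, "source") + _members(rule, "destination") + _members(rule, "application"):
            if ref in dg_objects:
                findings.append(f"Shared: rule {rule.get('name')!r} references device-group object {ref!r}; make the object Shared")

    for scope, node, rules in _rulebases(root):
        devices = set(_members(node, "devices"))
        master = node.findtext("master-device")
        for rule in rules:
            name = rule.get("name", "?")
            # Matching on a user or group needs the device group's Master firewall for User-ID mapping.
            if scope != "Shared" and any(u != "any" for u in _members(rule, "source-user")) and not master:
                findings.append(f"{scope}: rule {name!r} matches on user/group but the device group has no Master firewall")
            # A target that is not a member of the device group can never receive the rule.
            for target in _members(rule, "target"):
                if target not in devices:
                    findings.append(f"{scope}: rule {name!r} targets {target!r}, which is not a member of the device group")
            # A deny without logging leaves no record of what was blocked.
            if rule.findtext("action") == "deny" and rule.findtext("log-end") != "yes":
                findings.append(f"{scope}: deny rule {name!r} does not log at session end")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run as-is, the only finding is that the Acceptable-Use deny rule in step 3 has no log setting; removing the Master firewall, targeting a firewall outside DG_BranchAndRegional, or referencing the DG_DataCenter address object from a Shared rule each produces a further finding. Adapting the checks to a real exported Panorama configuration means replacing the constructed element paths with the ones from your export.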
