After adding firewalls (see Add a Firewall as a Managed Device),
you can group them into Device Groups (up to
1,024), as follows. Be sure to assign both firewalls in an active-passive
high availability (HA) configuration to the same device group so
that Panorama will push the same policy rules and objects to those
firewalls. PAN-OS doesn’t synchronize pushed rules across HA peers.
To manage rules and objects at different administrative levels in
your organization, Create a Device Group Hierarchy.
, and click
Enter a unique
identify the device group.
In the Devices section, select check boxes to assign
firewalls to the group. To search a long list of firewalls, use
You can assign any firewall to only one device group.
You can assign each virtual system on a firewall to a different
In the Reference Template section,
templates or template stacks with objects referenced by the device
You must assign the appropriate template or template stack
references to the device group in order to successfully associate
the template or template stack to the device group. This allows
you to reference objects configured in a template or template stack
without adding an unrelated device to a template stack.
this step if the device group configuration does not reference any
objects configured in a template or template stack.
Group HA Peers
firewalls that are HA peers.
You can only group managed firewall HA peers if they are
in the same device group.
The firewall name of the
passive or active-secondary peer is in parentheses. Grouping HA
peers is a visual change and no configuration change occurs.
Parent Device Group
) that will be just above the device
group you are creating in the device group hierarchy.
If your policy rules will reference users and groups,
This will be the only firewall in the device group from
which Panorama gathers username and user group information.
to save your changes.
your changes to the Panorama configuration and
to the device group you added.