You can Create a Device Group Hierarchy to nest device groups in a tree hierarchy of up to four levels, with
lower-level groups inheriting the settings (policy rules and objects)
of higher-level groups. At the bottom level, a device group can
have parent, grandparent, and great-grandparent device groups (ancestors).
At the top level, a device group can have child, grandchild, and
great-grandchild device groups (descendants). All device
groups inheriting settings from the Shared location—a
container at the top of the hierarchy for configurations that are
common to all device groups.
Creating a device group hierarchy enables you to organize firewalls
based on common policy requirements without redundant configuration.
For example, you could configure shared settings that are global to
all firewalls, configure device groups with function-specific settings
at the first level, and configure device groups with location-specific
settings at lower levels. Without a hierarchy, you would have to configure
both function- and location-specific settings for every device group
in a single level under Shared.
For details on the order in which firewalls evaluate policy rules
in a device group hierarchy, see Device Group Policies. For details on overriding the values of objects that device
groups inherit from ancestor device groups, see Device Group Objects.