By default, when device groups at different
levels in the Device Group Hierarchy have
an object with the same name but different values (because of overrides,
as an example), policy rules in a descendant device group use the
object values in that descendant instead of using object values
inherited from ancestor device groups. Optionally, you can reverse
this order of precedence to push values from the highest ancestor
containing the object to all descendant device groups. After you
enable this option, the next time you push configuration changes
to device groups, the values of inherited objects replace the values
of any overridden objects in the descendant device groups. The figure
below demonstrates the precedence of inherited objects in a device
If a firewall has locally defined objects
with the same name as shared or device group objects that Panorama
pushes, a commit failure occurs.
If you want to revert a specific
overridden object to its ancestor values instead of pushing ancestor
values to all overridden objects, see Revert to Inherited Object Values.
edit the Panorama Settings.
If you want to reverse the default order of precedence,
Objects defined in ancestors will take higher
. The dialog then displays the
link, which provides the option to
see how many overridden (shadowed) objects will have ancestor values
after you commit this change. You can hover over the quantity message
to display the object names.
If you want to revert to the default order of precedence,
Objects defined in ancestors will take higher precedence
only detects a Shared device group
object that shares a name with another object in the device group.
to save your changes.
) If you selected
defined in ancestors will take higher precedence
does not push the ancestor objects until you push configuration
changes to device groups: select