| Where Can I Use This? | What Do I Need? |
- NGFW (Managed by Panorama)
|
- Device Management License
- Panorama administrator or device group administrator
role
|
A policy
target allows you to
specify the firewalls in a device group to which to push policy
rules. It allows you to exclude one or more firewalls or virtual
systems, or to apply a rule only to specific firewalls or virtual systems
in a device group.
As your rulebase evolves and you push new
or modified rules to firewalls, changes and audit information get
lost over time unless they are archived at the time the rule is
created or modified. Use the audit comment archive to view the audit
comment and configuration log history of a selected rule, as well
to compare two policy rule versions to see how the rule changed.
The audit comment history for a rule pushed from Panorama is viewable
only from the Panorama management server. However, you can view
the audit comments in the configurations logs forwarded to Panorama
from managed firewalls. However, the audit comment archive is not
viewable for rules created or modified locally on the firewall.
To ensure that audit comments are captured at the time a rule is
created or modified,
Enforce Policy Rule, Description,
Tag and Audit Comment.
The ability to target a rule enables you to keep policies centralized on Panorama. Targeted rules
allow you to define the rules (as either shared or device group pre- or post-rules)
on Panorama and improve visibility and efficiency when managing the rules (see
Device Group Policies). The audit comment
archive adds further visibility by allowing you to track how and why your policy
rules change over time so you can audit the rule evolution over the course of the
rule lifecycle.