topic Re: Change device group tree in General Topics

Change device group tree

ChristianBolelli — Fri, 03 Jun 2022 08:20:44 GMT

Hello,

Now my Panorama managing 4 cluster, 3 in Emea and 1 in US.

This the Device Group organization.

Shared

Cluster 1
Cluster 2
Cluster 3
Cluster 4

Now we want to modify the organization to split the Emea Cluster and US Cluster:

Shared

Emea:
1. Cluster1
2. cluster2
3. cluster3
US:
1. Cluster1

Should be easy like that:

Create 2 new empty Device Gruop "Emea" and "US" (parent device group will be Shared)
For each cluster change the "Parent Device Gruop" from "shared" to the dedicated Region DG.
Commit

It's only a Panorama organizations or there are an consequences on the fws that can create an outage and I have to consider?

Re: Change device group tree

ChristianBolelli — Tue, 07 Jun 2022 07:36:50 GMT

any advice?

Re: Change device group tree

aleksandar.astardzhiev — Tue, 07 Jun 2022 14:28:56 GMT

Hi @ChristianBolelli ,

As long as "Emea" and "US" device-groups are completely empty it shouldn't have any difference for the actuall firewall configuration or any traffic interruption.

You may still need to "push" config to devices if Panorama show firewall config out of sync. But you could confirm that nothing will change for the firewall, by "preview changes" (Push to Devices -> Edit Selections -> Device Groups -> Preview Changes")

Re: Change device group tree

ChristianBolelli — Tue, 07 Jun 2022 14:41:21 GMT

Ah yes, now "Emea"and "US" are two DG where I can put a regional rules.
For example on my scenario I can put under the Emea policy a rule that will be pushed on all 3 cluster but If the Emea and US still empty the firewall rule will be the same.

Right?

Re: Change device group tree

aleksandar.astardzhiev — Tue, 07 Jun 2022 15:02:39 GMT

Hi @ChristianBolelli ,

That is correct. Each device groups will inherint the rules from it parent.

I would like to think for device groups as of onion layers as the parent device groups are the outter layers and the child are the inner layers.

Above image represent the final rule order pushed to the device. Sorry I couldn't found image with multiple device group, but the principle is the same. In your case it should look like
Share Pre-prolicies

Emea Pre-policies

Cluster1 Pre-policies

Local policies

Cluster1 Post-policies

Emea Post-policies

Shared Post policies

If your Emea device group is empty...Nothing will really change for the firewall policy and rule order.

If you add Pre-rule in Emea device group it will be inherited by all emea clusters and that rule will be placed above any pre-rules defined in the clusterX device groups

Hope this make sense, not sure if I manage to explaint it in a good way.