topic Re: Panorama-shared objects in General Topics

Panorama-shared objects

SThatipelly — Wed, 08 Jun 2022 15:16:11 GMT

I am just setting up a panorama with 25 managed firewalls.

How can I have shared objects that are only shared between few firewalls but not all? My perimneter firewalls have huge number of objects which I would not like sharing with other remote firewalls but to some datacenter firewalls. how can I achieve this?

Thanks.

Re: Panorama-shared objects

BPry — Wed, 08 Jun 2022 18:20:42 GMT

@SThatipelly,

Take a look at this document https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

Panorama has the option to disable the Share Unused Address and Service Objects with Devices (which is enabled by default) so that you're only sharing objects if it's actually needed in the configuration.

Re: Panorama-shared objects

aleksandar.astardzhiev — Fri, 10 Jun 2022 14:26:00 GMT

Hi @SThatipelly ,

In addition to what @BPry explained I would also suggest to organize your device group in hierarchical structure

Something like this:

Shared

-- Perimeter-FWs

---- Perimeter-FW-01

---- Perimeter-FW-02

---- Perimeter-FW-03

-- DataCenter-FWs

---- DataCenter-FW-01

---- DataCenter-FW-02

---- DataCenter-FW-03

- Everything defined in "Shared" device group will be inherited by all device groups. This is build-in device-group which always sits on top.

- Everything defined in "Perimeter-FWs" will be inherited only by device groups that are children of this group

- Everything defined in "DataCenter-FWs" will be inherited only by device groups that are children of this group

Probably better explanation could be found here - https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy