FW specific rules from the Panorama shared policy

PA_nts — Fri, 06 Sep 2024 09:24:59 GMT

Hi All,

Using Panorama (10.1.x) with a number of managed FWs
we have a shared pre policy, parent pre policy and child policies with pre rules configured within.

goal - in event of a security incident on a branch location we want to have a pre-defined deny rule in the parent pre-policy in place that we can just enable and push down to a specific FW that will invoke this deny rule on this FW only...example:

"src zone: any > dst zone: untrust > action deny"

So i want to add a deny rule (will be disabled by default) on my parent pre policy that when enabled, will be targeted to a specific FW and committed.. so then it only applies and enables in on the target FW.

however all the FWs managed has different naming conventions for zones ie sitea_zone_trust, siteb_zone_trust etc..

instead of creating multiple policies in the parent pre rule defining each zone name.. is there a way i can do the following..

when enabling the parent pre policy deny rule.. and selecting the target for it, then to commit it to the FW but then for the FW to automatically ingest the source zone as siteb_trust for instance when the parent pre rule has 'any' defined for this rule?

thanks in adv

Re: FW specific rules from the Panorama shared policy

Raido_Rattameister — Fri, 06 Sep 2024 14:10:16 GMT

If zone names are different then use source address.

So assuming source zone that you want to block is siteb_trust and subnet used is 10.5.5.0/24 then push policy to firewall with source zone any source address 10.5.5.0/24

topic Re: FW specific rules from the Panorama shared policy in General Topics

FW specific rules from the Panorama shared policy

Re: FW specific rules from the Panorama shared policy