topic Nested Palo Alto Object Groups in General Topics

Nested Palo Alto Object Groups

apackard — Tue, 06 Mar 2012 12:21:37 GMT

Hi,

Does anyone know if there are any recommendations on the use of nested groupings within PA policies - specifically the PA objects?

In terms of maintaining 'easy to read' policies I wanted to make use of nesting to keep the policies simple, which will mean using nesting up to around 3 tiers - see following random example:-

Win2k8_Server_DC -- in grp --> Domain Controllers -- in grp --> UK DNS Servers -- in grp --> Global DNS Servers

My question is whether this level of nesting is recommended for Palo's; specifically whether it puts any additional strain on the policy compilation/commit process and/or running processes.

Cheers

Re: Nested Palo Alto Object Groups

sdurga — Tue, 06 Mar 2012 23:32:41 GMT

I dont think there is any limitation on the level of grouping. you can try this using a test address and create a rule. See if your are hitting the right rule when the traffic is coming from the corresponding address (nested address group in this case).

Tx,
Sandeep T

Re: Nested Palo Alto Object Groups

apackard — Tue, 06 Mar 2012 23:38:58 GMT

Cheers.

I know that the nested groups 'work', it's more a question whether using them has any performance impact. I've found that some functionality within the UI and policy structure can have a detrimental effect - especially during commiting - and was wondering whether there are any recommendations.

Will have a hunt round and maybe do some comparitive testing to see if I can judge for myself!

Rgds