<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Panorama Device groups and pre and post policies in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/panorama-device-groups-and-pre-and-post-policies/m-p/162880#M52785</link>
<description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks, wish you would have told me these best practices a few weeks ago &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As for device groups, not exactly what I was using them for, but I did an experiment.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Again, if I have&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;tier1&lt;/P&gt;&lt;P&gt;tier2&lt;/P&gt;&lt;P&gt;tier3&lt;/P&gt;&lt;P&gt;pa&lt;/P&gt;&lt;P&gt;&amp;lt;device&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;and I have in pre&amp;nbsp;&lt;/P&gt;&lt;P&gt;tier1&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 1&lt;/P&gt;&lt;P&gt;tier2&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 2&lt;/P&gt;&lt;P&gt;tier3&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 3&lt;/P&gt;&lt;P&gt;pa&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 4&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;when I look on &amp;lt;device&amp;gt; they show up as&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 1&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 2&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 3&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 4&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;From my read, tier1 gets processed first and then tier2, etc., which I sort of understand.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As for the migration tool, I'm loading it, but would you be able to give an example of how to do a partial import of a full config using the command line / XML tools? I think that would be better to learn.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 23 Jun 2017 04:21:03 GMT</pubDate>
    <dc:creator>asamad_1</dc:creator>
    <dc:date>2017-06-23T04:21:03Z</dc:date>
    <item>
      <title>Panorama Device groups and pre and post policies</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/panorama-device-groups-and-pre-and-post-policies/m-p/162843#M52778</link>
<description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Okay, just to understand:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;if I have a device group&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Top&lt;/P&gt;&lt;P&gt;Middle&lt;/P&gt;&lt;P&gt;pa&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;and I place my device in the pa group&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;and I have security rules&amp;nbsp;&lt;/P&gt;&lt;P&gt;in the pre section&lt;/P&gt;&lt;P&gt;top -&amp;gt; Rule 1&lt;/P&gt;&lt;P&gt;middle -&amp;gt; rule 2&lt;/P&gt;&lt;P&gt;pa -&amp;gt; rule 3&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;how does that look on the actual PA? &amp;nbsp;If I look at my device security,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;will the policies be&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;rule 1&lt;/P&gt;&lt;P&gt;rule 2&lt;/P&gt;&lt;P&gt;rule 3&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;or&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;rule 3&lt;/P&gt;&lt;P&gt;rule 2&lt;/P&gt;&lt;P&gt;rule 1&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;and I presume it's&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;lt;pre rules&amp;gt;&lt;/P&gt;&lt;P&gt;any device rules&lt;/P&gt;&lt;P&gt;&amp;lt;post rules&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Last question: on Panorama, how can I move a rule from pre to post?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Jun 2017 21:19:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/panorama-device-groups-and-pre-and-post-policies/m-p/162843#M52778</guid>
      <dc:creator>Alex_Samad</dc:creator>
      <dc:date>2017-06-22T21:19:54Z</dc:date>
    </item>
    <item>
      <title>Re: Panorama Device groups and pre and post policies</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/panorama-device-groups-and-pre-and-post-policies/m-p/162872#M52783</link>
<description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/62286"&gt;@Alex_Samad&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;A device group enables grouping based on network segmentation, geographic location, organizational function, or any other common aspect of firewalls that require similar policy configurations. Using device groups, you can configure policy rules and the objects they reference.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;To your first question, according to your example, if you have a device placed in the device group PA, with rules 1, 2, 3 in the pre-rule section, that's the order in which they will be shown on the actual device; however, the processing of the rules will depend on whether you create them as pre-rules or post-rules.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Pre Rules:&lt;/STRONG&gt; Pre rules are inserted at the top of the rule order and are checked first in the configuration in the pre-rulebase, before the post or locally defined rules. Examples of the use of pre rules are to insert global rules such as blocking peer-to-peer traffic for all users, or allowing DNS traffic for all users.&amp;nbsp;Additional factors used to decide on pre-only rules are administrative restrictions that do not allow rules to be created locally on the firewalls. In other words, if you have many remote firewalls, and you do not want to allow other administrators to perform changes locally in each firewall, then pre-rules are the way to go.
When you configure pre-rules, any policies pushed from Panorama to the device cannot be altered locally on the firewall; instead, it always has to be done through Panorama.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Post Rules:&lt;/STRONG&gt; Post rules are inserted at the bottom of the rule order and are checked in their configuration order in the post-rulebase, after the pre and locally defined rules. Examples of post&amp;nbsp;rule use are global deny rules, either by appID/service/user/IP or a combination of these, or to create default zone-to-zone deny rules used for logging all blocked traffic. Unlike pre-rules, if you are planning for rule management, it is recommended that Panorama is used to manage a post-rule database if admins will be configuring rules locally on the firewall.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Best Practices from Palo Alto are:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Local Rules in Panorama:&lt;/STRONG&gt; &amp;nbsp;Unless there is a business requirement, create all policies through Panorama.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Use Post-Rules in Panorama:&lt;/STRONG&gt; If there is an issue either with the communication to Panorama or Panorama itself, having most of your policy rules in the Post-Rules section allows you to create local policy to override if required.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As for your last question, about moving rules from Pre-Rules to Post-Rules, it is not supported. My recommendation in this case is to use the Palo Alto Migration Tool in order to do that. With the Migration Tool, you can connect to the firewall via the XML API and pull all rules into the Migration Tool.
From that point forward, you can select the rules you want to transform into post-rules and generate an API call to the firewall.&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Migration-Tool/ct-p/migration_tool" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Migration-Tool/ct-p/migration_tool&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Migration-Tool-3-Info-and-Guide/ta-p/55294?attachment-id=1060" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Migration-Tool-3-Info-and-Guide/ta-p/55294?attachment-id=1060&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I hope this helps.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 23 Jun 2017 03:45:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/panorama-device-groups-and-pre-and-post-policies/m-p/162872#M52783</guid>
      <dc:creator>acc6d0b3610eec313831f7900fdbd235</dc:creator>
      <dc:date>2017-06-23T03:45:17Z</dc:date>
    </item>
    <item>
      <title>Re: Panorama Device groups and pre and post policies</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/panorama-device-groups-and-pre-and-post-policies/m-p/162880#M52785</link>
<description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks, wish you would have told me these best practices a few weeks ago &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As for device groups, not exactly what I was using them for, but I did an experiment.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Again, if I have&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;tier1&lt;/P&gt;&lt;P&gt;tier2&lt;/P&gt;&lt;P&gt;tier3&lt;/P&gt;&lt;P&gt;pa&lt;/P&gt;&lt;P&gt;&amp;lt;device&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;and I have in pre&amp;nbsp;&lt;/P&gt;&lt;P&gt;tier1&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 1&lt;/P&gt;&lt;P&gt;tier2&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 2&lt;/P&gt;&lt;P&gt;tier3&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 3&lt;/P&gt;&lt;P&gt;pa&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 4&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;when I look on &amp;lt;device&amp;gt; they show up as&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 1&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 2&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 3&lt;/P&gt;&lt;P&gt;&amp;nbsp; policy 4&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;From my read, tier1 gets processed first and then tier2, etc., which I sort of understand.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As for the migration tool, I'm loading it, but would you be able to give an example of how to do a partial import of a full config using the command line / XML tools? I think that would be better to learn.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 23 Jun 2017 04:21:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/panorama-device-groups-and-pre-and-post-policies/m-p/162880#M52785</guid>
      <dc:creator>asamad_1</dc:creator>
      <dc:date>2017-06-23T04:21:03Z</dc:date>
    </item>
  </channel>
</rss>